Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe

Overview

General Information

Sample Name: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe
Analysis ID: 711988
MD5: fd611b535d6742c93108f1efd9b5424f
SHA1: 138891cd92aa05c29765e36a1e0ca88ca229fa9a
SHA256: e99458ebd23933338555907993fb3cbce8dc5a36fb57fd69e43703bdbc0fa340
Tags: exe

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Mass process execution to delay analysis
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe (PID: 4544 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" MD5: FD611B535D6742C93108F1EFD9B5424F)
    • powershell.exe (PID: 3584 cmdline: powershell.exe 0x6B6570CB -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4180 cmdline: powershell.exe 0x656C3197 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5152 cmdline: powershell.exe 0x3A3A41D7 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5240 cmdline: powershell.exe 0x656176C0 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2960 cmdline: powershell.exe 0x46696EC0 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5436 cmdline: powershell.exe 0x41286F85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 672 cmdline: powershell.exe 0x72342289 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5772 cmdline: powershell.exe 0x20692295 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5728 cmdline: powershell.exe 0x78383295 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5020 cmdline: powershell.exe 0x30303295 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3692 cmdline: powershell.exe 0x302C22CC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4584 cmdline: powershell.exe 0x20302E85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2908 cmdline: powershell.exe 0x70203289 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3536 cmdline: powershell.exe 0x20692291 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5140 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2800 cmdline: powershell.exe 0x30783A95 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6008 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5248 cmdline: powershell.exe 0x30296B8B -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4072 cmdline: powershell.exe 0x723322FC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1712 cmdline: powershell.exe 0x6B6570CB -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2772 cmdline: powershell.exe 0x656C3197 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5412 cmdline: powershell.exe 0x3A3A54CC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3484 cmdline: powershell.exe 0x727477C4 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2552 cmdline: powershell.exe 0x6C416EC9 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2908 cmdline: powershell.exe 0x6F632ACC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5752 cmdline: powershell.exe 0x302C6B85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5904 cmdline: powershell.exe 0x30783395 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2240 cmdline: powershell.exe 0x30303295 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4392 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4296 cmdline: powershell.exe 0x30783195 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4520 cmdline: powershell.exe 0x30302E85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2944 cmdline: powershell.exe 0x692032DD -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5448 cmdline: powershell.exe 0x34302BD5 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5400 cmdline: powershell.exe 0x2E7233FC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5856 cmdline: powershell.exe 0x6B6570CB -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5880 cmdline: powershell.exe 0x656C3197 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3760 cmdline: powershell.exe 0x3A3A51C0 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5168 cmdline: powershell.exe 0x74466BC9 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1324 cmdline: powershell.exe 0x65506DCC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1420 cmdline: powershell.exe 0x6E7467D7 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2764 cmdline: powershell.exe 0x28697096 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6028 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6128 cmdline: powershell.exe 0x31343091 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5688 cmdline: powershell.exe 0x202C22CC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5916 cmdline: powershell.exe 0x20302ECC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 472 cmdline: powershell.exe 0x20302BCC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3300 cmdline: powershell.exe 0x2E7230FC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 376 cmdline: powershell.exe 0x6B6570CB -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6096 cmdline: powershell.exe 0x656C3197 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3356 cmdline: powershell.exe 0x3A3A50C0 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5552 cmdline: powershell.exe 0x616444CC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 492 cmdline: powershell.exe 0x6C652ACC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5632 cmdline: powershell.exe 0x72332E85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6012 cmdline: powershell.exe 0x69207094 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 404 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5180 cmdline: powershell.exe 0x30783395 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe PID: 4544 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | ReversingLabs: Detection: 12%
Source: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Virustotal: Detection: 15%
Source: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Code function: 0_2_00406375 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Code function: 0_2_00405823 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Code function: 0_2_004027FB FindFirstFileW
Source: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Code function: 0_2_004052D0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: conhost.exe | Process created: 53
Source: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Code function: 0_2_0040327D EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Code function: 0_2_00404B0D
Source: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Static PE information: invalid certificate
Source: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | ReversingLabs: Detection: 12%
Source: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Virustotal: Detection: 15%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe
Source: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72342289 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302E85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x70203289 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692291 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783A95 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30296B8B -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x723322FC -bxor 677
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A54CC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x727477C4 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C416EC9 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C6B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783195 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30302E85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x692032DD -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x34302BD5 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7233FC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A51C0 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x74466BC9 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x65506DCC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6E7467D7 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x28697096 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x31343091 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x202C22CC -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302ECC -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7230FC -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A50C0 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x616444CC -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C652ACC -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72332E85 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x69207094 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72342289 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692295 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302E85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692291 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783A95 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30296B8B -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x723322FC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A54CC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x727477C4 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C416EC9 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C6B85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783195 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30302E85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x692032DD -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x34302BD5 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7233FC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A51C0 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x74466BC9 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x65506DCC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6E7467D7 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x28697096 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x31343091 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x202C22CC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302ECC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7230FC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A50C0 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x616444CC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C652ACC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72332E85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x69207094 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Code function: 0_2_0040327D EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040327D
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_01
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe File created: C:\Users\user\AppData\Local\Temp\nsu2ACA.tmp
    Source: classification engine Classification label: mal60.troj.evad.winEXE@162/5@0/0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Code function: 0_2_00402095 CoCreateInstance,0_2_00402095
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Code function: 0_2_00404591 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404591
    Source: Window Recorder Window detected: More than 3 window changes detected
    Source: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    barindex
    Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe PID: 4544, type: MEMORYSTR
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe File created: C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\System.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe File created: C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72342289 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692295 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Window / User API: threadDelayed 393
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe TID: 5732 | Thread sleep time: -39300s >= -30000s
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Last function: Thread delayed
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Code function: 0_2_00406375 FindFirstFileW,FindClose | 0_2_00406375
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Code function: 0_2_00405823 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 0_2_00405823
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Code function: 0_2_004027FB FindFirstFileW | 0_2_004027FB
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | API call chain: ExitProcess graph end node | graph_0-5043
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | API call chain: ExitProcess graph end node | graph_0-5048
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW | 0_2_10001B18
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72342289 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692295 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302E85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692291 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783A95 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30296B8B -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x723322FC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A54CC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x727477C4 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C416EC9 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C6B85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783195 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30302E85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x692032DD -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x34302BD5 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7233FC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A51C0 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x74466BC9 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x65506DCC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6E7467D7 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x28697096 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x31343091 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x202C22CC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302ECC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7230FC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A50C0 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x616444CC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C652ACC -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72332E85 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x69207094 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Code function: 0_2_008B1112 GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,FindWindowExW,lstrcmpiW,DeleteFileW,GetVersion,GlobalAlloc,GlobalLock,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,GetTickCount,PeekNamedPipe,GetTickCount,ReadFile,lstrlenW,lstrlenW,lstrlenW,lstrcpynW,lstrlenW,GlobalSize,GlobalUnlock,GlobalReAlloc,GlobalLock,lstrcatW,GlobalSize,lstrlenW,lstrcpyW,CharNextW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,lstrcpyW,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree | 0_2_008B1112
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Code function: 0_2_00406054 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW | 0_2_00406054
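    Detection logic for the spawn pattern listed above, added here as a worked example. It is not part of the Joe Sandbox report and not code from the sample. It assumes a simplified Sysmon Event ID 1 record (field names ParentProcessId, ParentImage, Image, CommandLine, UtcTime are an assumption; adapt them to your pipeline) and runs over constructed events that reuse the hex operands the report lists for the dropper's children. The rule flags a parent that starts at least `threshold` powershell.exe children within a short window whose entire command line is a bare `0x… -bxor N` expression: no script, no cmdlet, nothing that an operator or a legitimate installer runs, only a process for the sandbox to trace. A normal PowerShell invocation carrying a script path does not match.

```python
"""Flag GuLoader/NSIS-style PowerShell spawn storms in process-creation events.

Added example; not part of the Joe Sandbox report and not code from the
sample. Record shape is a simplified Sysmon Event ID 1 (assumed field names:
ParentProcessId, ParentImage, Image, CommandLine, UtcTime).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A command line that is nothing but an integer literal XOR'd with a constant,
# e.g. "powershell.exe 0x6B6570CB -bxor 677". An optional quoted image path
# and the ".exe" suffix are tolerated; anything else after the operand is not.
DECOY_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?powershell(?:\.exe)?"?\s+0x[0-9A-F]{1,8}\s+-bxor\s+\d+\s*$',
    re.IGNORECASE,
)


def is_decoy_powershell(image: str, command_line: str) -> bool:
    """True if the child image is powershell.exe and its command line is a decoy."""
    return image.lower().endswith("\\powershell.exe") and DECOY_RE.match(command_line) is not None


def find_spawn_storms(events, threshold: int = 10, window_seconds: int = 60) -> dict:
    """Return {parent_pid: (parent_image, max_children_in_window)} for every parent
    that started at least `threshold` decoy powershell.exe children inside any
    interval of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_parent = defaultdict(list)
    for ev in events:
        if is_decoy_powershell(ev["Image"], ev["CommandLine"]):
            started = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            by_parent[ev["ParentProcessId"]].append((started, ev["ParentImage"]))

    hits = {}
    for ppid, children in by_parent.items():
        children.sort()
        times = [t for t, _ in children]
        # Sliding window over sorted start times; j only ever moves forward.
        best, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[ppid] = (children[0][1], best)
    return hits


# Constructed telemetry: PIDs, the dropper path and timestamps are made up; the
# hex operands are the ones the report lists for the sample's children.
_DROPPER = r"C:\Users\user\Desktop\dropper.exe"
_PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
_OPERANDS = ["0x6B6570CB", "0x656C3197", "0x3A3A41D7", "0x656176C0",
             "0x46696EC0", "0x41286F85", "0x72342289", "0x20692295",
             "0x78383295", "0x30303295", "0x302C22CC", "0x20302E85"]


def _event(ppid, pimage, image, cmd, second):
    return {"ParentProcessId": ppid, "ParentImage": pimage, "Image": image,
            "CommandLine": cmd, "UtcTime": f"2022-09-28 17:05:{second:02d}"}


SAMPLE_EVENTS = [
    _event(1234, _DROPPER, _PS, f"powershell.exe {op} -bxor 677", 20 + i)
    for i, op in enumerate(_OPERANDS)
] + [
    # Benign noise: an admin script launched from Explorer, a conhost, a cmd.
    _event(900, r"C:\Windows\explorer.exe",
           r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1", 25),
    _event(4100, _PS, r"C:\Windows\System32\conhost.exe",
           r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", 21),
    _event(900, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
           "cmd.exe /c dir", 30),
]

if __name__ == "__main__":
    for ppid, (pimage, n) in find_spawn_storms(SAMPLE_EVENTS).items():
        print(f"spawn storm: PID {ppid} ({pimage}) started {n} decoy powershell.exe children")
```

    The threshold and window are tuning knobs: the report's run spawned dozens of such children in a few minutes, so a low threshold over a one-minute window already separates it from the single scripted PowerShell launch in the constructed events. The image check on the child matters as much as the regex, because the same argument shape under cmd.exe would be a different signal.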
    MITRE ATT&CK matrix (a number in brackets is the count of matched behaviours Joe Sandbox reports for that technique; techniques without a number are the unmatched rows the matrix displays)

    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
    Execution: Native API (1), Scheduled Task/Job, At (Linux), At (Windows), Cron
    Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
    Privilege Escalation: Access Token Manipulation (1), Process Injection (11), Logon Script (Windows), Logon Script (Mac), Network Logon Script
    Defense Evasion: Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), Process Injection (11), Time Based Evasion (1), Obfuscated Files or Information (1)
    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
    Discovery: Virtualization/Sandbox Evasion (1), Application Window Discovery (1), Time Based Evasion (1), File and Directory Discovery (2), System Information Discovery (3)
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
    Collection: Archive Collected Data (1), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Keylogging
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
    Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, Manipulate Device Communication
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
    Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph ID: 711988 | Sample: SecuriteInfo.com.W32.AIDete... | Start date: 28/09/2022 | Architecture: WINDOWS | Score: 60
    Start (node 2): Multi AV Scanner detection for submitted file; Yara detected GuLoader
      -> SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe (node 7, counters 1 / 27) started
           dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32)
           signature: Mass process execution to delay analysis
           -> powershell.exe (node 11) started -> conhost.exe (node 19) started
           -> powershell.exe (node 13) started -> conhost.exe (node 21) started
           -> powershell.exe (node 15) started -> conhost.exe (node 23) started
           -> 53 other processes (node 17) started -> conhost.exe (nodes 25, 27, 29) started; 50 other processes (node 31)



    Source | Detection | Scanner | Label
    SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | 13% | ReversingLabs | Win32.Trojan.Guloader
    SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | 15% | Virustotal |

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\System.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\System.dll | 1% | Virustotal |
    C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\System.dll | 8% | Metadefender |
    C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll | 1% | Virustotal |
    C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll | 0% | Metadefender |
    No Antivirus matches
    No contacted domains info
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nsis.sf.net/NSIS_ErrorError | SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | false | | high
      No contacted IP infos
      Joe Sandbox Version: 36.0.0 Rainbow Opal
      Analysis ID: 711988
      Start date and time: 2022-09-28 19:05:16 +02:00
      Joe Sandbox Product: CloudBasic
      Overall analysis duration: 0h 6m 21s
      Hypervisor based Inspection enabled: false
      Report type: full
      Sample file name: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of new started processes analysed: 120
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Detection: MAL
      Classification: mal60.troj.evad.winEXE@162/5@0/0
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 45.4% (good quality ratio 44.5%)
      • Quality average: 88.8%
      • Quality standard deviation: 21.2%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 52
      • Number of non-executed functions: 31
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
      • Not all processes were analyzed; the report is missing behavior information
      • Report size exceeded maximum capacity and may have missing behavior information
      • Report size getting too big, too many NtSetInformationFile calls found
      No simulations
      No context
      Match: C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\System.dll

      Associated Sample Name / URL | Detection
      SecuriteInfo.com.Mal.Generic-S.9895.exe | malicious
      SecuriteInfo.com.Mal.Generic-S.31925.exe | malicious
      SecuriteInfo.com.Mal.Generic-S.9895.exe | malicious
      SecuriteInfo.com.Mal.Generic-S.31925.exe | malicious
      INVO-0987654345678.exe | malicious
      INVO-0987654345678.exe | malicious
      v22-003920.exe | malicious
      v22-003920.exe | malicious
      sall.exe | malicious
      sall.exe | malicious
      Ormat - RFQ-IMP 90881-00 5427-92407732DO4328105678387203.exe | malicious
      Ormat - RFQ-IMP 90881-00 5427-92407732DO4328105678387203.exe | malicious
      #U041f#U043b#U0430#U0449#U0430#U043d#U0435.exe | malicious
      KARL MAYER Offer PAGET C+A 09.07.exe | malicious
      KARL MAYER Offer PAGET C+A 09.07.exe | malicious
      SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.30458.11641.exe | malicious
      SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.30458.11641.exe | malicious
      payment copy.exe | malicious
      SecuriteInfo.com.NSIS.Injector.AOW.tr.21642.exe | malicious
      SecuriteInfo.com.NSIS.Injector.AOW.tr.21642.exe | malicious
                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):11776
                                              Entropy (8bit):5.655335921632966
                                              Encrypted:false
                                              SSDEEP:192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
                                              MD5:EE260C45E97B62A5E42F17460D406068
                                              SHA1:DF35F6300A03C4D3D3BD69752574426296B78695
                                              SHA-256:E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27
                                              SHA-512:A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3
                                              Malicious:false
                                               Antivirus:
                                               • Antivirus: ReversingLabs, Detection: 0%
                                               • Antivirus: Virustotal, Detection: 1%
                                               • Antivirus: Metadefender, Detection: 8%
                                               Joe Sandbox View:
                                               • Filename: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious
                                               • Filename: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious
                                               • Filename: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious
                                               • Filename: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious
                                               • Filename: INVO-0987654345678.exe, Detection: malicious
                                               • Filename: INVO-0987654345678.exe, Detection: malicious
                                               • Filename: v22-003920.exe, Detection: malicious
                                               • Filename: v22-003920.exe, Detection: malicious
                                               • Filename: sall.exe, Detection: malicious
                                               • Filename: sall.exe, Detection: malicious
                                               • Filename: Ormat - RFQ-IMP 90881-00 5427-92407732DO4328105678387203.exe, Detection: malicious
                                               • Filename: Ormat - RFQ-IMP 90881-00 5427-92407732DO4328105678387203.exe, Detection: malicious
                                               • Filename: #U041f#U043b#U0430#U0449#U0430#U043d#U0435.exe, Detection: malicious
                                               • Filename: KARL MAYER Offer PAGET C+A 09.07.exe, Detection: malicious
                                               • Filename: KARL MAYER Offer PAGET C+A 09.07.exe, Detection: malicious
                                               • Filename: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.30458.11641.exe, Detection: malicious
                                               • Filename: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.30458.11641.exe, Detection: malicious
                                               • Filename: payment copy.exe, Detection: malicious
                                               • Filename: SecuriteInfo.com.NSIS.Injector.AOW.tr.21642.exe, Detection: malicious
                                               • Filename: SecuriteInfo.com.NSIS.Injector.AOW.tr.21642.exe, Detection: malicious
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L...]..V...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):6656
                                              Entropy (8bit):5.139253382998066
                                              Encrypted:false
                                              SSDEEP:96:s7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN838:UbGgGPzxeX6D8ZyGgmkN
                                              MD5:1B0E41F60564CCCCCD71347D01A7C397
                                              SHA1:B1BDDD97765E9C249BA239E9C95AB32368098E02
                                              SHA-256:13EBC725F3F236E1914FE5288AD6413798AD99BEF38BFE9C8C898181238E8A10
                                              SHA-512:B6D7925CDFF358992B2682CF1485227204CE3868C981C47778DD6DA32057A595CAA933D8242C8D7090B0C54110D45FA8F935A1B4EEC1E318D89CC0E44B115785
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 1%
                                              • Antivirus: Metadefender, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L...[..V...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe
                                              File Type:ASCII text, with very long lines (19658), with no line terminators
                                              Category:dropped
                                              Size (bytes):19658
                                              Entropy (8bit):3.999047093980042
                                              Encrypted:false
                                              SSDEEP:384:h6Ec1CjCe8+QRcdoTinQ2dzwuwQgSWnzc:hDJCepmcdoTEQkwQgjnzc
                                              MD5:D5C02448412B114523F84DA3FA79B921
                                              SHA1:866B678CA0BBB080819E35E55502B76893E450D7
                                              SHA-256:258DE26230A1259ABE4C02EA48F493D06301E708A5BAB3403F920157C8C0326C
                                              SHA-512:E41EC7782140AFAC44C03D687A03C9FD83CF78B62D053DCC7262B5A956D9EC38AF85BFC1C0E763E05DC95B1E14BA521EF6AFE7380CDA0FA2924ACC97B4DC2081
                                              Malicious:false
                                              Preview:89EF6B6570CB656C31973A3A41D7656176C046696EC041286F8572342289206922957838329530303295302C22CC20302E8570203289206922912C206B8530783A952C206B8530296B8B723322FC6B6570CB656C31973A3A54CC727477C46C416EC96F632ACC302C6B8530783395303032952C206B853078319530302E85692032DD34302BD52E7233FC6B6570CB656C31973A3A51C074466BC965506DCC6E7467D7286970962C206B8531343091202C22CC20302ECC20302BCC2E7230FC6B6570CB656C31973A3A50C0616444CC6C652ACC72332E85692070942C206B8530783395303032952C2A6B85302C22CC20302BCC2E7230FC757367D73332389F43616EC957696CC16F7752D76F63438D697233852C6922952C6922952C206B85302C22CC20302BFCF2A7FFDE13DA349C3A24D7B2B55A5A4B4BB07BA7CD2C58E5D6F93B85649AE5605E3E28CA15258B0D2507B085FAA19AD8BC5F9CB6B070B34233576D71AA2734F60934942FB5A3FE7E81D8CB38C8379CDE55DD664A6CF05BD45BC8A092B7DD42EC93ECE3829CDFF26865B11CAF4624E037E1CB16DC6BE83A45EAE7C0911037160C23F3926A880D4CF5A1358F635B52C84F26B5FB06C0C1CD36F027B8370F6E4EF0F6B0DC35C5BBF0DF6781168014A579D72A47A93D13262AAF0CDC8CC296A7E35F1385785E9F39CA0E78E87EF0AA93
                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):74610
                                              Entropy (8bit):7.568416217183095
                                              Encrypted:false
                                              SSDEEP:1536:pxXo9NupmsKNpE5W5/L8SXGcNZOs3slLViOdlExEXWqn7Mljg66:pxXokKzP4Jc2OslLViElbFn7M0
                                              MD5:DF028206125C5985B34F688624AB9E55
                                              SHA1:D876BCD61B1179B75245D72A443B0185C5F18340
                                              SHA-256:3B489FB62E1506B3A3249B0D08D3D5E30A8D7A2AF81B85018557702ED82604CB
                                              SHA-512:FB916FA9D9930D807EDD2471A0004BAF39993537497E260E4506D0D9A67606364F69B714B0C57820417394A411D0F624BCA574B9371D9A6B954D774D1FB3D7EE
                                              Malicious:false
                                              Preview:C.^!......).&.C.Ov..U.<.v..B.N...~...y..`.#....1..?.(.......0.....!..*.w...}*.N..n[...0......&.}...6...2.....?.....Zu#)...1.....L.u.7mdGk.1{g..c_B..............D&`.R.C.4&L.mi-.I..v.....o.`BU5.1...-...@.......Z.0L.=s....`J.)5.DR...bg.J.2..a...G...\...[...P......@.o:....=A..e.Px..h..6(.........:....J......C.b~.V2.U.k![V=./ K....K...S.{u.^.+..H&1..{.J.'.l...=...*.2....sF....b...I>..O.M.S...x..&...9....a.+ ..!p.......A.i.`8.n...2.......&_...v.....E\....w.c..m...6.p.C,.V..}`cA.rUX..f...w......~.X...H.p.<.Z..{....o.bP.7)v.:..YV.............i.G.:Xw.P........E..u..%.e....>...i...ge....Oi.yw....7vz~...s.1..k....y.....4-...~.8..~>x..q..W..lg...\. cn.V.SYJ..,.......`...#....=.c.p;...L.0......0........C...>.Se......S....3.u.d.38.......S.....=,..k...u{..].M....;yQ......F.......J...x.>...+.yQ..rF5......e^....G.`Y.a...........v.W.--/....TAQ..:FD.4....{...dc.Oy..=.>b...y......38!.m..e..l.A.fo..;q(D...kq.2......D6...: ...}.....N.+......~.T.+..D...o.
                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe
                                              File Type:SVG Scalable Vector Graphics image
                                              Category:dropped
                                              Size (bytes):824
                                              Entropy (8bit):5.20249576082362
                                              Encrypted:false
                                              SSDEEP:24:t4CBGDT/MA6x+mXkvG3ll4AeW0WNDNHkdMRAeW0fcj:gDT/owRvGn4AewpOiAe5cj
                                              MD5:4F05487595F8C324710ACC9E0359A72F
                                              SHA1:20FFAD557E25CA662F3EF4FCC0A0479F483B209E
                                              SHA-256:9BFFBE1954818E8A73B0A11734BC1D684118DF513766EDDD5C424E8FEBE74FAA
                                              SHA-512:128526C5A71F1E885E4F18157AEE73F7EEE98FBA15C32A28F42D9FCFAD953972409264F82F6A3A14A1AA1FAC829F39DB9CEAD2FEE06C0258F26DCBE2142BC751
                                              Malicious:false
                                              Preview:<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g color="#bebebe" font-weight="400" fill="#474747"><path d="M1.75 4C.798 4 0 4.798 0 5.75v4.5C0 11.202.798 12 1.75 12h.125l-.781 1.563L.375 15h9.25l-.719-1.437L8.125 12h.125c.952 0 1.75-.798 1.75-1.75v-4.5C10 4.798 9.202 4 8.25 4zM2 6h6v4H2z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" font-family="Sans" overflow="visible"/><path d="M7.75 1C6.798 1 6 1.798 6 2.75V3h8v4h-3v3.25c0 .66-.252 1.27-.656 1.75h5.28l-1.5-3h.126C15.202 9 16 8.202 16 7.25v-4.5C16 1.798 15.202 1 14.25 1z" style="line-height:normal;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" font-family="Andale Mono" overflow="visible"/></g></svg>
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.403792593936947
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe
                                              File size:144936
                                              MD5:fd611b535d6742c93108f1efd9b5424f
                                              SHA1:138891cd92aa05c29765e36a1e0ca88ca229fa9a
                                              SHA256:e99458ebd23933338555907993fb3cbce8dc5a36fb57fd69e43703bdbc0fa340
                                              SHA512:aee52a82250e187eb79ea8a3a93b21f759152fe85a0f56af04daf5533efbadc96b97e12ac5fe161f55210fd0d1c4f3d3bdf0cd1968d1852ea4799e58692675d7
                                              SSDEEP:3072:z1T//IHWyWJADJuH1byNWXpEszNEk4erllTuGAR0j/qiqxP+:N//I2y3A5yNWXp7ukxjVAR0jPv
                                              TLSH:A0E3E0813764E427E8F29F32197BA76B9A7FD52114102343C3796A8E7D31382BD1EA52
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.G.@n..@n..@n./O1..@n..@o.K@n./O3..@n..c^..@n.+Fh..@n.Rich.@n.........................PE..L...e..V.................b....:....
                                              Icon Hash:f8ce9fb3a386ecf0
                                              Entrypoint:0x40327d
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x567F8465 [Sun Dec 27 06:25:41 2015 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:d4b94e8ee3f620a89d114b9da4b31873
                                              Signature Valid:false
                                              Signature Issuer:OU="Gibbeted Merosomata ", E=Goshawks@Dulotic.Bar, O=Vidervrdighedernes, L=Suze-la-Rousse, S=Auvergne-Rhône-Alpes, C=FR
                                              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                              Error Number:-2146762487
                                              Not Before:6/27/2022 8:38:07 PM
                                              Not After:6/26/2025 8:38:07 PM
                                              Subject Chain:
                                              • OU="Gibbeted Merosomata ", E=Goshawks@Dulotic.Bar, O=Vidervrdighedernes, L=Suze-la-Rousse, S=Auvergne-Rhône-Alpes, C=FR
                                              Version:3
                                              Thumbprint MD5:C095C5D260841C415979ED93D182614C
                                              Thumbprint SHA-1:2388AA14A5F5AAADA2CCF5025E53739FC0200EAC
                                              Thumbprint SHA-256:DBA776BC0C6CE484DFB3161056BBEF007B0D1ECD535A3D7089440DF8B937F6F5
                                              Serial:73955E667784B00C
                                              Instruction
                                              sub esp, 000002D4h
                                              push ebp
                                              push esi
                                              push 00000020h
                                              xor ebp, ebp
                                              pop esi
                                              mov dword ptr [esp+0Ch], ebp
                                              push 00008001h
                                              mov dword ptr [esp+0Ch], 0040A300h
                                              mov dword ptr [esp+18h], ebp
                                              call dword ptr [004080B0h]
                                              call dword ptr [004080ACh]
                                              cmp ax, 00000006h
                                              je 00007F4EA871D4D3h
                                              push ebp
                                              call 00007F4EA8720616h
                                              cmp eax, ebp
                                              je 00007F4EA871D4C9h
                                              push 00000C00h
                                              call eax
                                              push ebx
                                              push edi
                                              push 0040A2F4h
                                              call 00007F4EA8720593h
                                              push 0040A2ECh
                                              call 00007F4EA8720589h
                                              push 0040A2E0h
                                              call 00007F4EA872057Fh
                                              push 00000009h
                                              call 00007F4EA87205E4h
                                              push 00000007h
                                              call 00007F4EA87205DDh
                                              mov dword ptr [007A8A44h], eax
                                              call dword ptr [00408044h]
                                              push ebp
                                              call dword ptr [004082A8h]
                                              mov dword ptr [007A8AF8h], eax
                                              push ebp
                                              lea eax, dword ptr [esp+34h]
                                              push 000002B4h
                                              push eax
                                              push ebp
                                              push 0079FF00h
                                              call dword ptr [0040818Ch]
                                              push 0040A2C8h
                                              push 007A7A40h
                                              call 00007F4EA87201CAh
                                              call dword ptr [004080A8h]
                                              mov ebx, 007B3000h
                                              push eax
                                              push ebx
                                              call 00007F4EA87201B8h
                                              push ebp
                                              call dword ptr [00408178h]
                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804
                                              Name                                  Virtual Address  Virtual Size  Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT          0x84bc           0xa0          .rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3d8000         0x6ea8        .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x22f48          0x6e0         .data
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b8         .rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                              Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
                                              .text   0x1000           0x6155        0x6200    False     0.6741470025510204  data       6.472221311938333  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rdata  0x8000           0x1370        0x1400    False     0.441015625         data       5.105712848520416  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data   0xa000           0x39eb38      0x600     unknown   unknown             unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .ndata  0x3a9000         0x2f000       0x0       False     0                   empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .rsrc   0x3d8000         0x6ea8        0x7000    False     0.545166015625      data       5.216552612077974  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              Name           RVA       Size    Type                                                                                Language  Country
                                              RT_ICON        0x3d8388  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600                     English   United States
                                              RT_ICON        0x3da930  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224                     English   United States
                                              RT_ICON        0x3db9d8  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors  English   United States
                                              RT_ICON        0x3dc880  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors  English   United States
                                              RT_ICON        0x3dd128  0x668   Device independent bitmap graphic, 48 x 96 x 4, image size 1152                      English   United States
                                              RT_ICON        0x3dd790  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors   English   United States
                                              RT_ICON        0x3ddcf8  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088                     English   United States
                                              RT_ICON        0x3de160  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 512                       English   United States
                                              RT_ICON        0x3de448  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 128                       English   United States
                                              RT_DIALOG      0x3de570  0x100   data                                                                                English   United States
                                              RT_DIALOG      0x3de670  0xf8    data                                                                                English   United States
                                              RT_DIALOG      0x3de768  0xa0    data                                                                                English   United States
                                              RT_DIALOG      0x3de808  0x60    data                                                                                English   United States
                                              RT_GROUP_ICON  0x3de868  0x84    data                                                                                English   United States
                                              RT_VERSION     0x3de8f0  0x278   data                                                                                English   United States
                                              RT_MANIFEST    0x3deb68  0x33f   XML 1.0 document, ASCII text, with very long lines (831), with no line terminators   English   United States
                                              DLL           Import
                                              KERNEL32.dll  SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
                                              USER32.dll    GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
                                              GDI32.dll     SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                              SHELL32.dll   SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
                                              ADVAPI32.dll  RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                                              COMCTL32.dll  ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                              ole32.dll     OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                                              Language of compilation system  Country where language is spoken  Map
                                              English                         United States
                                              No network behavior found

                                              Target ID:0
                                              Start time:19:06:11
                                              Start date:28/09/2022
                                              Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe"
                                              Imagebase:0x400000
                                              File size:144936 bytes
                                              MD5 hash:FD611B535D6742C93108F1EFD9B5424F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low

                                              Target ID:1
                                              Start time:19:06:15
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6B6570CB -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:2
                                              Start time:19:06:15
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:3
                                              Start time:19:06:17
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x656C3197 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:4
                                              Start time:19:06:17
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:5
                                              Start time:19:06:19
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x3A3A41D7 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:6
                                              Start time:19:06:19
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:7
                                              Start time:19:06:20
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x656176C0 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:8
                                              Start time:19:06:20
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:9
                                              Start time:19:06:22
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x46696EC0 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:10
                                              Start time:19:06:22
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:11
                                              Start time:19:06:24
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x41286F85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:12
                                              Start time:19:06:24
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:13
                                              Start time:19:06:29
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x72342289 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:14
                                              Start time:19:06:29
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:15
                                              Start time:19:06:30
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x20692295 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:16
                                              Start time:19:06:30
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:17
                                              Start time:19:06:32
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x78383295 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:18
                                              Start time:19:06:32
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:19
                                              Start time:19:06:34
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30303295 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:20
                                              Start time:19:06:34
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:22
                                              Start time:19:06:35
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x302C22CC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:23
                                              Start time:19:06:35
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:24
                                              Start time:19:06:37
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x20302E85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:25
                                              Start time:19:06:37
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:26
                                              Start time:19:06:39
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x70203289 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:27
                                              Start time:19:06:39
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:28
                                              Start time:19:06:40
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x20692291 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:29
                                              Start time:19:06:40
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:30
                                              Start time:19:06:42
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:powershell.exe 0x2C206B85 -bxor 677
                                              Imagebase:0x7ff6ffff0000
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:31
                                              Start time:19:06:42
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:32
                                              Start time:19:06:43
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30783A95 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:33
                                              Start time:19:06:43
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:34
                                              Start time:19:06:49
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2C206B85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:35
                                              Start time:19:06:49
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:36
                                              Start time:19:06:51
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30296B8B -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:37
                                              Start time:19:06:51
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:38
                                              Start time:19:06:52
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x723322FC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:39
                                              Start time:19:06:52
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:40
                                              Start time:19:06:55
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6B6570CB -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:41
                                              Start time:19:06:55
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:43
                                              Start time:19:06:56
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x656C3197 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:44
                                              Start time:19:06:56
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:45
                                              Start time:19:06:58
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x3A3A54CC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:46
                                              Start time:19:06:59
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:47
                                              Start time:19:07:01
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x727477C4 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:48
                                              Start time:19:07:01
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:49
                                              Start time:19:07:02
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6C416EC9 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:50
                                              Start time:19:07:02
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:53
                                              Start time:19:07:08
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6F632ACC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:54
                                              Start time:19:07:08
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:55
                                              Start time:19:07:10
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x302C6B85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:56
                                              Start time:19:07:10
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:57
                                              Start time:19:07:12
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30783395 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:58
                                              Start time:19:07:12
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:59
                                              Start time:19:07:13
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30303295 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:60
                                              Start time:19:07:14
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:61
                                              Start time:19:07:15
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2C206B85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:62
                                              Start time:19:07:15
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:63
                                              Start time:19:07:17
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30783195 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:64
                                              Start time:19:07:17
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:66
                                              Start time:19:07:19
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30302E85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:67
                                              Start time:19:07:19
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:68
                                              Start time:19:07:21
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x692032DD -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:69
                                              Start time:19:07:21
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:70
                                              Start time:19:07:22
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x34302BD5 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:71
                                              Start time:19:07:22
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:72
                                              Start time:19:07:28
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2E7233FC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:73
                                              Start time:19:07:28
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:74
                                              Start time:19:07:30
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6B6570CB -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:75
                                              Start time:19:07:30
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:76
                                              Start time:19:07:32
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x656C3197 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:77
                                              Start time:19:07:32
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:78
                                              Start time:19:07:33
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x3A3A51C0 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:79
                                              Start time:19:07:33
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:80
                                              Start time:19:07:35
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x74466BC9 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:81
                                              Start time:19:07:35
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:82
                                              Start time:19:07:37
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x65506DCC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:83
                                              Start time:19:07:37
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:84
                                              Start time:19:07:38
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6E7467D7 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:85
                                              Start time:19:07:38
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:86
                                              Start time:19:07:40
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x28697096 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:87
                                              Start time:19:07:40
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:88
                                              Start time:19:07:42
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2C206B85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:89
                                              Start time:19:07:42
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:90
                                              Start time:19:07:47
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x31343091 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:91
                                              Start time:19:07:47
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:92
                                              Start time:19:07:49
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x202C22CC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:93
                                              Start time:19:07:49
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:94
                                              Start time:19:07:51
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x20302ECC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:95
                                              Start time:19:07:51
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:96
                                              Start time:19:07:53
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x20302BCC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:97
                                              Start time:19:07:53
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:98
                                              Start time:19:07:55
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2E7230FC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:99
                                              Start time:19:07:55
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:100
                                              Start time:19:07:58
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6B6570CB -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:101
                                              Start time:19:07:58
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:102
                                              Start time:19:07:59
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:powershell.exe 0x656C3197 -bxor 677
                                              Imagebase:0x7ff7fcd70000
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:103
                                              Start time:19:07:59
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:104
                                              Start time:19:08:01
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x3A3A50C0 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:105
                                              Start time:19:08:01
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:107
                                              Start time:19:08:06
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x616444CC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:108
                                              Start time:19:08:06
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:109
                                              Start time:19:08:07
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6C652ACC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:110
                                              Start time:19:08:07
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:111
                                              Start time:19:08:09
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x72332E85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:112
                                              Start time:19:08:09
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:114
                                              Start time:19:08:10
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x69207094 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:115
                                              Start time:19:08:11
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:116
                                              Start time:19:08:12
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2C206B85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:117
                                              Start time:19:08:12
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:118
                                              Start time:19:08:14
                                              Start date:28/09/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:powershell.exe 0x30783395 -bxor 677
                                              Imagebase:0x7ff6ffff0000
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:119
                                              Start time:19:08:14
                                              Start date:28/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
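The powershell.exe entries above share one command-line shape, `powershell.exe 0x<8 hex digits> -bxor <integer>`: PowerShell treats the positional argument as -Command, so each child evaluates a constant integer XOR, prints the result and exits, and the only effect is the process churn itself. The following Python is an added example and not part of the Joe Sandbox report: it checks whether a command line is such a pure-constant -bxor expression and then scans process-creation records for a parent that launches several of these children inside a short window. The record field names, the process IDs, the 10-second window and the threshold of three are assumptions chosen for illustration; the sample events are constructed, and only the two hex operands are taken from the entries above.

```python
"""Flag a parent process that spawns a burst of near-identical PowerShell children.

Added example; not code from the Joe Sandbox report. It models the process-list
pattern above: children of the form `powershell.exe 0x<hex> -bxor <int>` that do
nothing but evaluate a constant XOR. Field names, PIDs, window and threshold are
assumptions; SAMPLE_EVENTS is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line shape from the report: a hex literal XORed with a small decimal.
BXOR_RE = re.compile(
    r"^powershell\.exe\s+0x([0-9A-Fa-f]{1,8})\s+-bxor\s+(\d+)\s*$", re.IGNORECASE
)


def parse_bxor(cmdline):
    """Return (lhs, rhs, lhs ^ rhs) for a pure constant -bxor command line, else None.

    PowerShell treats the positional argument as -Command, so the child only
    prints the integer result and exits (both operands fit in [int] here).
    """
    m = BXOR_RE.match(cmdline.strip())
    if m is None:
        return None
    lhs, rhs = int(m.group(1), 16), int(m.group(2))
    return lhs, rhs, lhs ^ rhs


def find_bursts(events, window=timedelta(seconds=10), threshold=3):
    """Group -bxor PowerShell children by parent PID and flag any parent with
    `threshold` or more of them starting within `window`.

    events: dicts with keys time (datetime), pid, ppid, image, cmdline.
    Returns [(ppid, [child pids in the first window that crossed the threshold])].
    """
    by_parent = defaultdict(list)
    for ev in events:
        if not ev["image"].lower().endswith("powershell.exe"):
            continue
        if parse_bxor(ev["cmdline"]) is None:
            continue
        by_parent[ev["ppid"]].append(ev)

    hits = []
    for ppid, kids in by_parent.items():
        kids.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(kids)):          # sliding window over start times
            while kids[end]["time"] - kids[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append((ppid, [k["pid"] for k in kids[start:end + 1]]))
                break                         # one alert per parent is enough
    return hits


def _t(hms):
    return datetime.strptime("2022-09-28 " + hms, "%Y-%m-%d %H:%M:%S")


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"

# Constructed sample (PIDs and times invented; the two hex operands match entries above).
SAMPLE_EVENTS = [
    {"time": _t("19:08:12"), "pid": 11, "ppid": 100, "image": PS,
     "cmdline": "powershell.exe 0x2C206B85 -bxor 677"},
    {"time": _t("19:08:12"), "pid": 21, "ppid": 11, "image": CONHOST,
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"time": _t("19:08:14"), "pid": 12, "ppid": 100, "image": PS,
     "cmdline": "powershell.exe 0x30783395 -bxor 677"},
    {"time": _t("19:08:15"), "pid": 13, "ppid": 100, "image": PS,
     "cmdline": "powershell.exe 0x0000BEEF -bxor 677"},
    # A lone -bxor child under another parent and an ordinary admin command:
    {"time": _t("19:08:16"), "pid": 31, "ppid": 300, "image": PS,
     "cmdline": "powershell.exe 0x12345678 -bxor 5"},
    {"time": _t("19:08:17"), "pid": 41, "ppid": 200, "image": PS,
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
]

if __name__ == "__main__":
    for ppid, pids in find_bursts(SAMPLE_EVENTS):
        print(f"parent {ppid} spawned {len(pids)} constant -bxor powershell children: {pids}")
```

The point of the sliding window is that a single such child is unremarkable, while several from one parent within seconds is the "mass process execution" behaviour the report's signatures describe; the threshold and window should be tuned against the environment's normal PowerShell usage before the rule is deployed.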


                                                Execution Graph

                                                Execution Coverage:23.8%
                                                Dynamic/Decrypted Code Coverage:6.2%
                                                Signature Coverage:23.7%
                                                Total number of Nodes:1639
                                                Total number of Limit Nodes:52
                                                [Execution graph data omitted: the source carries the serialized node and edge list that backs the report's interactive graph view (one node per function address, annotated with the Windows APIs it calls or an "N API calls" summary, plus id->id edges), which does not render as readable text and is truncated in the source. The coverage figures above summarize the graph.]
406054 18 API calls 5613 4049ca 5611->5613 5612->5611 5614 406054 18 API calls 5613->5614 5615 4049d5 5614->5615 5616 406054 18 API calls 5615->5616 5617 4049eb lstrlenW wsprintfW SetDlgItemTextW 5616->5617 5617->5609 5618 1000164f 5619 10001516 GlobalFree 5618->5619 5621 10001667 5619->5621 5620 100016ad GlobalFree 5621->5620 5622 10001682 5621->5622 5623 10001699 VirtualFree 5621->5623 5622->5620 5623->5620 4375 8b105a 4378 8b1112 4375->4378 4456 8b1096 GetModuleHandleW GetProcAddress 4378->4456 4381 8b128c GlobalAlloc 4383 8b12aa 4381->4383 4382 8b1147 GetModuleFileNameW GlobalAlloc 4384 8b118e 4382->4384 4385 8b12c2 FindWindowExW FindWindowExW 4383->4385 4398 8b12e4 4383->4398 4386 8b11ae 4384->4386 4387 8b1194 CharPrevW 4384->4387 4385->4398 4389 8b11b8 4386->4389 4390 8b11ce GetTempFileNameW CopyFileW 4386->4390 4387->4384 4387->4386 4472 8b1a73 4389->4472 4392 8b126d lstrcatW lstrlenW 4390->4392 4393 8b1203 CreateFileW CreateFileMappingW MapViewOfFile 4390->4393 4392->4383 4396 8b1239 UnmapViewOfFile 4393->4396 4397 8b125f CloseHandle CloseHandle 4393->4397 4395 8b11c2 GlobalFree 4399 8b1085 4395->4399 4396->4397 4397->4392 4400 8b1326 4398->4400 4459 8b1a33 4398->4459 4464 8b1849 lstrlenW lstrlenW 4398->4464 4401 8b132b 4400->4401 4402 8b1357 GetVersion 4400->4402 4403 8b1a73 2 API calls 4401->4403 4404 8b13ca GlobalAlloc 4402->4404 4405 8b13fc 4402->4405 4408 8b1335 4403->4408 4410 8b16f8 lstrcpyW 4404->4410 4416 8b13f2 GlobalLock 4404->4416 4406 8b1406 InitializeSecurityDescriptor SetSecurityDescriptorDacl 4405->4406 4407 8b1424 CreatePipe 4405->4407 4406->4407 4407->4410 4411 8b1441 CreatePipe 4407->4411 4408->4395 4415 8b1349 DeleteFileW 4408->4415 4413 8b170a 4410->4413 4411->4410 4414 8b1458 GetStartupInfoW CreateProcessW 4411->4414 4417 8b1718 4413->4417 4418 8b1710 4413->4418 4414->4410 4419 8b14a6 GetTickCount 4414->4419 4415->4395 4416->4405 4421 8b1731 4417->4421 4423 8b1726 4417->4423 4420 8b1a73 2 API calls 4418->4420 4453 8b14af 4419->4453 
4420->4417 4424 8b173a lstrcpyW 4421->4424 4425 8b174c 4421->4425 4422 8b14c2 PeekNamedPipe 4426 8b14dc GetTickCount ReadFile 4422->4426 4422->4453 4427 8b17dd 3 API calls 4423->4427 4424->4425 4428 8b176d 4425->4428 4429 8b1755 wsprintfW 4425->4429 4468 8b10d3 lstrlenA 4426->4468 4431 8b172f 4427->4431 4434 8b1a73 2 API calls 4428->4434 4429->4428 4431->4421 4432 8b1692 GetTickCount 4433 8b16c0 Sleep 4432->4433 4437 8b16a1 TerminateProcess lstrcpyW 4432->4437 4435 8b16c8 WaitForSingleObject GetExitCodeProcess PeekNamedPipe 4433->4435 4436 8b1779 6 API calls 4434->4436 4435->4453 4438 8b17a8 4436->4438 4437->4435 4440 8b17ba GlobalFree 4438->4440 4441 8b17b1 DeleteFileW 4438->4441 4439 8b1520 lstrlenW 4442 8b1531 lstrlenW lstrcpynW 4439->4442 4443 8b1550 lstrlenW GlobalSize 4439->4443 4440->4399 4444 8b17ca GlobalUnlock GlobalFree 4440->4444 4441->4440 4442->4435 4445 8b159e lstrcatW 4443->4445 4446 8b156d GlobalUnlock GlobalReAlloc 4443->4446 4444->4399 4445->4453 4446->4410 4447 8b1594 GlobalLock 4446->4447 4447->4445 4448 8b1849 4 API calls 4448->4453 4449 8b15b2 GlobalSize 4450 8b15d4 lstrlenW 4449->4450 4449->4453 4451 8b15f3 lstrcpyW 4450->4451 4450->4453 4451->4453 4452 8b165f CharNextW 4452->4453 4453->4413 4453->4422 4453->4432 4453->4433 4453->4435 4453->4439 4453->4448 4453->4449 4453->4451 4453->4452 4454 8b164e 4453->4454 4454->4453 4475 8b17dd 4454->4475 4457 8b10b8 GetCurrentProcess 4456->4457 4458 8b10c5 4456->4458 4457->4458 4458->4381 4458->4382 4460 8b1a3d 4459->4460 4461 8b1a6c 4459->4461 4460->4461 4462 8b1a4a lstrcpyW 4460->4462 4463 8b1a5d GlobalFree 4460->4463 4461->4398 4462->4463 4463->4461 4465 8b186a 4464->4465 4466 8b18a4 4464->4466 4465->4466 4467 8b1893 CharNextW lstrlenW 4465->4467 4466->4398 4467->4465 4467->4466 4469 8b10ee MultiByteToWideChar 4468->4469 4470 8b1102 lstrcpyW 4468->4470 4471 8b110c 4469->4471 4470->4471 4471->4453 4473 8b1a7c GlobalAlloc lstrcpynW 4472->4473 4474 8b1ab6 4472->4474 4473->4474 4474->4395 4476 8b17fd 
SendMessageW SendMessageW SendMessageW 4475->4476 4477 8b1845 4475->4477 4476->4477 4477->4454 5624 404591 5625 4045bd 5624->5625 5626 4045ce 5624->5626 5685 40575b GetDlgItemTextW 5625->5685 5628 4045da GetDlgItem 5626->5628 5633 404639 5626->5633 5630 4045ee 5628->5630 5629 4045c8 5632 4062c6 5 API calls 5629->5632 5635 404602 SetWindowTextW 5630->5635 5640 405a91 4 API calls 5630->5640 5631 40471d 5683 4048cc 5631->5683 5687 40575b GetDlgItemTextW 5631->5687 5632->5626 5633->5631 5636 406054 18 API calls 5633->5636 5633->5683 5638 4040f6 19 API calls 5635->5638 5641 4046ad SHBrowseForFolderW 5636->5641 5637 40474d 5642 405aee 18 API calls 5637->5642 5643 40461e 5638->5643 5639 40415d 8 API calls 5644 4048e0 5639->5644 5645 4045f8 5640->5645 5641->5631 5646 4046c5 CoTaskMemFree 5641->5646 5647 404753 5642->5647 5648 4040f6 19 API calls 5643->5648 5645->5635 5651 4059e6 3 API calls 5645->5651 5649 4059e6 3 API calls 5646->5649 5688 406032 lstrcpynW 5647->5688 5650 40462c 5648->5650 5652 4046d2 5649->5652 5686 40412b SendMessageW 5650->5686 5651->5635 5655 404709 SetDlgItemTextW 5652->5655 5660 406054 18 API calls 5652->5660 5655->5631 5656 404632 5658 406408 5 API calls 5656->5658 5657 40476a 5659 406408 5 API calls 5657->5659 5658->5633 5667 404771 5659->5667 5661 4046f1 lstrcmpiW 5660->5661 5661->5655 5664 404702 lstrcatW 5661->5664 5662 4047b2 5689 406032 lstrcpynW 5662->5689 5664->5655 5665 4047b9 5666 405a91 4 API calls 5665->5666 5668 4047bf GetDiskFreeSpaceW 5666->5668 5667->5662 5670 405a32 2 API calls 5667->5670 5672 40480a 5667->5672 5671 4047e3 MulDiv 5668->5671 5668->5672 5670->5667 5671->5672 5673 404a16 21 API calls 5672->5673 5674 40487b 5672->5674 5676 404868 5673->5676 5675 40489e 5674->5675 5677 40140b 2 API calls 5674->5677 5690 404118 KiUserCallbackDispatcher 5675->5690 5679 40487d SetDlgItemTextW 5676->5679 5680 40486d 5676->5680 5677->5675 5679->5674 5682 40494d 21 API calls 5680->5682 5681 4048ba 5681->5683 5691 404526 5681->5691 5682->5674 
5683->5639 5685->5629 5686->5656 5687->5637 5688->5657 5689->5665 5690->5681 5692 404534 5691->5692 5693 404539 SendMessageW 5691->5693 5692->5693 5693->5683 5694 404293 5695 4043c5 5694->5695 5696 4042ab 5694->5696 5697 40442f 5695->5697 5698 404501 5695->5698 5703 404400 GetDlgItem SendMessageW 5695->5703 5700 4040f6 19 API calls 5696->5700 5697->5698 5699 404439 GetDlgItem 5697->5699 5705 40415d 8 API calls 5698->5705 5701 4044c2 5699->5701 5702 404453 5699->5702 5704 404312 5700->5704 5701->5698 5706 4044d4 5701->5706 5702->5701 5710 404479 6 API calls 5702->5710 5725 404118 KiUserCallbackDispatcher 5703->5725 5708 4040f6 19 API calls 5704->5708 5709 4044fc 5705->5709 5711 4044ea 5706->5711 5712 4044da SendMessageW 5706->5712 5714 40431f CheckDlgButton 5708->5714 5710->5701 5711->5709 5715 4044f0 SendMessageW 5711->5715 5712->5711 5713 40442a 5716 404526 SendMessageW 5713->5716 5723 404118 KiUserCallbackDispatcher 5714->5723 5715->5709 5716->5697 5718 40433d GetDlgItem 5724 40412b SendMessageW 5718->5724 5720 404353 SendMessageW 5721 404370 GetSysColor 5720->5721 5722 404379 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5720->5722 5721->5722 5722->5709 5723->5718 5724->5720 5725->5713 4488 402095 4489 402bbf 18 API calls 4488->4489 4490 40209c 4489->4490 4491 402bbf 18 API calls 4490->4491 4492 4020a6 4491->4492 4493 402bbf 18 API calls 4492->4493 4494 4020b0 4493->4494 4495 402bbf 18 API calls 4494->4495 4496 4020ba 4495->4496 4497 402bbf 18 API calls 4496->4497 4499 4020c4 4497->4499 4498 402103 CoCreateInstance 4501 402122 4498->4501 4499->4498 4500 402bbf 18 API calls 4499->4500 4500->4498 4502 401423 25 API calls 4501->4502 4503 4021e1 4501->4503 4502->4503 5726 401a15 5727 402bbf 18 API calls 5726->5727 5728 401a1e ExpandEnvironmentStringsW 5727->5728 5729 401a32 5728->5729 5730 401a45 5728->5730 5729->5730 5731 401a37 lstrcmpW 5729->5731 5731->5730 5732 402515 5733 402bbf 18 API calls 5732->5733 5734 40251c 5733->5734 5737 405c07 
GetFileAttributesW CreateFileW 5734->5737 5736 402528 5737->5736 5738 401b16 5739 402bbf 18 API calls 5738->5739 5740 401b1d 5739->5740 5741 402ba2 18 API calls 5740->5741 5742 401b26 wsprintfW 5741->5742 5743 402a4c 5742->5743 5744 10001058 5745 10001074 5744->5745 5746 100010dd 5745->5746 5747 10001516 GlobalFree 5745->5747 5748 10001092 5745->5748 5747->5748 5749 10001516 GlobalFree 5748->5749 5750 100010a2 5749->5750 5751 100010b2 5750->5751 5752 100010a9 GlobalSize 5750->5752 5753 100010b6 GlobalAlloc 5751->5753 5754 100010c7 5751->5754 5752->5751 5755 1000153d 3 API calls 5753->5755 5756 100010d2 GlobalFree 5754->5756 5755->5754 5756->5746 4517 40159b 4518 402bbf 18 API calls 4517->4518 4519 4015a2 SetFileAttributesW 4518->4519 4520 4015b4 4519->4520 5757 40229d 5758 4022a5 5757->5758 5759 4022ab 5757->5759 5760 402bbf 18 API calls 5758->5760 5761 402bbf 18 API calls 5759->5761 5763 4022b9 5759->5763 5760->5759 5761->5763 5762 402bbf 18 API calls 5766 4022d0 WritePrivateProfileStringW 5762->5766 5764 402bbf 18 API calls 5763->5764 5765 4022c7 5763->5765 5764->5765 5765->5762 5767 401f1d 5768 402bbf 18 API calls 5767->5768 5769 401f24 5768->5769 5770 406408 5 API calls 5769->5770 5771 401f33 5770->5771 5772 401f4f GlobalAlloc 5771->5772 5774 401fb7 5771->5774 5773 401f63 5772->5773 5772->5774 5775 406408 5 API calls 5773->5775 5776 401f6a 5775->5776 5777 406408 5 API calls 5776->5777 5778 401f74 5777->5778 5778->5774 5782 405f79 wsprintfW 5778->5782 5780 401fa9 5783 405f79 wsprintfW 5780->5783 5782->5780 5783->5774 4529 403c1e 4530 403d71 4529->4530 4531 403c36 4529->4531 4533 403d82 GetDlgItem GetDlgItem 4530->4533 4536 403dc2 4530->4536 4531->4530 4532 403c42 4531->4532 4537 403c60 4532->4537 4538 403c4d SetWindowPos 4532->4538 4534 4040f6 19 API calls 4533->4534 4541 403dac KiUserCallbackDispatcher 4534->4541 4535 403e1c 4542 404142 SendMessageW 4535->4542 4547 403d6c 4535->4547 4536->4535 4546 401389 2 API calls 4536->4546 4539 403c65 ShowWindow 4537->4539 
4540 403c7d 4537->4540 4538->4537 4539->4540 4543 403c85 DestroyWindow 4540->4543 4544 403c9f 4540->4544 4599 40140b 4541->4599 4567 403e2e 4542->4567 4548 40407f 4543->4548 4549 403ca4 SetWindowLongW 4544->4549 4550 403cb5 4544->4550 4551 403df4 4546->4551 4548->4547 4560 4040b0 ShowWindow 4548->4560 4549->4547 4553 403cc1 GetDlgItem 4550->4553 4554 403d5e 4550->4554 4551->4535 4555 403df8 SendMessageW 4551->4555 4552 404081 DestroyWindow EndDialog 4552->4548 4557 403cf1 4553->4557 4558 403cd4 SendMessageW IsWindowEnabled 4553->4558 4559 40415d 8 API calls 4554->4559 4555->4547 4556 40140b 2 API calls 4556->4567 4562 403cfe 4557->4562 4564 403d45 SendMessageW 4557->4564 4565 403d11 4557->4565 4573 403cf6 4557->4573 4558->4547 4558->4557 4559->4547 4560->4547 4561 406054 18 API calls 4561->4567 4562->4564 4562->4573 4563 4040cf SendMessageW 4566 403d2c 4563->4566 4564->4554 4568 403d19 4565->4568 4569 403d2e 4565->4569 4566->4554 4567->4547 4567->4552 4567->4556 4567->4561 4571 4040f6 19 API calls 4567->4571 4575 4040f6 19 API calls 4567->4575 4590 403fc1 DestroyWindow 4567->4590 4570 40140b 2 API calls 4568->4570 4572 40140b 2 API calls 4569->4572 4570->4573 4571->4567 4574 403d35 4572->4574 4573->4563 4574->4554 4574->4573 4576 403ea9 GetDlgItem 4575->4576 4577 403ec6 ShowWindow KiUserCallbackDispatcher 4576->4577 4578 403ebe 4576->4578 4602 404118 KiUserCallbackDispatcher 4577->4602 4578->4577 4580 403ef0 EnableWindow 4583 403f04 4580->4583 4581 403f09 GetSystemMenu EnableMenuItem SendMessageW 4582 403f39 SendMessageW 4581->4582 4581->4583 4582->4583 4583->4581 4603 40412b SendMessageW 4583->4603 4604 406032 lstrcpynW 4583->4604 4586 403f67 lstrlenW 4587 406054 18 API calls 4586->4587 4588 403f7d SetWindowTextW 4587->4588 4589 401389 2 API calls 4588->4589 4589->4567 4590->4548 4591 403fdb CreateDialogParamW 4590->4591 4591->4548 4592 40400e 4591->4592 4593 4040f6 19 API calls 4592->4593 4594 404019 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4593->4594 
4595 401389 2 API calls 4594->4595 4596 40405f 4595->4596 4596->4547 4597 404067 ShowWindow 4596->4597 4598 404142 SendMessageW 4597->4598 4598->4548 4600 401389 2 API calls 4599->4600 4601 401420 4600->4601 4601->4536 4602->4580 4603->4583 4604->4586 4605 40249e 4616 402cc9 4605->4616 4607 4024a8 4608 402ba2 18 API calls 4607->4608 4609 4024b1 4608->4609 4610 4024bc 4609->4610 4611 40281e 4609->4611 4612 4024d5 RegEnumValueW 4610->4612 4613 4024c9 RegEnumKeyW 4610->4613 4612->4611 4614 4024ee RegCloseKey 4612->4614 4613->4614 4614->4611 4617 402bbf 18 API calls 4616->4617 4618 402ce2 4617->4618 4619 402cf0 RegOpenKeyExW 4618->4619 4619->4607 5784 40149e 5785 402288 5784->5785 5786 4014ac PostQuitMessage 5784->5786 5786->5785 4642 40231f 4643 402324 4642->4643 4644 40234f 4642->4644 4645 402cc9 19 API calls 4643->4645 4646 402bbf 18 API calls 4644->4646 4648 40232b 4645->4648 4647 402356 4646->4647 4654 402bff RegOpenKeyExW 4647->4654 4649 402335 4648->4649 4652 40236c 4648->4652 4650 402bbf 18 API calls 4649->4650 4653 40233c RegDeleteValueW RegCloseKey 4650->4653 4653->4652 4655 402c93 4654->4655 4658 402c2a 4654->4658 4655->4652 4656 402c50 RegEnumKeyW 4657 402c62 RegCloseKey 4656->4657 4656->4658 4665 406408 GetModuleHandleA 4657->4665 4658->4656 4658->4657 4659 402c87 RegCloseKey 4658->4659 4661 402bff 5 API calls 4658->4661 4663 402c76 4659->4663 4661->4658 4663->4655 4664 402ca2 RegDeleteKeyW 4664->4663 4666 406424 4665->4666 4667 40642e GetProcAddress 4665->4667 4671 40639c GetSystemDirectoryW 4666->4671 4670 402c72 4667->4670 4669 40642a 4669->4667 4669->4670 4670->4663 4670->4664 4672 4063be wsprintfW LoadLibraryW 4671->4672 4672->4669 5787 100010e1 5788 10001111 5787->5788 5789 100011d8 GlobalFree 5788->5789 5790 100012ba 2 API calls 5788->5790 5791 100011d3 5788->5791 5792 100011f8 GlobalFree 5788->5792 5793 10001272 2 API calls 5788->5793 5794 10001164 GlobalAlloc 5788->5794 5795 100012e1 lstrcpyW 5788->5795 5796 100011c4 GlobalFree 5788->5796 
5790->5788 5791->5789 5792->5788 5793->5796 5794->5788 5795->5788 5796->5788 5797 401ca3 5798 402ba2 18 API calls 5797->5798 5799 401ca9 IsWindow 5798->5799 5800 401a05 5799->5800 5801 402a27 SendMessageW 5802 402a41 InvalidateRect 5801->5802 5803 402a4c 5801->5803 5802->5803 5804 40242a 5805 402cc9 19 API calls 5804->5805 5806 402434 5805->5806 5807 402bbf 18 API calls 5806->5807 5808 40243d 5807->5808 5809 402448 RegQueryValueExW 5808->5809 5813 40281e 5808->5813 5810 402468 5809->5810 5811 40246e RegCloseKey 5809->5811 5810->5811 5815 405f79 wsprintfW 5810->5815 5811->5813 5815->5811 4812 40172d 4813 402bbf 18 API calls 4812->4813 4814 401734 SearchPathW 4813->4814 4815 40174f 4814->4815 5816 4027b4 5817 4027ba 5816->5817 5818 4027c2 FindClose 5817->5818 5819 402a4c 5817->5819 5818->5819 5820 401b37 5821 401b44 5820->5821 5822 401b88 5820->5822 5828 401bcd 5821->5828 5829 401b5b 5821->5829 5823 401bb2 GlobalAlloc 5822->5823 5824 401b8d 5822->5824 5825 406054 18 API calls 5823->5825 5835 402288 5824->5835 5841 406032 lstrcpynW 5824->5841 5825->5828 5826 406054 18 API calls 5830 402282 5826->5830 5828->5826 5828->5835 5839 406032 lstrcpynW 5829->5839 5834 405777 MessageBoxIndirectW 5830->5834 5831 401b9f GlobalFree 5831->5835 5833 401b6a 5840 406032 lstrcpynW 5833->5840 5834->5835 5837 401b79 5842 406032 lstrcpynW 5837->5842 5839->5833 5840->5837 5841->5831 5842->5835 5843 402537 5844 402562 5843->5844 5845 40254b 5843->5845 5846 402596 5844->5846 5847 402567 5844->5847 5848 402ba2 18 API calls 5845->5848 5850 402bbf 18 API calls 5846->5850 5849 402bbf 18 API calls 5847->5849 5855 402552 5848->5855 5851 40256e WideCharToMultiByte lstrlenA 5849->5851 5852 40259d lstrlenW 5850->5852 5851->5855 5852->5855 5853 4025ca 5854 405cb9 WriteFile 5853->5854 5856 4025e0 5853->5856 5854->5856 5855->5853 5855->5856 5857 405ce8 5 API calls 5855->5857 5857->5853 5858 4014b8 5859 4014be 5858->5859 5860 401389 2 API calls 5859->5860 5861 4014c6 5860->5861 4868 4015b9 4869 402bbf 18 
API calls 4868->4869 4870 4015c0 4869->4870 4887 405a91 CharNextW CharNextW 4870->4887 4872 401629 4874 40165b 4872->4874 4875 40162e 4872->4875 4873 405a13 CharNextW 4883 4015c9 4873->4883 4878 401423 25 API calls 4874->4878 4876 401423 25 API calls 4875->4876 4877 401635 4876->4877 4901 406032 lstrcpynW 4877->4901 4884 401653 4878->4884 4882 401642 SetCurrentDirectoryW 4882->4884 4883->4872 4883->4873 4885 40160f GetFileAttributesW 4883->4885 4893 4056fa 4883->4893 4896 405660 CreateDirectoryW 4883->4896 4902 4056dd CreateDirectoryW 4883->4902 4885->4883 4888 405ac0 4887->4888 4889 405aae 4887->4889 4891 405a13 CharNextW 4888->4891 4892 405ae4 4888->4892 4889->4888 4890 405abb CharNextW 4889->4890 4890->4892 4891->4888 4892->4883 4894 406408 5 API calls 4893->4894 4895 405701 4894->4895 4895->4883 4897 4056b1 GetLastError 4896->4897 4898 4056ad 4896->4898 4897->4898 4899 4056c0 SetFileSecurityW 4897->4899 4898->4883 4899->4898 4900 4056d6 GetLastError 4899->4900 4900->4898 4901->4882 4903 4056f1 GetLastError 4902->4903 4904 4056ed 4902->4904 4903->4904 4904->4883 4905 401939 4906 40193b 4905->4906 4907 402bbf 18 API calls 4906->4907 4908 401940 4907->4908 4911 405823 4908->4911 4951 405aee 4911->4951 4914 405862 4917 40598d 4914->4917 4965 406032 lstrcpynW 4914->4965 4915 40584b DeleteFileW 4916 401949 4915->4916 4917->4916 4924 406375 2 API calls 4917->4924 4919 405888 4920 40589b 4919->4920 4921 40588e lstrcatW 4919->4921 4966 405a32 lstrlenW 4920->4966 4922 4058a1 4921->4922 4925 4058b1 lstrcatW 4922->4925 4926 4058a7 4922->4926 4927 4059a7 4924->4927 4928 4058bc lstrlenW FindFirstFileW 4925->4928 4926->4925 4926->4928 4927->4916 4929 4059ab 4927->4929 4931 405982 4928->4931 4950 4058de 4928->4950 4930 4059e6 3 API calls 4929->4930 4932 4059b1 4930->4932 4931->4917 4934 4057db 5 API calls 4932->4934 4933 405965 FindNextFileW 4937 40597b FindClose 4933->4937 4933->4950 4936 4059bd 4934->4936 4938 4059c1 4936->4938 4939 4059d7 4936->4939 4937->4931 4938->4916 
4943 405191 25 API calls 4938->4943 4941 405191 25 API calls 4939->4941 4941->4916 4942 405823 62 API calls 4942->4950 4944 4059ce 4943->4944 4945 405ed3 38 API calls 4944->4945 4947 4059d5 4945->4947 4946 405191 25 API calls 4946->4933 4947->4916 4948 405191 25 API calls 4948->4950 4949 405ed3 38 API calls 4949->4950 4950->4933 4950->4942 4950->4946 4950->4948 4950->4949 4970 406032 lstrcpynW 4950->4970 4971 4057db 4950->4971 4979 406032 lstrcpynW 4951->4979 4953 405aff 4954 405a91 4 API calls 4953->4954 4955 405b05 4954->4955 4956 405843 4955->4956 4957 4062c6 5 API calls 4955->4957 4956->4914 4956->4915 4963 405b15 4957->4963 4958 405b46 lstrlenW 4959 405b51 4958->4959 4958->4963 4961 4059e6 3 API calls 4959->4961 4960 406375 2 API calls 4960->4963 4962 405b56 GetFileAttributesW 4961->4962 4962->4956 4963->4956 4963->4958 4963->4960 4964 405a32 2 API calls 4963->4964 4964->4958 4965->4919 4967 405a40 4966->4967 4968 405a52 4967->4968 4969 405a46 CharPrevW 4967->4969 4968->4922 4969->4967 4969->4968 4970->4950 4972 405be2 2 API calls 4971->4972 4973 4057e7 4972->4973 4974 405808 4973->4974 4975 4057f6 RemoveDirectoryW 4973->4975 4976 4057fe DeleteFileW 4973->4976 4974->4950 4977 405804 4975->4977 4976->4977 4977->4974 4978 405814 SetFileAttributesW 4977->4978 4978->4974 4979->4953 5862 403839 5863 403844 5862->5863 5864 40384b GlobalAlloc 5863->5864 5865 403848 5863->5865 5864->5865 5866 40293b 5867 402ba2 18 API calls 5866->5867 5868 402941 5867->5868 5869 402964 5868->5869 5870 40297d 5868->5870 5877 40281e 5868->5877 5873 402969 5869->5873 5874 40297a 5869->5874 5871 402993 5870->5871 5872 402987 5870->5872 5876 406054 18 API calls 5871->5876 5875 402ba2 18 API calls 5872->5875 5880 406032 lstrcpynW 5873->5880 5881 405f79 wsprintfW 5874->5881 5875->5877 5876->5877 5880->5877 5881->5877 5882 10002a7f 5883 10002a97 5882->5883 5884 1000158f 2 API calls 5883->5884 5885 10002ab2 5884->5885

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                [Control-flow graph of function 8b1112, serialised as a token list: each basic block is a numbered entry with its address range and the API calls it makes (for example "48 8b1458-8b14a0 GetStartupInfoW CreateProcessW"), followed by "a->b" edges between blocks. The raw data, rendered as a graph in the interactive report, is omitted here; it covers the GetTempFileNameW/CopyFileW self-copy branch, the CreatePipe/CreateProcessW child launch, and a PeekNamedPipe/GetTickCount/Sleep polling loop that reaches TerminateProcess.]
                                                C-Code - Quality: 88%
                                                			E008B1112(void* __eflags, signed int _a4) {
                                                				void* _v8;
                                                				void* _v12;
                                                				WCHAR* _v16;
                                                				long _v20;
                                                				WCHAR* _v24;
                                                				void* _v28;
                                                				long _v32;
                                                				void* _v36;
                                                				void* _v40;
                                                				long _v44;
                                                				void* _v48;
                                                				struct _OVERLAPPED* _v52;
                                                				struct _OVERLAPPED* _v56;
                                                				long _v60;
                                                				void* _v64;
                                                				struct _SECURITY_ATTRIBUTES _v76;
                                                				struct _PROCESS_INFORMATION _v92;
                                                				void* _v111;
                                                				struct _SECURITY_DESCRIPTOR _v112;
                                                				struct _STARTUPINFOW _v180;
                                                				void _v434;
                                                				short _v436;
                                                				short _v956;
                                                				short _t177;
                                                				intOrPtr _t181;
                                                				void* _t183;
                                                				struct HWND__* _t184;
                                                				void* _t186;
                                                				int _t196;
                                                				void* _t207;
                                                				void* _t208;
                                                				void* _t225;
                                                				int _t228;
                                                				int _t246;
                                                				long _t248;
                                                				unsigned int _t251;
                                                				signed int _t254;
                                                				short _t256;
                                                				struct _OVERLAPPED* _t258;
                                                				void* _t262;
                                                				long _t272;
                                                				void* _t273;
                                                				intOrPtr _t275;
                                                				struct _OVERLAPPED* _t281;
                                                				struct HWND__* _t282;
                                                				struct HWND__* _t283;
                                                				long _t285;
                                                				intOrPtr _t286;
                                                				void* _t298;
                                                				void* _t300;
                                                				struct _OVERLAPPED* _t308;
                                                				signed int _t309;
                                                				signed int _t312;
                                                				intOrPtr _t326;
                                                				struct _OVERLAPPED** _t328;
                                                				WCHAR* _t333;
                                                				WCHAR* _t339;
                                                				signed int _t345;
                                                				void* _t349;
                                                				WCHAR* _t350;
                                                				short* _t351;
                                                				WCHAR* _t353;
                                                				signed int _t358;
                                                				short* _t359;
                                                				short* _t360;
                                                				void* _t362;
                                                				void* _t364;
                                                				struct _OVERLAPPED* _t370;
                                                				WCHAR* _t371;
                                                				WCHAR* _t375;
                                                				void* _t377;
                                                				void* _t378;
                                                				void* _t379;
                                                				void* _t380;
                                                
                                                				_t177 =  *0x8b3cb8; // 0x0
                                                				_v436 = _t177;
                                                				_t309 = 0x3f;
                                                				memset( &_v434, 0, _t309 << 2);
                                                				_t379 = _t378 + 0xc;
                                                				_t310 = 0;
                                                				asm("stosw");
                                                				if(E008B1096(0) != 0) {
                                                					_t181 =  *0x8b3cc8; // 0x400
                                                					_t308 = 0;
                                                					_v16 = 0;
                                                					_t183 = GlobalAlloc(0x40, _t181 + _t181 + 2);
                                                					_v24 = _t183;
                                                					_t339 = _t183;
                                                					_t364 = _t183;
                                                					goto L13;
                                                				} else {
                                                					_t285 = GetModuleFileNameW( *0x8b3cbc,  &_v956, 0x104);
                                                					_t286 =  *0x8b3cc8; // 0x400
                                                					_t358 = _t285 + 2;
                                                					_t364 = GlobalAlloc(0x40, _t286 + _t358 + _t286 + _t358 + 4);
                                                					_t359 = _t377 + _t358 * 2 - 0x3bc;
                                                					_v24 = _t364;
                                                					_t11 = _t364 + 2; // 0x2
                                                					 *_t364 = 0x22;
                                                					_v16 = _t11;
                                                					while( *_t359 != 0x5c) {
                                                						_push(_t359);
                                                						_push( &_v956);
                                                						_t359 = CharPrevW();
                                                						if(_t359 >  &_v956) {
                                                							continue;
                                                						}
                                                						break;
                                                					}
                                                					if(_t359 !=  &_v956) {
                                                						_t308 = 0;
                                                						 *_t359 = 0;
                                                						GetTempFileNameW( &_v956, L"ns", 0, _v16);
                                                						 *_t359 = 0x5c;
                                                						if(CopyFileW( &_v956, _v16, 0) == 0) {
                                                							L11:
                                                							lstrcatW(_t364, "\"");
                                                							_t360 = _t364 + lstrlenW(_t364) * 2;
                                                							 *_t360 = 0x20;
                                                							_t339 = _t360 + 2;
                                                							L13:
                                                							_t184 =  *0x8b3cc4; // 0xb0248
                                                							_v36 = _t339;
                                                							_v56 = _t308;
                                                							_v52 = _t308;
                                                							 *0x8b3cc0 = _t308;
                                                							if(_t184 != _t308) {
                                                								_t282 = FindWindowExW(_t184, _t308, L"#32770", _t308); // executed
                                                								_t283 = FindWindowExW(_t282, _t308, L"SysListView32", _t308); // executed
                                                								_t364 = _v24;
                                                								 *0x8b3cc0 = _t283;
                                                							}
                                                							while(1) {
                                                								E008B1A33(_t339);
                                                								_t186 = E008B1849(_t310, _t339, L"/TIMEOUT=");
                                                								_pop(_t310);
                                                								if(_t186 != _t339) {
                                                									goto L17;
                                                								}
                                                								_t37 =  &(_t339[9]); // 0x12
                                                								_t281 = E008B18AF(_t37);
                                                								_pop(_t310);
                                                								_v56 = _t281;
                                                								L19:
                                                								 *_t339 = _t308;
                                                								continue;
                                                								L17:
                                                								if(lstrcmpiW(_t339, L"/OEM") != 0) {
                                                									if( *_t339 != _t308) {
                                                										_t312 = 0x10;
                                                										_v180.cb = 0x44;
                                                										_v76.nLength = 0xc;
                                                										memset( &(_v180.lpReserved), 0, _t312 << 2);
                                                										_t380 = _t379 + 0xc;
                                                										_v112.Revision = _t308;
                                                										asm("stosd");
                                                										asm("stosd");
                                                										asm("stosd");
                                                										asm("stosd");
                                                										asm("stosd");
                                                										asm("stosd");
                                                										asm("stosw");
                                                										asm("stosb");
                                                										_v92.hProcess = _t308;
                                                										asm("stosd");
                                                										asm("stosd");
                                                										asm("stosd");
                                                										GetVersion();
                                                										_v40 = _t308;
                                                										asm("sbb edi, edi");
                                                										_t345 =  ~( &(_v92.hThread));
                                                										_v28 = _t308;
                                                										_v48 = _t308;
                                                										_v64 = _t308;
                                                										_v20 = 1;
                                                										_v44 = _t308;
                                                										_v32 = 0x102;
                                                										_v12 = _t308;
                                                										_v8 = _t308;
                                                										if(_a4 == _t308) {
                                                											L31:
                                                											_v76.bInheritHandle = 1;
                                                											_v76.lpSecurityDescriptor = _t308;
                                                											if(_t345 != _t308) {
                                                												InitializeSecurityDescriptor( &_v112, 1);
                                                												SetSecurityDescriptorDacl( &_v112, 1, _t308, _t308);
                                                												_v76.lpSecurityDescriptor =  &_v112;
                                                											}
                                                											_t196 = CreatePipe( &_v28,  &_v40,  &_v76, _t308); // executed
                                                											if(_t196 == 0 || CreatePipe( &_v64,  &_v48,  &_v76, _t308) == 0) {
                                                												L75:
                                                												lstrcpyW( &_v436, L"error");
                                                												goto L76;
                                                											} else {
                                                												GetStartupInfoW( &_v180);
                                                												_v180.dwFlags = 0x101;
                                                												_v180.hStdInput = _v48;
                                                												_t225 = _v40;
                                                												_v180.hStdOutput = _t225;
                                                												_v180.hStdError = _t225;
                                                												_v180.wShowWindow = _t308;
                                                												_t228 = CreateProcessW(_t308, _v24, _t308, _t308, 1, 0x10, _t308, _t308,  &_v180,  &_v92); // executed
                                                												if(_t228 == 0) {
                                                													goto L75;
                                                												}
                                                												_v60 = GetTickCount();
                                                												while(_v32 != _t308 || _v20 != _t308) {
                                                													PeekNamedPipe(_v28, _t308, _t308, _t308,  &_v20, _t308); // executed
                                                													if(_v20 == _t308) {
                                                														_t370 = _v56;
                                                														if(_t370 == _t308 || GetTickCount() <= _v60 + _t370) {
                                                															Sleep(0x64); // executed
                                                														} else {
                                                															TerminateProcess(_v92.hProcess, 0xffffffff);
                                                															lstrcpyW( &_v436, L"timeout");
                                                														}
                                                														L74:
                                                														_v32 = WaitForSingleObject(_v92.hProcess, _t308);
                                                														GetExitCodeProcess(_v92.hProcess,  &_v44); // executed
                                                														PeekNamedPipe(_v28, _t308, _t308, _t308,  &_v20, _t308); // executed
                                                														continue;
                                                													}
                                                													_v60 = GetTickCount();
                                                													ReadFile(_v28, 0x8b30b8, 0x3ff,  &_v20, _t308); // executed
                                                													 *(0x8b30b8 + _v20) = _t308;
                                                													E008B10D3(0x8b30b8, _v20, 0x8b34b8, 0x400);
                                                													_t380 = _t380 + 0x10;
                                                													if(_a4 == _t308) {
                                                														goto L74;
                                                													}
                                                													_t246 = lstrlenW(_v8);
                                                													if((_a4 & 0x00000002) == 0) {
                                                														_v32 = _t246;
                                                														_t114 = 1 + lstrlenW(0x8b34b8); // 0x103
                                                														_t349 = _v32 + _t114;
                                                														_t248 = GlobalSize(_v12);
                                                														_t318 = _t349 + _t349;
                                                														if(_t248 >= _t349 + _t349) {
                                                															L46:
                                                															lstrcatW(_v8, 0x8b34b8);
                                                															_push("\t");
                                                															_push(_v8);
                                                															while(1) {
                                                																_t350 = E008B1849(_t318);
                                                																if(_t350 == _t308) {
                                                																	break;
                                                																}
                                                																_t251 = GlobalSize(_v12);
                                                																_t318 = _t350 - _v8 >> 1;
                                                																if(_t350 - _v8 >> 1 <= (_t251 >> 1) - 0x12) {
                                                																	_t254 = lstrlenW(_t350);
                                                																	_t127 = _t254 * 2; // 0x22
                                                																	_t318 = _t350 + _t127 + 0x22;
                                                																	_t333 =  &(_t350[_t254]);
                                                																	if(_t254 <= _t308) {
                                                																		L51:
                                                																		lstrcpyW(_t350, L"        ");
                                                																		_t351 =  &(_t350[0x11]);
                                                																		 *_t351 = 0x20;
                                                																		L52:
                                                																		_push("\t");
                                                																		_push(_t351);
                                                																		continue;
                                                																	} else {
                                                																		goto L50;
                                                																	}
                                                																	do {
                                                																		L50:
                                                																		 *_t318 =  *_t333;
                                                																		_t318 = _t318;
                                                																		_t333 = _t333;
                                                																		_t254 = _t254 - 1;
                                                																	} while (_t254 != 0);
                                                																	goto L51;
                                                																}
                                                																 *_t350 = 0x20;
                                                																_t351 =  &(_t350[1]);
                                                																goto L52;
                                                															}
                                                															_t371 = _v8;
                                                															_t353 = _t371;
                                                															if( *_t371 == _t308) {
                                                																goto L74;
                                                															} else {
                                                																goto L55;
                                                															}
                                                															do {
                                                																L55:
                                                																_t256 =  *_t371;
                                                																if(_t256 != 0xd) {
                                                																	if(_t256 != 0xa) {
                                                																		_t371 = CharNextW(_t371);
                                                																		goto L64;
                                                																	}
                                                																	 *_t371 = _t308;
                                                																	while( *_t353 == _t308) {
                                                																		if(_t353 == _t371) {
                                                																			break;
                                                																		}
                                                																		_t353 =  &(_t353[1]);
                                                																	}
                                                																	_push(_v52);
                                                																	E008B17DD(_t353);
                                                																	_t371 =  &(_t371[1]);
                                                																	_t353 = _t371;
                                                																	goto L64;
                                                																}
                                                																 *_t371 = _t308;
                                                																_t371 =  &(_t371[1]);
                                                																L64:
                                                															} while ( *_t371 != _t308);
                                                															if(_t353 == _v8) {
                                                																goto L74;
                                                															}
                                                															_t328 = _v8;
                                                															while(1) {
                                                																_t258 =  *_t353;
                                                																if(_t258 == _t308) {
                                                																	break;
                                                																}
                                                																 *_t328 = _t258;
                                                																_t328 =  &(_t328[0]);
                                                																_t353 =  &(_t353[1]);
                                                															}
                                                															 *_t328 = _t308;
                                                															goto L74;
                                                														}
                                                														GlobalUnlock(_v12);
                                                														_t118 = _t349 + 0x800; // 0x903
                                                														_t262 = GlobalReAlloc(_v12, _t349 + _t118, 0x42);
                                                														_v12 = _t262;
                                                														if(_t262 == _t308) {
                                                															goto L75;
                                                														}
                                                														_v8 = GlobalLock(_t262);
                                                														goto L46;
                                                													}
                                                													_t326 =  *0x8b3cc8; // 0x400
                                                													_t375 = _v8;
                                                													lstrcpynW( &(_t375[lstrlenW(_t375)]), 0x8b34b8, _t326 - _t246);
                                                													goto L74;
                                                												}
                                                												L76:
                                                												if((_a4 & 0x00000002) != 0) {
                                                													E008B1A73(_v8);
                                                												}
                                                												if((_a4 & 0x00000001) != 0) {
                                                													_t216 = _v8;
                                                													if( *_v8 != _t308) {
                                                														_push(_v52);
                                                														E008B17DD(_t216);
                                                													}
                                                												}
                                                												if(_v44 == 0xc000001d) {
                                                													lstrcpyW( &_v436, L"error");
                                                												}
                                                												if(_v436 == _t308) {
                                                													wsprintfW( &_v436, L"%d", _v44);
                                                												}
                                                												E008B1A73( &_v436);
                                                												CloseHandle(_v92.hThread);
                                                												CloseHandle(_v92);
                                                												CloseHandle(_v40);
                                                												CloseHandle(_v28);
                                                												CloseHandle(_v48);
                                                												CloseHandle(_v64);
                                                												_t207 = _v36;
                                                												if(_t207 - 4 >= _v24) {
                                                													 *(_t207 - 4) = _t308;
                                                												}
                                                												if(_v16 != _t308) {
                                                													DeleteFileW(_v16);
                                                												}
                                                												_t208 = GlobalFree(_v24);
                                                												if(_a4 == _t308) {
                                                													return _t208;
                                                												} else {
                                                													GlobalUnlock(_v12);
                                                													return GlobalFree(_v12);
                                                												}
                                                											}
                                                										}
                                                										if((_a4 & 0x00000002) == 0) {
                                                											_t272 = 0x2000;
                                                										} else {
                                                											_t275 =  *0x8b3cc8; // 0x400
                                                											_t272 = _t275 + _t275;
                                                										}
                                                										_t273 = GlobalAlloc(0x42, _t272);
                                                										_v12 = _t273;
                                                										if(_t273 == _t308) {
                                                											goto L75;
                                                										} else {
                                                											_v8 = GlobalLock(_t273);
                                                											goto L31;
                                                										}
                                                									}
                                                									E008B1A73(L"error");
                                                									_t40 = _t339 - 4; // -4
                                                									if(_t40 >= _t364) {
                                                										 *(_t339 - 4) = _t308;
                                                									}
                                                									if(_v16 != _t308) {
                                                										DeleteFileW(_v16);
                                                									}
                                                									goto L6;
                                                								}
                                                								_v52 = 1;
                                                								goto L19;
                                                							}
                                                						}
                                                						_t298 = CreateFileW(_v16, 0xc0000000, 0, 0, 3, 0, 0);
                                                						_v36 = _t298;
                                                						_t362 = CreateFileMappingW(_t298, 0, 4, 0, 0, 0);
                                                						_t300 = MapViewOfFile(_t362, 2, 0, 0, 0);
                                                						if(_t300 != 0) {
                                                							_t310 =  *((intOrPtr*)(_t300 + 0x3c)) + _t300;
                                                							 *((short*)(_t310 + 0x16)) = 0x10e;
                                                							 *((short*)(_t310 + 0x5c)) = 3;
                                                							 *((intOrPtr*)(_t310 + 0x28)) = E008B194F -  *0x8b3cbc;
                                                							UnmapViewOfFile(_t300);
                                                						}
                                                						CloseHandle(_t362);
                                                						CloseHandle(_v36);
                                                						goto L11;
                                                					} else {
                                                						E008B1A73(L"error");
                                                						L6:
                                                						return GlobalFree(_t364);
                                                					}
                                                				}
                                                			}
Address column for the listing above, from the side-by-side decompiler view (one entry per statement, 0x008b111b through 0x008b1384; entries of 0x00000000 carry no address).
                                                0x008b1385
                                                0x008b1386
                                                0x008b1388
                                                0x008b138e
                                                0x008b1391
                                                0x008b1392
                                                0x008b1393
                                                0x008b1394
                                                0x008b139f
                                                0x008b13a2
                                                0x008b13a6
                                                0x008b13ac
                                                0x008b13af
                                                0x008b13b2
                                                0x008b13b5
                                                0x008b13b8
                                                0x008b13bb
                                                0x008b13c2
                                                0x008b13c5
                                                0x008b13c8
                                                0x008b13fc
                                                0x008b13fe
                                                0x008b1401
                                                0x008b1404
                                                0x008b140b
                                                0x008b1418
                                                0x008b1421
                                                0x008b1421
                                                0x008b1437
                                                0x008b143b
                                                0x008b16f8
                                                0x008b1704
                                                0x00000000
                                                0x008b1458
                                                0x008b145f
                                                0x008b1468
                                                0x008b1472
                                                0x008b1475
                                                0x008b1478
                                                0x008b147b
                                                0x008b1481
                                                0x008b1498
                                                0x008b14a0
                                                0x00000000
                                                0x00000000
                                                0x008b14ac
                                                0x008b14af
                                                0x008b14cd
                                                0x008b14d6
                                                0x008b168b
                                                0x008b1690
                                                0x008b16c2
                                                0x008b16a1
                                                0x008b16a6
                                                0x008b16b8
                                                0x008b16b8
                                                0x008b16c8
                                                0x008b16d2
                                                0x008b16dc
                                                0x008b16ed
                                                0x00000000
                                                0x008b16ed
                                                0x008b14e2
                                                0x008b14f8
                                                0x008b1509
                                                0x008b150f
                                                0x008b1514
                                                0x008b151a
                                                0x00000000
                                                0x00000000
                                                0x008b1529
                                                0x008b152f
                                                0x008b1551
                                                0x008b155c
                                                0x008b155c
                                                0x008b1560
                                                0x008b1566
                                                0x008b156b
                                                0x008b159e
                                                0x008b15a2
                                                0x008b15a8
                                                0x008b15ad
                                                0x008b160d
                                                0x008b1612
                                                0x008b1618
                                                0x00000000
                                                0x00000000
                                                0x008b15b5
                                                0x008b15c5
                                                0x008b15c9
                                                0x008b15d5
                                                0x008b15dd
                                                0x008b15dd
                                                0x008b15e1
                                                0x008b15e4
                                                0x008b15f3
                                                0x008b15f9
                                                0x008b15ff
                                                0x008b1602
                                                0x008b1607
                                                0x008b1607
                                                0x008b160c
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x008b15e6
                                                0x008b15e6
                                                0x008b15e9
                                                0x008b15ed
                                                0x008b15ef
                                                0x008b15f0
                                                0x008b15f0
                                                0x00000000
                                                0x008b15e6
                                                0x008b15cb
                                                0x008b15d1
                                                0x00000000
                                                0x008b15d1
                                                0x008b161a
                                                0x008b161d
                                                0x008b1622
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x008b1628
                                                0x008b1628
                                                0x008b1628
                                                0x008b162f
                                                0x008b163c
                                                0x008b1666
                                                0x00000000
                                                0x008b1666
                                                0x008b163e
                                                0x008b1649
                                                0x008b1645
                                                0x00000000
                                                0x00000000
                                                0x008b1648
                                                0x008b1648
                                                0x008b164e
                                                0x008b1652
                                                0x008b1659
                                                0x008b165b
                                                0x00000000
                                                0x008b165b
                                                0x008b1631
                                                0x008b1635
                                                0x008b1668
                                                0x008b1668
                                                0x008b1670
                                                0x00000000
                                                0x00000000
                                                0x008b1672
                                                0x008b167e
                                                0x008b167e
                                                0x008b1684
                                                0x00000000
                                                0x00000000
                                                0x008b1677
                                                0x008b167b
                                                0x008b167d
                                                0x008b167d
                                                0x008b1686
                                                0x00000000
                                                0x008b1686
                                                0x008b1570
                                                0x008b1576
                                                0x008b1583
                                                0x008b158b
                                                0x008b158e
                                                0x00000000
                                                0x00000000
                                                0x008b159b
                                                0x00000000
                                                0x008b159b
                                                0x008b1531
                                                0x008b153b
                                                0x008b1545
                                                0x00000000
                                                0x008b1545
                                                0x008b170a
                                                0x008b170e
                                                0x008b1713
                                                0x008b1713
                                                0x008b171c
                                                0x008b171e
                                                0x008b1724
                                                0x008b1726
                                                0x008b172a
                                                0x008b1730
                                                0x008b1724
                                                0x008b1738
                                                0x008b1746
                                                0x008b1746
                                                0x008b1753
                                                0x008b1764
                                                0x008b176a
                                                0x008b1774
                                                0x008b1782
                                                0x008b1787
                                                0x008b178c
                                                0x008b1791
                                                0x008b1796
                                                0x008b179b
                                                0x008b179d
                                                0x008b17a6
                                                0x008b17a8
                                                0x008b17a8
                                                0x008b17af
                                                0x008b17b4
                                                0x008b17b4
                                                0x008b17c3
                                                0x008b17c8
                                                0x008b17dc
                                                0x008b17ca
                                                0x008b17cd
                                                0x00000000
                                                0x008b17d6
                                                0x008b17c8
                                                0x008b143b
                                                0x008b13ce
                                                0x008b13d9
                                                0x008b13d0
                                                0x008b13d0
                                                0x008b13d5
                                                0x008b13d5
                                                0x008b13e1
                                                0x008b13e9
                                                0x008b13ec
                                                0x00000000
                                                0x008b13f2
                                                0x008b13f9
                                                0x00000000
                                                0x008b13f9
                                                0x008b13ec
                                                0x008b1330
                                                0x008b1335
                                                0x008b133a
                                                0x008b133c
                                                0x008b133c
                                                0x008b1343
                                                0x008b134c
                                                0x008b134c
                                                0x00000000
                                                0x008b1343
                                                0x008b131a
                                                0x00000000
                                                0x008b131a
                                                0x008b12e4
                                                0x008b1211
                                                0x008b121e
                                                0x008b1229
                                                0x008b122f
                                                0x008b1237
                                                0x008b1241
                                                0x008b1244
                                                0x008b124a
                                                0x008b1256
                                                0x008b1259
                                                0x008b1259
                                                0x008b1266
                                                0x008b126b
                                                0x00000000
                                                0x008b11b8
                                                0x008b11bd
                                                0x008b11c2
                                                0x00000000
                                                0x008b11c3
                                                0x008b11b6

                                                APIs
                                                  • Part of subcall function 008B1096: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,0000003F,?,008B113F), ref: 008B10A5
                                                  • Part of subcall function 008B1096: GetProcAddress.KERNEL32(00000000), ref: 008B10AC
                                                  • Part of subcall function 008B1096: GetCurrentProcess.KERNEL32(?,?,0000003F,?,008B113F), ref: 008B10BC
                                                • GetModuleFileNameW.KERNEL32(?,00000104), ref: 008B1159
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 008B1171
                                                • CharPrevW.USER32(?,?), ref: 008B119C
                                                • GlobalFree.KERNEL32 ref: 008B11C3
                                                • GetTempFileNameW.KERNEL32(?,008B30A4,00000000,?), ref: 008B11E3
                                                • CopyFileW.KERNEL32(?,?,00000000), ref: 008B11F9
                                                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 008B1211
                                                • CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 008B1221
                                                • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 008B122F
                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 008B1259
                                                • CloseHandle.KERNEL32(00000000), ref: 008B1266
                                                • CloseHandle.KERNEL32(?), ref: 008B126B
                                                • lstrcatW.KERNEL32(00000000,008B30A0), ref: 008B1273
                                                • lstrlenW.KERNEL32(00000000), ref: 008B127A
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 008B129D
                                                • FindWindowExW.USER32(000B0248,00000000,#32770,00000000), ref: 008B12D7
                                                • FindWindowExW.USER32(00000000), ref: 008B12DA
                                                • lstrcmpiW.KERNEL32(00000000,/OEM,00000000), ref: 008B1310
                                                • DeleteFileW.KERNEL32(?,error), ref: 008B134C
                                                • GetVersion.KERNEL32 ref: 008B1394
                                                • GlobalAlloc.KERNEL32(00000042,00002000), ref: 008B13E1
                                                • GlobalLock.KERNEL32 ref: 008B13F3
                                                • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 008B140B
                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 008B1418
                                                • CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 008B1437
                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008B144E
                                                • GetStartupInfoW.KERNEL32(00000044), ref: 008B145F
                                                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,?), ref: 008B1498
                                                • GetTickCount.KERNEL32 ref: 008B14A6
                                                • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 008B14CD
                                                • GetTickCount.KERNEL32 ref: 008B14DC
                                                • ReadFile.KERNELBASE(?,008B30B8,000003FF,?,00000000), ref: 008B14F8
                                                • lstrlenW.KERNEL32(?), ref: 008B1529
                                                • lstrlenW.KERNEL32(?,008B34B8,00000400), ref: 008B153F
                                                • lstrcpynW.KERNEL32(00000000), ref: 008B1545
                                                • lstrlenW.KERNEL32(008B34B8), ref: 008B1554
                                                • GlobalSize.KERNEL32(00000002), ref: 008B1560
                                                • GlobalUnlock.KERNEL32(00000002), ref: 008B1570
                                                • GlobalReAlloc.KERNEL32 ref: 008B1583
                                                • GlobalLock.KERNEL32 ref: 008B1595
                                                • lstrcatW.KERNEL32(?,008B34B8), ref: 008B15A2
                                                • GlobalSize.KERNEL32(00000002), ref: 008B15B5
                                                • lstrlenW.KERNEL32(00000000), ref: 008B15D5
                                                • lstrcpyW.KERNEL32 ref: 008B15F9
                                                • CharNextW.USER32(?), ref: 008B1660
                                                • GetTickCount.KERNEL32 ref: 008B1692
                                                • TerminateProcess.KERNEL32(?,000000FF), ref: 008B16A6
                                                • lstrcpyW.KERNEL32 ref: 008B16B8
                                                • Sleep.KERNELBASE(00000064), ref: 008B16C2
                                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 008B16CC
                                                • GetExitCodeProcess.KERNELBASE(?,?), ref: 008B16DC
                                                • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 008B16ED
                                                • lstrcpyW.KERNEL32 ref: 008B1704
                                                • lstrcpyW.KERNEL32 ref: 008B1746
                                                • wsprintfW.USER32 ref: 008B1764
                                                • CloseHandle.KERNEL32(?,?), ref: 008B1782
                                                • CloseHandle.KERNEL32(?), ref: 008B1787
                                                • CloseHandle.KERNEL32(?), ref: 008B178C
                                                • CloseHandle.KERNEL32(?), ref: 008B1791
                                                • CloseHandle.KERNEL32(?), ref: 008B1796
                                                • CloseHandle.KERNEL32(?), ref: 008B179B
                                                • DeleteFileW.KERNEL32(?), ref: 008B17B4
                                                • GlobalFree.KERNEL32 ref: 008B17C3
                                                • GlobalUnlock.KERNEL32(00000001), ref: 008B17CD
                                                • GlobalFree.KERNEL32 ref: 008B17D6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.567614093.00000000008B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008B0000, based on PE: true
                                                • Associated: 00000000.00000002.567601921.00000000008B0000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.567622930.00000000008B2000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.567691044.00000000008B3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.567805328.00000000008B4000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_8b0000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Global$File$Handle$Close$Createlstrlen$AllocPipeProcesslstrcpy$CountFreeTick$CharDeleteDescriptorFindLockModuleNameNamedPeekSecuritySizeUnlockViewWindowlstrcat$AddressCodeCopyCurrentDaclExitInfoInitializeMappingNextObjectPrevProcReadSingleSleepStartupTempTerminateUnmapVersionWaitlstrcmpilstrcpynwsprintf
                                                • String ID: $ ihv$#32770$/OEM$/TIMEOUT=$D$SysListView32$error$timeout
                                                • API String ID: 4049317599-774827891
                                                • Opcode ID: 9e70e7841585f1b86b025ccd6cc873c8bcdeeb67056d1765442515862641e086
                                                • Instruction ID: c0cf91f8cd8fb3bdff221b98f61772539c65d2a75ba541b6bcd88903a2c60753
                                                • Opcode Fuzzy Hash: 9e70e7841585f1b86b025ccd6cc873c8bcdeeb67056d1765442515862641e086
                                                • Instruction Fuzzy Hash: E6226C71900609EFDF21AFA4DC98AEEBBB9FF08344F544169E505EB260DB345E86CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Rendered graph not recoverable from the page; the edge list has been omitted. The entry block covers 40327d-4032af and calls SetErrorMode and GetVersion.
                                                C-Code - Quality: 82%
                                                			_entry_() {
                                                				struct _SHFILEINFOW _v716;
                                                				int _v720;
                                                				WCHAR* _v724;
                                                				struct _TOKEN_PRIVILEGES _v732;
                                                				signed int _v736;
                                                				void* _v740;
                                                				int _v744;
                                                				WCHAR* _v748;
                                                				intOrPtr _v752;
                                                				intOrPtr _v756;
                                                				int _v764;
                                                				void* _v772;
                                                				intOrPtr _t53;
                                                				WCHAR* _t57;
                                                				char* _t60;
                                                				void* _t63;
                                                				void* _t65;
                                                				intOrPtr _t67;
                                                				signed int _t69;
                                                				int _t72;
                                                				intOrPtr* _t73;
                                                				int _t74;
                                                				int _t76;
                                                				void* _t100;
                                                				signed int _t117;
                                                				void* _t120;
                                                				void* _t125;
                                                				intOrPtr _t144;
                                                				intOrPtr _t145;
                                                				intOrPtr* _t146;
                                                				void* _t148;
                                                				char* _t149;
                                                				void* _t152;
                                                				int _t153;
                                                				signed int _t157;
                                                				signed int _t162;
                                                				signed int _t167;
                                                				void* _t169;
                                                				void* _t172;
                                                				int* _t174;
                                                				signed int _t180;
                                                				signed int _t183;
                                                				void* _t184;
                                                				WCHAR* _t185;
                                                				int _t191;
                                                				signed int _t194;
                                                				void* _t237;
                                                
                                                				_t191 = 0;
                                                				_t184 = 0x20;
                                                				_v720 = 0;
                                                				_v724 = L"Error writing temporary file. Make sure your temp folder is valid.";
                                                				_v716.iIcon = 0;
                                                				SetErrorMode(0x8001); // executed
                                                				if(GetVersion() != 6) {
                                                					_t146 = E00406408(0);
                                                					if(_t146 != 0) {
                                                						 *_t146(0xc00);
                                                					}
                                                				}
                                                				E0040639C("UXTHEME"); // executed
                                                				E0040639C("USERENV"); // executed
                                                				E0040639C("SETUPAPI"); // executed
                                                				E00406408(9);
                                                				_t53 = E00406408(7);
                                                				 *0x7a8a44 = _t53;
                                                				__imp__#17(_t169, _t148);
                                                				__imp__OleInitialize(_t191); // executed
                                                				 *0x7a8af8 = _t53;
                                                				SHGetFileInfoW(0x79ff00, _t191,  &_v716, 0x2b4, _t191); // executed
                                                				E00406032("Ottomans Setup", L"NSIS Error");
                                                				_t57 = GetCommandLineW();
                                                				_t149 = L"\"C:\\Users\\alfons\\Desktop\\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe\" ";
                                                				E00406032(_t149, _t57);
                                                				 *0x7a8a40 = GetModuleHandleW(_t191);
                                                				_t60 = _t149;
                                                				if(L"\"C:\\Users\\alfons\\Desktop\\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe\" " == 0x22) {
                                                					_t60 =  &M007B3002;
                                                					_t184 = 0x22;
                                                				}
                                                				_t153 = CharNextW(E00405A13(_t60, _t184));
                                                				_v748 = _t153;
                                                				_t63 =  *_t153;
                                                				if(_t63 == _t191) {
                                                					L28:
                                                					_t185 = L"C:\\Users\\alfons\\AppData\\Local\\Temp\\";
                                                					GetTempPathW(0x400, _t185);
                                                					_t65 = E0040324C(_t153, 0);
                                                					_t219 = _t65;
                                                					if(_t65 != 0) {
                                                						L31:
                                                						DeleteFileW(L"1033"); // executed
                                                						_t67 = E00402DEE(_t221, _v736); // executed
                                                						_v752 = _t67;
                                                						if(_t67 != _t191) {
                                                							L43:
                                                							E004037A1();
                                                							__imp__OleUninitialize();
                                                							_t233 = _v748 - _t191;
                                                							if(_v748 == _t191) {
                                                								__eflags =  *0x7a8ad4 - _t191;
                                                								if( *0x7a8ad4 == _t191) {
                                                									L67:
                                                									_t69 =  *0x7a8aec;
                                                									__eflags = _t69 - 0xffffffff;
                                                									if(_t69 != 0xffffffff) {
                                                										_v744 = _t69;
                                                									}
                                                									ExitProcess(_v744);
                                                								}
                                                								_t72 = OpenProcessToken(GetCurrentProcess(), 0x28,  &_v740);
                                                								__eflags = _t72;
                                                								if(_t72 != 0) {
                                                									LookupPrivilegeValueW(_t191, L"SeShutdownPrivilege",  &(_v732.Privileges));
                                                									_v732.PrivilegeCount = 1;
                                                									_v720 = 2;
                                                									AdjustTokenPrivileges(_v740, _t191,  &_v732, _t191, _t191, _t191);
                                                								}
                                                								_t73 = E00406408(4);
                                                								__eflags = _t73 - _t191;
                                                								if(_t73 == _t191) {
                                                									L65:
                                                									_t74 = ExitWindowsEx(2, 0x80040002);
                                                									__eflags = _t74;
                                                									if(_t74 != 0) {
                                                										goto L67;
                                                									}
                                                									goto L66;
                                                								} else {
                                                									_t76 =  *_t73(_t191, _t191, _t191, 0x25, 0x80040002);
                                                									__eflags = _t76;
                                                									if(_t76 == 0) {
                                                										L66:
                                                										E0040140B(9);
                                                										goto L67;
                                                									}
                                                									goto L65;
                                                								}
                                                							}
                                                							E00405777(_v748, 0x200010);
                                                							ExitProcess(2);
                                                						}
                                                						if( *0x7a8a5c == _t191) {
                                                							L42:
                                                							 *0x7a8aec =  *0x7a8aec | 0xffffffff;
                                                							_v744 = E0040387B( *0x7a8aec);
                                                							goto L43;
                                                						}
                                                						_t174 = E00405A13(_t149, _t191);
                                                						if(_t174 < _t149) {
                                                							L39:
                                                							_t230 = _t174 - _t149;
                                                							_v748 = L"Error launching installer";
                                                							if(_t174 < _t149) {
                                                								_t172 = E004056FA(_t233);
                                                								lstrcatW(_t185, L"~nsu");
                                                								if(_t172 != _t191) {
                                                									lstrcatW(_t185, "A");
                                                								}
                                                								lstrcatW(_t185, L".tmp");
                                                								_t151 = L"C:\\Users\\alfons\\Desktop";
                                                								if(lstrcmpiW(_t185, L"C:\\Users\\alfons\\Desktop") != 0) {
                                                									_push(_t185);
                                                									if(_t172 == _t191) {
                                                										E004056DD();
                                                									} else {
                                                										E00405660();
                                                									}
                                                									SetCurrentDirectoryW(_t185);
                                                									_t237 = L"C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis" - _t191; // 0x43
                                                									if(_t237 == 0) {
                                                										E00406032(L"C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis", _t151);
                                                									}
                                                									E00406032(0x7a9000, _v740);
                                                									_t154 = "A" & 0x0000ffff;
                                                									 *0x7a9800 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                                                									_t152 = 0x1a;
                                                									do {
                                                										E00406054(_t152, 0x79f700, _t185, 0x79f700,  *((intOrPtr*)( *0x7a8a50 + 0x120)));
                                                										DeleteFileW(0x79f700);
                                                										if(_v756 != _t191 && CopyFileW(L"C:\\Users\\alfons\\Desktop\\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe", 0x79f700, 1) != 0) {
                                                											E00405ED3(_t154, 0x79f700, _t191);
                                                											E00406054(_t152, 0x79f700, _t185, 0x79f700,  *((intOrPtr*)( *0x7a8a50 + 0x124)));
                                                											_t100 = E00405712(0x79f700);
                                                											if(_t100 != _t191) {
                                                												CloseHandle(_t100);
                                                												_v748 = _t191;
                                                											}
                                                										}
                                                										 *0x7a9800 =  *0x7a9800 + 1;
                                                										_t152 = _t152 - 1;
                                                									} while (_t152 != 0);
                                                									E00405ED3(_t154, _t185, _t191);
                                                								}
                                                								goto L43;
                                                							}
                                                							 *_t174 = _t191;
                                                							_t175 =  &(_t174[2]);
                                                							if(E00405AEE(_t230,  &(_t174[2])) == 0) {
                                                								goto L43;
                                                							}
                                                							E00406032(L"C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis", _t175);
                                                							E00406032(L"C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis\\Sekstal", _t175);
                                                							_v764 = _t191;
                                                							goto L42;
                                                						}
                                                						asm("cdq");
                                                						asm("cdq");
                                                						asm("cdq");
                                                						_t157 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                                                						_t117 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t162 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
                                                						while( *_t174 != _t157 || _t174[1] != _t117) {
                                                							_t174 = _t174;
                                                							if(_t174 >= _t149) {
                                                								continue;
                                                							}
                                                							break;
                                                						}
                                                						_t191 = 0;
                                                						goto L39;
                                                					}
                                                					GetWindowsDirectoryW(_t185, 0x3fb);
                                                					lstrcatW(_t185, L"\\Temp");
                                                					_t120 = E0040324C(_t153, _t219);
                                                					_t220 = _t120;
                                                					if(_t120 != 0) {
                                                						goto L31;
                                                					}
                                                					GetTempPathW(0x3fc, _t185);
                                                					lstrcatW(_t185, L"Low");
                                                					SetEnvironmentVariableW(L"TEMP", _t185);
                                                					SetEnvironmentVariableW(L"TMP", _t185);
                                                					_t125 = E0040324C(_t153, _t220);
                                                					_t221 = _t125;
                                                					if(_t125 == 0) {
                                                						goto L43;
                                                					}
                                                					goto L31;
                                                				} else {
                                                					goto L6;
                                                				}
                                                				do {
                                                					L6:
                                                					_t162 = 0x20;
                                                					if(_t63 != _t162) {
                                                						L8:
                                                						_t194 = _t162;
                                                						if( *_t153 == 0x22) {
                                                							_t153 = _t153 + 2;
                                                							_t194 = 0x22;
                                                						}
                                                						if( *_t153 != 0x2f) {
                                                							goto L22;
                                                						} else {
                                                							_t153 = _t153 + 2;
                                                							if( *_t153 == 0x53) {
                                                								_t145 =  *((intOrPtr*)(_t153 + 2));
                                                								if(_t145 == _t162 || _t145 == 0) {
                                                									 *0x7a8ae0 = 1;
                                                								}
                                                							}
                                                							asm("cdq");
                                                							asm("cdq");
                                                							_t167 = L"NCRC" & 0x0000ffff;
                                                							asm("cdq");
                                                							_t180 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t167;
                                                							if( *_t153 == (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t167) &&  *((intOrPtr*)(_t153 + 4)) == _t180) {
                                                								_t144 =  *((intOrPtr*)(_t153 + 8));
                                                								if(_t144 == 0x20 || _t144 == 0) {
                                                									_v736 = _v736 | 0x00000004;
                                                								}
                                                							}
                                                							asm("cdq");
                                                							asm("cdq");
                                                							_t162 = L" /D=" & 0x0000ffff;
                                                							asm("cdq");
                                                							_t183 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t162;
                                                							if( *(_t153 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t162) ||  *_t153 != _t183) {
                                                								goto L22;
                                                							} else {
                                                								 *(_t153 - 4) =  *(_t153 - 4) & 0x00000000;
                                                								__eflags = _t153;
                                                								E00406032(L"C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis", _t153);
                                                								L27:
                                                								_t191 = 0;
                                                								goto L28;
                                                							}
                                                						}
                                                					} else {
                                                						goto L7;
                                                					}
                                                					do {
                                                						L7:
                                                						_t153 = _t153 + 2;
                                                					} while ( *_t153 == _t162);
                                                					goto L8;
                                                					L22:
                                                					_t153 = E00405A13(_t153, _t194);
                                                					if( *_t153 == 0x22) {
                                                						_t153 = _t153 + 2;
                                                					}
                                                					_t63 =  *_t153;
                                                				} while (_t63 != 0);
                                                				goto L27;
                                                			}
                                                0x0040339a
                                                0x0040339a
                                                0x0040339f
                                                0x00000000
                                                0x004033a5
                                                0x004033a6
                                                0x004033ab
                                                0x004033ad
                                                0x004033b4
                                                0x004033bb
                                                0x004033bb
                                                0x004033b4
                                                0x004033cc
                                                0x004033df
                                                0x004033e0
                                                0x004033f5
                                                0x004033fa
                                                0x004033fe
                                                0x00403407
                                                0x0040340f
                                                0x00403416
                                                0x00403416
                                                0x0040340f
                                                0x00403422
                                                0x00403435
                                                0x00403436
                                                0x0040344b
                                                0x00403451
                                                0x00403455
                                                0x00000000
                                                0x0040347c
                                                0x0040347c
                                                0x00403481
                                                0x0040348a
                                                0x0040348f
                                                0x0040348f
                                                0x00000000
                                                0x0040348f
                                                0x00403455
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403387
                                                0x00403387
                                                0x00403388
                                                0x00403389
                                                0x00000000
                                                0x0040345d
                                                0x00403464
                                                0x0040346a
                                                0x0040346d
                                                0x0040346d
                                                0x0040346e
                                                0x00403471
                                                0x00000000

                                                APIs
                                                • SetErrorMode.KERNELBASE ref: 0040329F
                                                • GetVersion.KERNEL32 ref: 004032A5
                                                • #17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004032F5
                                                • OleInitialize.OLE32(00000000), ref: 004032FC
                                                • SHGetFileInfoW.SHELL32(0079FF00,00000000,?,000002B4,00000000), ref: 00403318
                                                • GetCommandLineW.KERNEL32(Ottomans Setup,NSIS Error), ref: 0040332D
                                                • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ,00000000), ref: 00403340
                                                • CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ,00000020), ref: 00403367
                                                  • Part of subcall function 00406408: GetModuleHandleA.KERNEL32(?,?,00000020,004032E9,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040641A
                                                  • Part of subcall function 00406408: GetProcAddress.KERNEL32(00000000,?), ref: 00406435
                                                • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034A2
                                                • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034B3
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034BF
                                                • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034D3
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034DB
                                                • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034EC
                                                • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034F4
                                                • DeleteFileW.KERNELBASE(1033), ref: 00403508
                                                  • Part of subcall function 00406032: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,0040332D,Ottomans Setup,NSIS Error), ref: 0040603F
                                                • OleUninitialize.OLE32(?), ref: 004035D3
                                                • ExitProcess.KERNEL32 ref: 004035F5
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403608
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403617
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403622
                                                • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ,00000000,?), ref: 0040362E
                                                • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040364A
                                                • DeleteFileW.KERNEL32(0079F700,0079F700,?,007A9000,?), ref: 004036A4
                                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe,0079F700,00000001), ref: 004036B8
                                                • CloseHandle.KERNEL32(00000000,0079F700,0079F700,?,0079F700,00000000), ref: 004036E5
                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403714
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 0040371B
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403730
                                                • AdjustTokenPrivileges.ADVAPI32 ref: 00403753
                                                • ExitWindowsEx.USER32(00000002,80040002), ref: 00403778
                                                • ExitProcess.KERNEL32 ref: 0040379B
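The call list above reads as a procedure: resolve and override the temp directory (GetTempPathW, then SetEnvironmentVariableW for TEMP and TMP), copy the running executable elsewhere (CopyFileW), and enable SeShutdownPrivilege before ExitWindowsEx. As an added example (not code from the report or from Joe Sandbox), here is a small Python parser for the report's own "• Api.MODULE(args), ref: ADDR" line format that turns those lines into records and flags exactly these patterns. The sample lines are copied from the list above and the sample path is the one named in the report; the function names (`parse_api_lines`, `triage`, `has_shutdown_chain`, `decode_ewx`) and the finding texts are this example's own, and the EWX_* / SHTDN_REASON_FLAG_PLANNED values are the winuser.h constants.

```python
"""Triage helper for the API call list of a Joe Sandbox function report.

Added example (not code from the report or from Joe Sandbox): parses lines in
the report's "• Api.MODULE(args), ref: ADDR" format and flags the call
patterns an analyst checks first in an NSIS installer stub.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One bullet per call, optionally prefixed with "Part of subcall function XXXX:".
LINE_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# ExitWindowsEx uFlags bits from winuser.h; EWX_LOGOFF is the zero value.
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
SHTDN_REASON_FLAG_PLANNED = 0x80000000


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int          # address of the call site
    subcall: bool     # True for "Part of subcall function" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report lines; headers and blank lines are skipped, not errors."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # Report argument values never contain commas, so a plain split is safe here.
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def decode_ewx(flags: int) -> List[str]:
    """Name the EWX_* bits set in an ExitWindowsEx uFlags value."""
    names = [name for bit, name in EWX_FLAGS.items() if flags & bit]
    return names or ["EWX_LOGOFF"]


def has_shutdown_chain(calls: List[ApiCall]) -> bool:
    """SeShutdownPrivilege looked up, token adjusted, ExitWindowsEx called, in that order."""
    stage = 0
    for c in calls:
        if stage == 0 and c.api == "LookupPrivilegeValueW" and "SeShutdownPrivilege" in c.args:
            stage = 1
        elif stage == 1 and c.api == "AdjustTokenPrivileges":
            stage = 2
        elif stage == 2 and c.api == "ExitWindowsEx":
            return True
    return False


def triage(calls: List[ApiCall], sample_path: Optional[str] = None) -> List[str]:
    """Return human-readable findings, each keyed by its call-site address."""
    findings = []
    for c in calls:
        if c.api == "SetEnvironmentVariableW" and len(c.args) >= 2 and c.args[0].upper() in ("TEMP", "TMP"):
            findings.append(f"{c.ref:08X}: overrides %{c.args[0]}% with {c.args[1]} for child processes")
        if c.api == "CopyFileW" and sample_path and c.args and c.args[0].lower() == sample_path.lower():
            findings.append(f"{c.ref:08X}: copies the sample itself to {c.args[1]}")
        if c.api == "ExitWindowsEx" and len(c.args) >= 2:
            flags, reason = int(c.args[0], 16), int(c.args[1], 16)
            planned = "planned" if reason & SHTDN_REASON_FLAG_PLANNED else "unplanned"
            findings.append(f"{c.ref:08X}: ExitWindowsEx {'|'.join(decode_ewx(flags))}, {planned} reason 0x{reason:08X}")
    if has_shutdown_chain(calls):
        findings.append("enables SeShutdownPrivilege before ExitWindowsEx (reboot capability)")
    return findings


# Constructed input: lines copied from the report's API list.
SAMPLE_PATH = r"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe"
SAMPLE = r"""
• SetErrorMode.KERNELBASE ref: 0040329F
• GetVersion.KERNEL32 ref: 004032A5
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034A2
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034EC
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034F4
  • Part of subcall function 00406408: GetProcAddress.KERNEL32(00000000,?), ref: 00406435
• CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe,0079F700,00000001), ref: 004036B8
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00403714
• OpenProcessToken.ADVAPI32(00000000), ref: 0040371B
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403730
• AdjustTokenPrivileges.ADVAPI32 ref: 00403753
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403778
"""

if __name__ == "__main__":
    for finding in triage(parse_api_lines(SAMPLE), SAMPLE_PATH):
        print(finding)
```

The findings are triage prompts, not verdicts: the strings "NSIS Error", "~nsu" and ".tmp" in the same function show this is the stock NSIS loader, whose temp-directory handling and self-copy are normal, and whose ExitWindowsEx(EWX_REBOOT) path is only taken when the installer script requests a reboot. What the parser buys you is a repeatable way to pull the same three questions out of any report of this shape before reading the decompilation.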
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
                                                • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Sekstal$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe$Error launching installer$Low$NSIS Error$Ottomans Setup$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
                                                • API String ID: 3586999533-3438020855
                                                • Opcode ID: 55e1c2b6fe71988611f999325c05d3c9627bfef59b93c94f4dc9f559726788cb
                                                • Instruction ID: 4150c076459d7de682cc7567c7be7d1922bd71d2f30956bacb70bd1bfbc75f2d
                                                • Opcode Fuzzy Hash: 55e1c2b6fe71988611f999325c05d3c9627bfef59b93c94f4dc9f559726788cb
                                                • Instruction Fuzzy Hash: A1D10770240310ABD710BF659D45B2B3AADEB81746F11843FF581B62D2DF7D8A418B6E
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%
                                                 Control-flow Graph
                                                 (node list rebuilt from the report's flattened graph text: node id, address range, the API and direct calls in that basic block, then its successor nodes; the executed / not-executed colouring of the original image is not recoverable from the text)
                                                 • 250: 4052d0-4052eb -> 251, 252
                                                 • 251: 4052f1-4053b8 [GetDlgItem * 3, call 40412b, call 404a2e, GetClientRect, GetSystemMetrics, SendMessageW * 2] -> 274, 275
                                                 • 252: 40547a-405481 -> 254, 255
                                                 • 254: 405483-4054a5 [GetDlgItem, CreateThread, FindCloseChangeNotification] -> 255
                                                 • 255: 4054ab-4054b8 -> 257, 258
                                                 • 257: 4054d6-4054e0 -> 259, 260
                                                 • 258: 4054ba-4054c0 -> 262, 263
                                                 • 259: 4054e2-4054e8 -> 264, 265
                                                 • 260: 405536-40553a -> 263, 268
                                                 • 262: 4054c2-4054d1 [ShowWindow * 2, call 40412b] -> 257
                                                 • 263: 4054fb-405504 [call 40415d] -> 271
                                                 • 264: 405510-405520 [ShowWindow] -> 272, 273
                                                 • 265: 4054ea-4054f6 [call 4040cf] -> 263
                                                 • 268: 40553c-405542 -> 263, 276
                                                 • 271: 405509-40550d (function exit, no successors)
                                                 • 272: 405530-405531 [call 4040cf] -> 260 (fall-through per the C code below)
                                                 • 273: 405522-40552b [call 405191] -> 272 (fall-through per the C code below)
                                                 • 274: 4053d6-4053d9 -> 279, 280
                                                 • 275: 4053ba-4053d4 [SendMessageW * 2] -> 274
                                                 • 276: 405544-405557 [SendMessageW] -> 281, 282
                                                 • 279: 4053e9-405400 [call 4040f6] -> 289, 290
                                                 • 280: 4053db-4053e7 [SendMessageW] -> 279
                                                 • 281: 405659-40565b -> 271
                                                 • 282: 40555d-405588 [CreatePopupMenu, call 406054, AppendMenuW] -> 287, 288
                                                 • 287: 40558a-40559a [GetWindowRect] -> 288
                                                 • 288: 40559d-4055b2 [TrackPopupMenu] -> 281, 291
                                                 • 289: 405402-405416 [ShowWindow] -> 292, 293
                                                 • 290: 405436-405457 [GetDlgItem, SendMessageW] -> 281, 294
                                                 • 291: 4055b8-4055cf -> 295
                                                 • 292: 405425 -> 296
                                                 • 293: 405418-405423 [ShowWindow] -> 296
                                                 • 294: 40545d-405475 [SendMessageW * 2] -> 281
                                                 • 295: 4055d4-4055ef [SendMessageW] -> 295 (loop), 297
                                                 • 296: 40542b-405431 [call 40412b] -> 290
                                                 • 297: 4055f1-405614 [OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock] -> 299
                                                 • 299: 405616-40563d [SendMessageW] -> 299 (loop), 300
                                                 • 300: 40563f-405653 [GlobalUnlock, SetClipboardData, CloseClipboard] -> 281
                                                C-Code - Quality: 96%
                                                 				// Decompiled NSIS installer dialog procedure for the details/progress page.
                                                 				// _a4 = hwndDlg, _a8 = uMsg, _a12 = wParam, _a16 = lParam.
                                                 				// 0x110 = WM_INITDIALOG, 0x111 = WM_COMMAND, 0x7b = WM_CONTEXTMENU,
                                                 				// 0x404 / 0x405 = WM_USER+4 / WM_USER+5 (NSIS-internal: install thread finished / start install thread).
                                                 				E004052D0(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                				struct HWND__* _v8;
                                                				long _v12;
                                                				struct tagRECT _v28;
                                                				void* _v36;
                                                				signed int _v40;
                                                				int _v44;
                                                				int _v48;
                                                				signed int _v52;
                                                				int _v56;
                                                				void* _v60;
                                                				void* _v68;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				struct HWND__* _t94;
                                                				long _t95;
                                                				int _t100;
                                                				int _t101;
                                                				long _t104;
                                                				void* _t108;
                                                				intOrPtr _t119;
                                                				void* _t127;
                                                				intOrPtr _t130;
                                                				struct HWND__* _t134;
                                                				int _t156;
                                                				int _t159;
                                                				struct HMENU__* _t164;
                                                				struct HWND__* _t168;
                                                				struct HWND__* _t169;
                                                				int _t171;
                                                				void* _t172;
                                                				short* _t173;
                                                				short* _t175;
                                                				int _t177;
                                                
                                                				_t169 =  *0x7a7a24; // 0x103d4
                                                				_t156 = 0;
                                                				_v8 = _t169;
                                                				if(_a8 != 0x110) {
                                                					__eflags = _a8 - 0x405;
                                                					if(_a8 == 0x405) {
                                                 						_t127 = CreateThread(0, 0, E00405264, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed; 0x3ec = IDC_PROGRESS, E00405264 is the worker thread that runs the install sections
                                                 						FindCloseChangeNotification(_t127); // executed; kernel32 exports FindCloseChangeNotification and CloseHandle at the same address, so the disassembler picked the wrong name: this is CloseHandle(hThread)
                                                					}
                                                					__eflags = _a8 - 0x111;
                                                					if(_a8 != 0x111) {
                                                						L17:
                                                						_t171 = 1;
                                                						__eflags = _a8 - 0x404;
                                                						if(_a8 != 0x404) {
                                                							L25:
                                                							__eflags = _a8 - 0x7b;
                                                							if(_a8 != 0x7b) {
                                                								goto L20;
                                                							}
                                                							_t94 = _v8;
                                                							__eflags = _a12 - _t94;
                                                							if(_a12 != _t94) {
                                                								goto L20;
                                                							}
                                                 							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156); // 0x1004 = LVM_GETITEMCOUNT: number of detail lines to copy
                                                							__eflags = _t95 - _t156;
                                                							_a8 = _t95;
                                                							if(_t95 <= _t156) {
                                                								L36:
                                                								return 0;
                                                							}
                                                 							_t164 = CreatePopupMenu(); // one-entry context menu on the details list view
                                                 							AppendMenuW(_t164, _t156, _t171, E00406054(_t156, _t164, _t171, _t156, 0xffffffe1)); // 0xffffffe1 is a negative NSIS language-string index: the "Copy Details To Clipboard" entry, item id 1
                                                							_t100 = _a16;
                                                							__eflags = _a16 - 0xffffffff;
                                                							_t159 = _a16 >> 0x10;
                                                							if(_a16 == 0xffffffff) {
                                                								GetWindowRect(_v8,  &_v28);
                                                								_t100 = _v28.left;
                                                								_t159 = _v28.top;
                                                							}
                                                 							_t101 = TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156); // 0x180 = TPM_NONOTIFY | TPM_RETURNCMD: returns the chosen item id instead of posting WM_COMMAND
                                                							__eflags = _t101 - _t171;
                                                							if(_t101 == _t171) {
                                                								_v60 = _t156;
                                                								_v48 = 0x7a1f40;
                                                								_v44 = 0x1fff;
                                                								_a4 = _a8;
                                                								do {
                                                									_a4 = _a4 - 1;
                                                 									_t104 = SendMessageW(_v8, 0x1073, _a4,  &_v68); // 0x1073 = LVM_GETITEMTEXTW; first pass only sums text lengths (+2 per line for CR/LF) to size the buffer
                                                									__eflags = _a4 - _t156;
                                                									_t171 = _t171 + _t104 + 2;
                                                								} while (_a4 != _t156);
                                                								OpenClipboard(_t156);
                                                								EmptyClipboard();
                                                 								_t108 = GlobalAlloc(0x42, _t171 + _t171); // 0x42 = GMEM_MOVEABLE | GMEM_ZEROINIT; byte count = UTF-16 characters * 2
                                                								_a4 = _t108;
                                                								_t172 = GlobalLock(_t108);
                                                								do {
                                                									_v48 = _t172;
                                                									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                                                 									 *_t173 = 0xd; // append CR
                                                 									_t175 = _t173 + 2;
                                                 									 *_t175 = 0xa; // and LF after every list line
                                                									_t172 = _t175 + 2;
                                                									_t156 = _t156 + 1;
                                                									__eflags = _t156 - _a8;
                                                								} while (_t156 < _a8);
                                                								GlobalUnlock(_a4);
                                                 								SetClipboardData(0xd, _a4); // 0xd = CF_UNICODETEXT; the clipboard now owns the global block
                                                								CloseClipboard();
                                                							}
                                                							goto L36;
                                                						}
                                                						__eflags =  *0x7a7a0c - _t156; // 0x0
                                                						if(__eflags == 0) {
                                                							ShowWindow( *0x7a8a48, 8);
                                                							__eflags =  *0x7a8acc - _t156;
                                                							if( *0x7a8acc == _t156) {
                                                								_t119 =  *0x7a0f18; // 0xa3657c
                                                								E00405191( *((intOrPtr*)(_t119 + 0x34)), _t156);
                                                							}
                                                							E004040CF(_t171);
                                                							goto L25;
                                                						}
                                                						 *0x7a0710 = 2;
                                                						E004040CF(0x78);
                                                						goto L20;
                                                					} else {
                                                						__eflags = _a12 - 0x403;
                                                						if(_a12 != 0x403) {
                                                							L20:
                                                							return E0040415D(_a8, _a12, _a16);
                                                						}
                                                						ShowWindow( *0x7a7a10, _t156);
                                                						ShowWindow(_t169, 8);
                                                						E0040412B(_t169);
                                                						goto L17;
                                                					}
                                                				}
                                                				_v52 = _v52 | 0xffffffff;
                                                				_v40 = _v40 | 0xffffffff;
                                                				_t177 = 2;
                                                				_v60 = _t177;
                                                				_v56 = 0;
                                                				_v48 = 0;
                                                				_v44 = 0;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				_t130 =  *0x7a8a50;
                                                				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                                                				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                                                 				 *0x7a7a10 = GetDlgItem(_a4, 0x403); // 0x403 = IDC_SHOWDETAILS button
                                                 				 *0x7a7a08 = GetDlgItem(_a4, 0x3ee); // 0x3ee = IDC_INTROTEXT
                                                 				_t134 = GetDlgItem(_a4, 0x3f8); // 0x3f8 = IDC_LIST1, the details list view
                                                				 *0x7a7a24 = _t134;
                                                				_v8 = _t134;
                                                				E0040412B( *0x7a7a10);
                                                				 *0x7a7a14 = E00404A2E(4);
                                                				 *0x7a7a2c = 0;
                                                				GetClientRect(_v8,  &_v28);
                                                 				_v52 = _v28.right - GetSystemMetrics(_t177); // column width = client width minus SM_CXVSCROLL (2)
                                                 				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed; 0x1061 = LVM_INSERTCOLUMNW
                                                 				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed; 0x1036 = LVM_SETEXTENDEDLISTVIEWSTYLE, 0x4000 = LVS_EX_LABELTIP
                                                 				if(_a8 >= 0) { // list view colours come from the installer's config block (_t130 + 0x5c / + 0x60); -1 keeps the defaults
                                                 					SendMessageW(_v8, 0x1001, 0, _a8); // 0x1001 = LVM_SETBKCOLOR
                                                 					SendMessageW(_v8, 0x1026, 0, _a8); // 0x1026 = LVM_SETTEXTBKCOLOR
                                                 				}
                                                 				if(_a12 >= _t156) {
                                                 					SendMessageW(_v8, 0x1024, _t156, _a12); // 0x1024 = LVM_SETTEXTCOLOR
                                                 				}
                                                				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                				_push(0x1b);
                                                				E004040F6(_a4);
                                                				if(( *0x7a8a58 & 0x00000003) != 0) {
                                                					ShowWindow( *0x7a7a10, _t156); // executed
                                                					if(( *0x7a8a58 & 0x00000002) != 0) {
                                                						 *0x7a7a10 = _t156;
                                                					} else {
                                                						ShowWindow(_v8, 8);
                                                					}
                                                					E0040412B( *0x7a7a08);
                                                				}
                                                 				_t168 = GetDlgItem(_a4, 0x3ec); // 0x3ec = IDC_PROGRESS
                                                 				SendMessageW(_t168, 0x401, _t156, 0x75300000); // 0x401 = PBM_SETRANGE, 0x75300000 = MAKELPARAM(0, 30000)
                                                 				if(( *0x7a8a58 & 0x00000004) != 0) {
                                                 					SendMessageW(_t168, 0x409, _t156, _a12); // 0x409 = PBM_SETBARCOLOR
                                                 					SendMessageW(_t168, 0x2001, _t156, _a8); // 0x2001 = PBM_SETBKCOLOR (CCM_SETBKCOLOR)
                                                 				}
                                                				goto L36;
                                                			}
                                                Instruction addresses (the per-line address column of the decompiled listing above; extraction separated it from the code, 0x00000000 marks lines with no address):
                                                0x004052d8 0x004052de 0x004052e8 0x004052eb 0x0040547a 0x00405481 0x0040549e 0x004054a5 0x004054a5 0x004054ab 0x004054b8 0x004054d6
                                                0x004054d8 0x004054d9 0x004054e0 0x00405536 0x00405536 0x0040553a 0x00000000 0x00000000 0x0040553c 0x0040553f 0x00405542 0x00000000
                                                0x00000000 0x0040554c 0x00405552 0x00405554 0x00405557 0x00405659 0x00000000 0x00405659 0x00405566 0x00405571 0x0040557a 0x00405581
                                                0x00405585 0x00405588 0x00405591 0x00405597 0x0040559a 0x0040559a 0x004055aa 0x004055b0 0x004055b2 0x004055bb 0x004055be 0x004055c5
                                                0x004055cc 0x004055d4 0x004055d4 0x004055e2 0x004055e8 0x004055eb 0x004055eb 0x004055f2 0x004055f8 0x00405604 0x0040560b 0x00405614
                                                0x00405616 0x00405619 0x00405628 0x0040562b 0x00405631 0x00405632 0x00405638 0x00405639 0x0040563a 0x0040563a 0x00405642 0x0040564d
                                                0x00405653 0x00405653 0x00000000 0x004055b2 0x004054e2 0x004054e8 0x00405518 0x0040551a 0x00405520 0x00405522 0x0040552b 0x0040552b
                                                0x00405531 0x00000000 0x00405531 0x004054ec 0x004054f6 0x00000000 0x004054ba 0x004054ba 0x004054c0 0x004054fb 0x00000000 0x00405504
                                                0x004054c9 0x004054ce 0x004054d1 0x00000000 0x004054d1 0x004054b8 0x004052f1 0x004052f5 0x004052fd 0x00405301 0x00405304 0x00405307
                                                0x0040530a 0x0040530d 0x0040530e 0x0040530f 0x00405328 0x0040532b 0x00405335 0x00405344 0x0040534c 0x00405354 0x00405359 0x0040535c
                                                0x00405368 0x00405371 0x0040537a 0x0040539c 0x004053a2 0x004053b3 0x004053b8 0x004053c6 0x004053d4 0x004053d4 0x004053d9 0x004053e7
                                                0x004053e7 0x004053ec 0x004053ef 0x004053f4 0x00405400 0x00405409 0x00405416 0x00405425 0x00405418 0x0040541d 0x0040541d 0x00405431
                                                0x00405431 0x00405445 0x0040544e 0x00405457 0x00405467 0x00405473 0x00405473 0x00000000

                                                APIs
                                                • GetDlgItem.USER32 ref: 0040532E
                                                • GetDlgItem.USER32 ref: 0040533D
                                                • GetClientRect.USER32 ref: 0040537A
                                                • GetSystemMetrics.USER32 ref: 00405381
                                                • SendMessageW.USER32(?,00001061,00000000,?), ref: 004053A2
                                                • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B3
                                                • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C6
                                                • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D4
                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 004053E7
                                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405409
                                                • ShowWindow.USER32(?,00000008), ref: 0040541D
                                                • GetDlgItem.USER32 ref: 0040543E
                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040544E
                                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405467
                                                • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405473
                                                • GetDlgItem.USER32 ref: 0040534C
                                                  • Part of subcall function 0040412B: SendMessageW.USER32(00000028,?,00000001,00403F57), ref: 00404139
                                                • GetDlgItem.USER32 ref: 00405490
                                                • CreateThread.KERNELBASE ref: 0040549E
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004054A5
                                                • ShowWindow.USER32(00000000), ref: 004054C9
                                                • ShowWindow.USER32(000103D4,00000008), ref: 004054CE
                                                • ShowWindow.USER32(00000008), ref: 00405518
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554C
                                                • CreatePopupMenu.USER32 ref: 0040555D
                                                • AppendMenuW.USER32 ref: 00405571
                                                • GetWindowRect.USER32 ref: 00405591
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AA
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E2
                                                • OpenClipboard.USER32(00000000), ref: 004055F2
                                                • EmptyClipboard.USER32 ref: 004055F8
                                                • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405604
                                                • GlobalLock.KERNEL32 ref: 0040560E
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405622
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00405642
                                                • SetClipboardData.USER32 ref: 0040564D
                                                • CloseClipboard.USER32 ref: 00405653
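The API list above is easier to read once the raw SendMessageW message IDs are resolved to their commctrl.h names: 0x1061 is LVM_INSERTCOLUMNW, 0x1036 LVM_SETEXTENDEDLISTVIEWSTYLE, 0x1004 LVM_GETITEMCOUNT and 0x1073 LVM_GETITEMTEXTW, so the function builds a list-view control and, in the OpenClipboard / EmptyClipboard / GlobalAlloc / GlobalLock / LVM_GETITEMTEXTW / GlobalUnlock / SetClipboardData / CloseClipboard tail, copies the list-view text onto the clipboard. That tail writes to the clipboard (SetClipboardData); there is no GetClipboardData in this function, which matters when a generic "clipboard access" signature is being triaged. The script below is an added example, not part of the Joe Sandbox report: it parses report lines in the format shown above, decodes the message constants, and classifies the clipboard direction. The sample lines are copied from the list above; the message table covers only the IDs that occur here.

```python
"""Decode the 'APIs' block of a Joe Sandbox decompiled-function listing.

Added example (not report or vendor code). Parses lines of the form
"• Api.MODULE(arg,arg), ref: ADDR" / "• Api.MODULE ref: ADDR", resolves
SendMessageW message IDs to their symbolic names, and reports whether the
clipboard is written to or read from.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Message constants from commctrl.h / winuser.h for the IDs that occur in this trace.
LVM_FIRST, WM_USER, CCM_FIRST = 0x1000, 0x0400, 0x2000
MSG_NAMES = {
    LVM_FIRST + 1:   "LVM_SETBKCOLOR",
    LVM_FIRST + 4:   "LVM_GETITEMCOUNT",
    LVM_FIRST + 36:  "LVM_SETTEXTCOLOR",
    LVM_FIRST + 38:  "LVM_SETTEXTBKCOLOR",
    LVM_FIRST + 54:  "LVM_SETEXTENDEDLISTVIEWSTYLE",
    LVM_FIRST + 97:  "LVM_INSERTCOLUMNW",
    LVM_FIRST + 115: "LVM_GETITEMTEXTW",
    WM_USER + 1:     "PBM_SETRANGE",
    WM_USER + 9:     "PBM_SETBARCOLOR",
    CCM_FIRST + 1:   "CCM_SETBKCOLOR",
}

# One report line, with or without an argument list.
LINE_RE = re.compile(r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s+ref:\s*([0-9A-Fa-f]{8})")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # raw hex strings; '?' where the decompiler could not resolve the value
    ref: int     # call-site address

    def message_name(self) -> Optional[str]:
        """For SendMessageW, decode argument 2 (uMsg) to its symbolic name."""
        if self.api != "SendMessageW" or len(self.args) < 2 or self.args[1] == "?":
            return None
        msg = int(self.args[1], 16)
        return MSG_NAMES.get(msg, f"0x{msg:04x}")


def parse_api_block(text: str) -> list:
    """Turn the report's API list into ApiCall records, in trace order."""
    calls = []
    for api, module, args, ref in LINE_RE.findall(text):
        calls.append(ApiCall(api, module, args.split(",") if args else [], int(ref, 16)))
    return calls


def clipboard_direction(calls) -> str:
    """'write' when the function puts data on the clipboard, 'read' when it takes data off.
    A signature that fires on any clipboard API cannot tell these apart; the call list can."""
    names = {c.api for c in calls}
    if "GetClipboardData" in names:
        return "read"
    if "SetClipboardData" in names and "OpenClipboard" in names:
        return "write"
    return "none"


def annotate(calls) -> list:
    """Readable trace: call-site address, API, and decoded message name where applicable."""
    out = []
    for c in calls:
        name = c.message_name()
        out.append(f"{c.ref:08X} {c.api}" + (f" {name}" if name else ""))
    return out


# Constructed input: a subset of the report's API lines for this function.
SAMPLE = """\
• GetDlgItem.USER32 ref: 0040532E
• SendMessageW.USER32(?,00001061,00000000,?), ref: 004053A2
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B3
• CreateThread.KERNELBASE ref: 0040549E
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554C
• OpenClipboard.USER32(00000000), ref: 004055F2
• EmptyClipboard.USER32 ref: 004055F8
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405604
• GlobalLock.KERNEL32 ref: 0040560E
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405622
• GlobalUnlock.KERNEL32(00000000), ref: 00405642
• SetClipboardData.USER32 ref: 0040564D
• CloseClipboard.USER32 ref: 00405653
"""

if __name__ == "__main__":
    parsed = parse_api_block(SAMPLE)
    print("\n".join(annotate(parsed)))
    print("clipboard:", clipboard_direction(parsed))
```

GlobalAlloc's first argument, 0x42, is GMEM_MOVEABLE | GMEM_ZEROINIT, the combination SetClipboardData expects for a movable handle, which is a further sign that this is an ordinary copy-to-clipboard routine rather than anything reading user data.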
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                • String ID: {
                                                • API String ID: 4154960007-366298937
                                                • Opcode ID: 0f8705b072d52cd725f611a43b3dd691b97b3b0e52058a32ec52f25ce34b23e5
                                                • Instruction ID: d666eaf08a066d9579ddfae71cfc5fc92f0d71f62ebd549160e6baeed9b36ff9
                                                • Opcode Fuzzy Hash: 0f8705b072d52cd725f611a43b3dd691b97b3b0e52058a32ec52f25ce34b23e5
                                                • Instruction Fuzzy Hash: A3B16A71900608FFDF11AF64DD89EAE3B79FB48355F00842AFA41BA1A0CB784A51DF58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E10001B18() {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				WCHAR* _v24;
                                                				WCHAR* _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				WCHAR* _v44;
                                                				signed int _v48;
                                                				void* _v52;
                                                				intOrPtr _v56;
                                                				WCHAR* _t199;
                                                				signed int _t202;
                                                				void* _t204;
                                                				void* _t206;
                                                				WCHAR* _t208;
                                                				void* _t216;
                                                				struct HINSTANCE__* _t217;
                                                				struct HINSTANCE__* _t218;
                                                				struct HINSTANCE__* _t220;
                                                				signed short _t222;
                                                				struct HINSTANCE__* _t225;
                                                				struct HINSTANCE__* _t227;
                                                				void* _t228;
                                                				intOrPtr* _t229;
                                                				void* _t240;
                                                				signed char _t241;
                                                				signed int _t242;
                                                				void* _t246;
                                                				struct HINSTANCE__* _t248;
                                                				void* _t249;
                                                				signed int _t251;
                                                				short* _t253;
                                                				signed int _t259;
                                                				void* _t260;
                                                				signed int _t263;
                                                				signed int _t266;
                                                				signed int _t267;
                                                				signed int _t272;
                                                				signed int _t273;
                                                				signed int _t274;
                                                				signed int _t275;
                                                				void* _t278;
                                                				void* _t282;
                                                				struct HINSTANCE__* _t284;
                                                				signed int _t287;
                                                				void _t288;
                                                				signed int _t289;
                                                				signed int _t301;
                                                				signed int _t302;
                                                				signed short _t308;
                                                				signed int _t309;
                                                				WCHAR* _t310;
                                                				WCHAR* _t312;
                                                				WCHAR* _t313;
                                                				struct HINSTANCE__* _t314;
                                                				void* _t316;
                                                				signed int _t318;
                                                				void* _t319;
                                                
                                                				_t284 = 0;
                                                				_v32 = 0;
                                                				_v36 = 0;
                                                				_v16 = 0;
                                                				_v8 = 0;
                                                				_v40 = 0;
                                                				_t319 = 0;
                                                				_v48 = 0;
                                                				_t199 = E1000121B();
                                                				_v24 = _t199;
                                                				_v28 = _t199;
                                                				_v44 = E1000121B();
                                                				_t309 = E10001243();
                                                				_v52 = _t309;
                                                				_v12 = _t309;
                                                				while(1) {
                                                					_t202 = _v32;
                                                					_v56 = _t202;
                                                					if(_t202 != _t284 && _t319 == _t284) {
                                                						break;
                                                					}
                                                					_t308 =  *_t309; // current UTF-16 code unit of the string being tokenized (_t309 walks it 2 bytes at a time)
                                                					_t287 = _t308 & 0x0000ffff;
                                                					_t204 = _t287 - _t284;
                                                					if(_t204 == 0) {
                                                						_t33 =  &_v32;
                                                						 *_t33 = _v32 | 0xffffffff;
                                                						__eflags =  *_t33;
                                                						L17:
                                                						_t206 = _v56 - _t284;
                                                						if(_t206 == 0) {
                                                							__eflags = _t319 - _t284;
                                                							 *_v28 = _t284;
                                                							if(_t319 == _t284) {
                                                								_t246 = GlobalAlloc(0x40, 0x1ca4); // executed; 0x40 = GMEM_ZEROINIT, one 0x1ca4-byte record
                                                								_t319 = _t246;
                                                								 *(_t319 + 0x1010) = _t284;
                                                								 *(_t319 + 0x1014) = _t284;
                                                							}
                                                							_t288 = _v36;
                                                							_t43 = _t319 + 8; // 0x8: first WCHAR field of the record (0x800 bytes up to the next field)
                                                							_t208 = _t43;
                                                							_t44 = _t319 + 0x808; // 0x808: second WCHAR field of the record
                                                							_t310 = _t44;
                                                							 *_t319 = _t288;
                                                							_t289 = _t288 - _t284;
                                                							__eflags = _t289;
                                                							 *_t208 = _t284;
                                                							 *_t310 = _t284;
                                                							 *(_t319 + 0x1008) = _t284;
                                                							 *(_t319 + 0x100c) = _t284;
                                                							 *(_t319 + 4) = _t284;
                                                							if(_t289 == 0) {
                                                								__eflags = _v28 - _v24;
                                                								if(_v28 == _v24) {
                                                									goto L39;
                                                								}
                                                								_t316 = 0;
                                                								GlobalFree(_t319);
                                                								_t319 = E10001311(_v24);
                                                								__eflags = _t319 - _t284;
                                                								if(_t319 == _t284) {
                                                									goto L39;
                                                								} else {
                                                									goto L32;
                                                								}
                                                								while(1) {
                                                									L32:
                                                									_t240 =  *(_t319 + 0x1ca0);
                                                									__eflags = _t240 - _t284;
                                                									if(_t240 == _t284) {
                                                										break;
                                                									}
                                                									_t316 = _t319;
                                                									_t319 = _t240;
                                                									__eflags = _t319 - _t284;
                                                									if(_t319 != _t284) {
                                                										continue;
                                                									}
                                                									break;
                                                								}
                                                								__eflags = _t316 - _t284;
                                                								if(_t316 != _t284) {
                                                									 *(_t316 + 0x1ca0) = _t284;
                                                								}
                                                								_t241 =  *(_t319 + 0x1010);
                                                								__eflags = _t241 & 0x00000008;
                                                								if((_t241 & 0x00000008) == 0) {
                                                									_t242 = _t241 | 0x00000002;
                                                									__eflags = _t242;
                                                									 *(_t319 + 0x1010) = _t242;
                                                								} else {
                                                									_t319 = E1000158F(_t319);
                                                									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) & 0xfffffff5;
                                                								}
                                                								goto L39;
                                                							} else {
                                                								_t301 = _t289 - 1;
                                                								__eflags = _t301;
                                                								if(_t301 == 0) {
                                                									L28:
                                                									lstrcpyW(_t208, _v44); // copies until NUL; no length check against the 0x800-byte field at +8
                                                									L29:
                                                									lstrcpyW(_t310, _v24); // same, into the field at +0x808
                                                									L39:
                                                									_v12 = _v12 + 2;
                                                									_v28 = _v24;
                                                									L63:
                                                									if(_v32 != 0xffffffff) {
                                                										_t309 = _v12;
                                                										continue;
                                                									}
                                                									break;
                                                								}
                                                								_t302 = _t301 - 1;
                                                								__eflags = _t302;
                                                								if(_t302 == 0) {
                                                									goto L29;
                                                								}
                                                								__eflags = _t302 != 1;
                                                								if(_t302 != 1) {
                                                									goto L39;
                                                								}
                                                								goto L28;
                                                							}
                                                						}
                                                						if(_t206 != 1) {
                                                							goto L39;
                                                						}
                                                						_t248 = _v16;
                                                						if(_v40 == _t284) {
                                                							_t248 = _t248 - 1;
                                                						}
                                                						 *(_t319 + 0x1014) = _t248;
                                                						goto L39;
                                                					}
                                                					_t249 = _t204 - 0x23; // 0x23 = '#'
                                                					if(_t249 == 0) {
                                                						__eflags = _t309 - _v52;
                                                						if(_t309 <= _v52) {
                                                							L15:
                                                							_v32 = _t284;
                                                							_v36 = _t284;
                                                							goto L17;
                                                						}
                                                						__eflags =  *((short*)(_t309 - 2)) - 0x3a; // previous code unit == ':' (0x3a)?
                                                						if( *((short*)(_t309 - 2)) != 0x3a) {
                                                							goto L15;
                                                						}
                                                						__eflags = _v32 - _t284;
                                                						if(_v32 == _t284) {
                                                							L40:
                                                							_t251 = _v32 - _t284;
                                                							__eflags = _t251;
                                                							if(_t251 == 0) {
                                                								__eflags = _t287 - 0x2a; // 0x2a = '*'
                                                								if(_t287 == 0x2a) {
                                                									_v36 = 2;
                                                									L61:
                                                									_t309 = _v12;
                                                									_v28 = _v24;
                                                									_t284 = 0;
                                                									__eflags = 0;
                                                									L62:
                                                									_t318 = _t309 + 2;
                                                									__eflags = _t318;
                                                									_v12 = _t318;
                                                									goto L63;
                                                								}
                                                								__eflags = _t287 - 0x2d; // 0x2d = '-'
                                                								if(_t287 == 0x2d) {
                                                									L131:
                                                									__eflags = _t308 - 0x2d;
                                                									if(_t308 != 0x2d) {
                                                										L134:
                                                										_t253 = _t309 + 2;
                                                										__eflags =  *_t253 - 0x3a; // next code unit == ':' (0x3a)?
                                                										if( *_t253 != 0x3a) {
                                                											L141:
                                                											_v28 =  &(_v28[0]);
                                                											 *_v28 = _t308;
                                                											goto L62;
                                                										}
                                                										__eflags = _t308 - 0x2d;
                                                										if(_t308 == 0x2d) {
                                                											goto L141;
                                                										}
                                                										_v36 = 1;
                                                										L137:
                                                										_v12 = _t253;
                                                										__eflags = _v28 - _v24;
                                                										if(_v28 <= _v24) {
                                                											 *_v44 = _t284;
                                                										} else {
                                                											 *_v28 = _t284;
                                                											lstrcpyW(_v44, _v24);
                                                										}
                                                										goto L61;
                                                									}
                                                									_t253 = _t309 + 2;
                                                									__eflags =  *_t253 - 0x3e;
                                                									if( *_t253 != 0x3e) {
                                                										goto L134;
                                                									}
                                                									_v36 = 3;
                                                									goto L137;
                                                								}
                                                								__eflags = _t287 - 0x3a;
                                                								if(_t287 != 0x3a) {
                                                									goto L141;
                                                								}
                                                								goto L131;
                                                							}
                                                							_t259 = _t251 - 1;
                                                							__eflags = _t259;
                                                							if(_t259 == 0) {
                                                								L74:
                                                								_t260 = _t287 - 0x22;
                                                								__eflags = _t260 - 0x55;
                                                								if(_t260 > 0x55) {
                                                									goto L61;
                                                								}
                                                								switch( *((intOrPtr*)(( *(_t260 + 0x10002230) & 0x000000ff) * 4 +  &M100021CC))) {
                                                									case 0:
                                                										__ecx = _v24;
                                                										__edi = _v12;
                                                										while(1) {
                                                											__edi = __edi + 1;
                                                											__edi = __edi + 1;
                                                											_v12 = __edi;
                                                											__ax =  *__edi;
                                                											__eflags = __ax - __dx;
                                                											if(__ax != __dx) {
                                                												goto L116;
                                                											}
                                                											L115:
                                                											__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
                                                											if( *((intOrPtr*)(__edi + 2)) != __dx) {
                                                												L120:
                                                												 *__ecx =  *__ecx & 0x00000000;
                                                												__ebx = E1000122C(_v24);
                                                												goto L91;
                                                											}
                                                											L116:
                                                											__eflags = __ax;
                                                											if(__ax == 0) {
                                                												goto L120;
                                                											}
                                                											__eflags = __ax - __dx;
                                                											if(__ax == __dx) {
                                                												__edi = __edi + 1;
                                                												__edi = __edi + 1;
                                                												__eflags = __edi;
                                                											}
                                                											__ax =  *__edi;
                                                											 *__ecx =  *__edi;
                                                											__ecx = __ecx + 1;
                                                											__ecx = __ecx + 1;
                                                											__edi = __edi + 1;
                                                											__edi = __edi + 1;
                                                											_v12 = __edi;
                                                											__ax =  *__edi;
                                                											__eflags = __ax - __dx;
                                                											if(__ax != __dx) {
                                                												goto L116;
                                                											}
                                                											goto L115;
                                                										}
                                                									case 1:
                                                										_v8 = 1;
                                                										goto L61;
                                                									case 2:
                                                										_v8 = _v8 | 0xffffffff;
                                                										goto L61;
                                                									case 3:
                                                										_v8 = _v8 & 0x00000000;
                                                										_v20 = _v20 & 0x00000000;
                                                										_v16 = _v16 + 1;
                                                										goto L79;
                                                									case 4:
                                                										__eflags = _v20;
                                                										if(_v20 != 0) {
                                                											goto L61;
                                                										}
                                                										_v12 = _v12 - 2;
                                                										__ebx = E1000121B();
                                                										 &_v12 = E10001A9F( &_v12);
                                                										__eax = E10001470(__edx, __eax, __edx, __ebx);
                                                										goto L91;
                                                									case 5:
                                                										L99:
                                                										_v20 = _v20 + 1;
                                                										goto L61;
                                                									case 6:
                                                										_push(7);
                                                										goto L107;
                                                									case 7:
                                                										_push(0x19);
                                                										goto L127;
                                                									case 8:
                                                										_push(0x15);
                                                										goto L127;
                                                									case 9:
                                                										_push(0x16);
                                                										goto L127;
                                                									case 0xa:
                                                										_push(0x18);
                                                										goto L127;
                                                									case 0xb:
                                                										_push(5);
                                                										goto L107;
                                                									case 0xc:
                                                										__eax = 0;
                                                										__eax = 1;
                                                										goto L85;
                                                									case 0xd:
                                                										_push(6);
                                                										goto L107;
                                                									case 0xe:
                                                										_push(2);
                                                										goto L107;
                                                									case 0xf:
                                                										_push(3);
                                                										goto L107;
                                                									case 0x10:
                                                										_push(0x17);
                                                										L127:
                                                										_pop(__ebx);
                                                										goto L92;
                                                									case 0x11:
                                                										__eax =  &_v12;
                                                										__eax = E10001A9F( &_v12);
                                                										__ebx = __eax;
                                                										__ebx = __eax + 1;
                                                										__eflags = __ebx - 0xb;
                                                										if(__ebx < 0xb) {
                                                											__ebx = __ebx + 0xa;
                                                										}
                                                										goto L91;
                                                									case 0x12:
                                                										__ebx = 0xffffffff;
                                                										goto L92;
                                                									case 0x13:
                                                										_v48 = _v48 + 1;
                                                										_push(4);
                                                										_pop(__eax);
                                                										goto L85;
                                                									case 0x14:
                                                										__eax = 0;
                                                										__eflags = 0;
                                                										goto L85;
                                                									case 0x15:
                                                										_push(4);
                                                										L107:
                                                										_pop(__eax);
                                                										L85:
                                                										__edi = _v16;
                                                										__ecx =  *(0x1000305c + __eax * 4);
                                                										__edi = _v16 << 5;
                                                										__edx = 0;
                                                										__edi = (_v16 << 5) + __esi;
                                                										__edx = 1;
                                                										__eflags = _v8 - 0xffffffff;
                                                										_v40 = 1;
                                                										 *(__edi + 0x1018) = __eax;
                                                										if(_v8 == 0xffffffff) {
                                                											L87:
                                                											__ecx = __edx;
                                                											L88:
                                                											__eflags = _v8 - __edx;
                                                											 *(__edi + 0x1028) = __ecx;
                                                											if(_v8 == __edx) {
                                                												__eax =  &_v12;
                                                												__eax = E10001A9F( &_v12);
                                                												__eax = __eax + 1;
                                                												__eflags = __eax;
                                                												_v8 = __eax;
                                                											}
                                                											__eax = _v8;
                                                											 *((intOrPtr*)(__edi + 0x101c)) = _v8;
                                                											_t133 = _v16 + 0x81; // 0x81
                                                											_t133 = _t133 << 5;
                                                											__eax = 0;
                                                											__eflags = 0;
                                                											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
                                                											 *((intOrPtr*)(__edi + 0x1030)) = 0;
                                                											 *((intOrPtr*)(__edi + 0x102c)) = 0;
                                                											goto L91;
                                                										}
                                                										__eflags = __ecx;
                                                										if(__ecx > 0) {
                                                											goto L88;
                                                										}
                                                										goto L87;
                                                									case 0x16:
                                                										_t262 =  *(_t319 + 0x1014);
                                                										__eflags = _t262 - _v16;
                                                										if(_t262 > _v16) {
                                                											_v16 = _t262;
                                                										}
                                                										_v8 = _v8 & 0x00000000;
                                                										_v20 = _v20 & 0x00000000;
                                                										_v36 - 3 = _t262 - (_v36 == 3);
                                                										if(_t262 != _v36 == 3) {
                                                											L79:
                                                											_v40 = 1;
                                                										}
                                                										goto L61;
                                                									case 0x17:
                                                										__eax =  &_v12;
                                                										__eax = E10001A9F( &_v12);
                                                										__ebx = __eax;
                                                										__ebx = __eax + 1;
                                                										L91:
                                                										__eflags = __ebx;
                                                										if(__ebx == 0) {
                                                											goto L61;
                                                										}
                                                										L92:
                                                										__eflags = _v20;
                                                										_v40 = 1;
                                                										if(_v20 != 0) {
                                                											L97:
                                                											__eflags = _v20 - 1;
                                                											if(_v20 == 1) {
                                                												__eax = _v16;
                                                												__eax = _v16 << 5;
                                                												__eflags = __eax;
                                                												 *(__eax + __esi + 0x102c) = __ebx;
                                                											}
                                                											goto L99;
                                                										}
                                                										_v16 = _v16 << 5;
                                                										_t141 = __esi + 0x1030; // 0x1030
                                                										__edi = (_v16 << 5) + _t141;
                                                										__eax =  *__edi;
                                                										__eflags = __eax - 0xffffffff;
                                                										if(__eax <= 0xffffffff) {
                                                											L95:
                                                											__eax = GlobalFree(__eax);
                                                											L96:
                                                											 *__edi = __ebx;
                                                											goto L97;
                                                										}
                                                										__eflags = __eax - 0x19;
                                                										if(__eax <= 0x19) {
                                                											goto L96;
                                                										}
                                                										goto L95;
                                                									case 0x18:
                                                										goto L61;
                                                								}
                                                							}
                                                							_t263 = _t259 - 1;
                                                							__eflags = _t263;
                                                							if(_t263 == 0) {
                                                								_v16 = _t284;
                                                								goto L74;
                                                							}
                                                							__eflags = _t263 != 1;
                                                							if(_t263 != 1) {
                                                								goto L141;
                                                							}
                                                							_t266 = _t287 - 0x21;
                                                							__eflags = _t266;
                                                							if(_t266 == 0) {
                                                								_v8 =  ~_v8;
                                                								goto L61;
                                                							}
                                                							_t267 = _t266 - 0x42;
                                                							__eflags = _t267;
                                                							if(_t267 == 0) {
                                                								L57:
                                                								__eflags = _v8 - 1;
                                                								if(_v8 != 1) {
                                                									_t92 = _t319 + 0x1010;
                                                									 *_t92 =  *(_t319 + 0x1010) &  !0x00000001;
                                                									__eflags =  *_t92;
                                                								} else {
                                                									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) | 1;
                                                								}
                                                								_v8 = 1;
                                                								goto L61;
                                                							}
                                                							_t272 = _t267;
                                                							__eflags = _t272;
                                                							if(_t272 == 0) {
                                                								_push(0x20);
                                                								L56:
                                                								_pop(1);
                                                								goto L57;
                                                							}
                                                							_t273 = _t272 - 9;
                                                							__eflags = _t273;
                                                							if(_t273 == 0) {
                                                								_push(8);
                                                								goto L56;
                                                							}
                                                							_t274 = _t273 - 4;
                                                							__eflags = _t274;
                                                							if(_t274 == 0) {
                                                								_push(4);
                                                								goto L56;
                                                							}
                                                							_t275 = _t274 - 1;
                                                							__eflags = _t275;
                                                							if(_t275 == 0) {
                                                								_push(0x10);
                                                								goto L56;
                                                							}
                                                							__eflags = _t275 != 0;
                                                							if(_t275 != 0) {
                                                								goto L61;
                                                							}
                                                							_push(0x40);
                                                							goto L56;
                                                						}
                                                						goto L15;
                                                					}
                                                					_t278 = _t249 - 5;
                                                					if(_t278 == 0) {
                                                						__eflags = _v36 - 3;
                                                						_v32 = 1;
                                                						_v8 = _t284;
                                                						_v20 = _t284;
                                                						_v16 = (0 | _v36 == 0x00000003) + 1;
                                                						_v40 = _t284;
                                                						goto L17;
                                                					}
                                                					_t282 = _t278 - 1;
                                                					if(_t282 == 0) {
                                                						_v32 = 2;
                                                						_v8 = _t284;
                                                						_v20 = _t284;
                                                						goto L17;
                                                					}
                                                					if(_t282 != 0x16) {
                                                						goto L40;
                                                					} else {
                                                						_v32 = 3;
                                                						_v8 = 1;
                                                						goto L17;
                                                					}
                                                				}
                                                				GlobalFree(_v52);
                                                				GlobalFree(_v24);
                                                				GlobalFree(_v44);
                                                				if(_t319 == _t284 ||  *(_t319 + 0x100c) != _t284) {
                                                					L161:
                                                					return _t319;
                                                				} else {
                                                					_t216 =  *_t319 - 1;
                                                					if(_t216 == 0) {
                                                						_t178 = _t319 + 8; // 0x8
                                                						_t312 = _t178;
                                                						__eflags =  *_t312 - _t284;
                                                						if( *_t312 != _t284) {
                                                							_t217 = GetModuleHandleW(_t312);
                                                							__eflags = _t217 - _t284;
                                                							 *(_t319 + 0x1008) = _t217;
                                                							if(_t217 != _t284) {
                                                								L150:
                                                								_t183 = _t319 + 0x808; // 0x808
                                                								_t313 = _t183;
                                                								_t218 = E100015FF( *(_t319 + 0x1008), _t313);
                                                								__eflags = _t218 - _t284;
                                                								 *(_t319 + 0x100c) = _t218;
                                                								if(_t218 == _t284) {
                                                									__eflags =  *_t313 - 0x23;
                                                									if( *_t313 == 0x23) {
                                                										_t186 = _t319 + 0x80a; // 0x80a
                                                										_t222 = E10001311(_t186);
                                                										__eflags = _t222 - _t284;
                                                										if(_t222 != _t284) {
                                                											__eflags = _t222 & 0xffff0000;
                                                											if((_t222 & 0xffff0000) == 0) {
                                                												 *(_t319 + 0x100c) = GetProcAddress( *(_t319 + 0x1008), _t222 & 0x0000ffff);
                                                											}
                                                										}
                                                									}
                                                								}
                                                								__eflags = _v48 - _t284;
                                                								if(_v48 != _t284) {
                                                									L157:
                                                									_t313[lstrlenW(_t313)] = 0x57;
                                                									_t220 = E100015FF( *(_t319 + 0x1008), _t313);
                                                									__eflags = _t220 - _t284;
                                                									if(_t220 != _t284) {
                                                										L145:
                                                										 *(_t319 + 0x100c) = _t220;
                                                										goto L161;
                                                									}
                                                									__eflags =  *(_t319 + 0x100c) - _t284;
                                                									L159:
                                                									if(__eflags != 0) {
                                                										goto L161;
                                                									}
                                                									L160:
                                                									_t197 = _t319 + 4;
                                                									 *_t197 =  *(_t319 + 4) | 0xffffffff;
                                                									__eflags =  *_t197;
                                                									goto L161;
                                                								} else {
                                                									__eflags =  *(_t319 + 0x100c) - _t284;
                                                									if( *(_t319 + 0x100c) != _t284) {
                                                										goto L161;
                                                									}
                                                									goto L157;
                                                								}
                                                							}
                                                							_t225 = LoadLibraryW(_t312);
                                                							__eflags = _t225 - _t284;
                                                							 *(_t319 + 0x1008) = _t225;
                                                							if(_t225 == _t284) {
                                                								goto L160;
                                                							}
                                                							goto L150;
                                                						}
                                                						_t179 = _t319 + 0x808; // 0x808
                                                						_t227 = E10001311(_t179);
                                                						 *(_t319 + 0x100c) = _t227;
                                                						__eflags = _t227 - _t284;
                                                						goto L159;
                                                					}
                                                					_t228 = _t216 - 1;
                                                					if(_t228 == 0) {
                                                						_t176 = _t319 + 0x808; // 0x808
                                                						_t229 = _t176;
                                                						__eflags =  *_t229 - _t284;
                                                						if( *_t229 == _t284) {
                                                							goto L161;
                                                						}
                                                						_t220 = E10001311(_t229);
                                                						L144:
                                                						goto L145;
                                                					}
                                                					if(_t228 != 1) {
                                                						goto L161;
                                                					}
                                                					_t80 = _t319 + 8; // 0x8
                                                					_t285 = _t80;
                                                					_t314 = E10001311(_t80);
                                                					 *(_t319 + 0x1008) = _t314;
                                                					if(_t314 == 0) {
                                                						goto L160;
                                                					}
                                                					 *(_t319 + 0x104c) =  *(_t319 + 0x104c) & 0x00000000;
                                                					 *((intOrPtr*)(_t319 + 0x1050)) = E1000122C(_t285);
                                                					 *(_t319 + 0x103c) =  *(_t319 + 0x103c) & 0x00000000;
                                                					 *((intOrPtr*)(_t319 + 0x1048)) = 1;
                                                					 *((intOrPtr*)(_t319 + 0x1038)) = 1;
                                                					_t89 = _t319 + 0x808; // 0x808
                                                					_t220 =  *(_t314->i + E10001311(_t89) * 4);
                                                					goto L144;
                                                				}
                                                			}
                                                [Instruction address column for the decompiled function above: per-instruction addresses in the range 0x10001b20 to 0x100020c5, with some entries given as 0x00000000; the disassembly text that sits beside these addresses in the report was not preserved in this extraction.]
                                                0x10001ba0
                                                0x10001ba7
                                                0x10001baa
                                                0x00000000
                                                0x10001baa
                                                0x10001b8a
                                                0x00000000
                                                0x10001b90
                                                0x10001b90
                                                0x10001b97
                                                0x00000000
                                                0x10001b97
                                                0x10001b8a
                                                0x10001d83
                                                0x10001d88
                                                0x10001d8d
                                                0x10001d91
                                                0x100021c5
                                                0x100021cb
                                                0x10001da3
                                                0x10001da5
                                                0x10001da6
                                                0x100020ee
                                                0x100020ee
                                                0x100020f1
                                                0x100020f4
                                                0x10002111
                                                0x10002117
                                                0x10002119
                                                0x1000211f
                                                0x10002136
                                                0x10002136
                                                0x10002136
                                                0x10002143
                                                0x10002149
                                                0x1000214c
                                                0x10002152
                                                0x10002154
                                                0x10002158
                                                0x1000215a
                                                0x10002161
                                                0x10002166
                                                0x10002169
                                                0x1000216b
                                                0x10002170
                                                0x10002182
                                                0x10002182
                                                0x10002170
                                                0x10002169
                                                0x10002158
                                                0x10002188
                                                0x1000218b
                                                0x10002195
                                                0x1000219d
                                                0x100021aa
                                                0x100021b0
                                                0x100021b3
                                                0x100020e3
                                                0x100020e3
                                                0x00000000
                                                0x100020e3
                                                0x100021b9
                                                0x100021bf
                                                0x100021bf
                                                0x00000000
                                                0x00000000
                                                0x100021c1
                                                0x100021c1
                                                0x100021c1
                                                0x100021c1
                                                0x00000000
                                                0x1000218d
                                                0x1000218d
                                                0x10002193
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x10002193
                                                0x1000218b
                                                0x10002122
                                                0x10002128
                                                0x1000212a
                                                0x10002130
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x10002130
                                                0x100020f6
                                                0x100020fd
                                                0x10002103
                                                0x10002109
                                                0x00000000
                                                0x10002109
                                                0x10001dac
                                                0x10001dad
                                                0x100020cd
                                                0x100020cd
                                                0x100020d3
                                                0x100020d6
                                                0x00000000
                                                0x00000000
                                                0x100020dd
                                                0x100020e2
                                                0x00000000
                                                0x100020e2
                                                0x10001db4
                                                0x00000000
                                                0x00000000
                                                0x10001dba
                                                0x10001dba
                                                0x10001dc3
                                                0x10001dc8
                                                0x10001dce
                                                0x00000000
                                                0x00000000
                                                0x10001dd4
                                                0x10001de1
                                                0x10001de7
                                                0x10001df1
                                                0x10001df7
                                                0x10001dff
                                                0x10001e0f
                                                0x00000000
                                                0x10001e0f

                                                APIs
                                                  • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
                                                • lstrcpyW.KERNEL32 ref: 10001C6C
                                                • lstrcpyW.KERNEL32 ref: 10001C76
                                                • GlobalFree.KERNEL32 ref: 10001C89
                                                • GlobalFree.KERNEL32 ref: 10001D83
                                                • GlobalFree.KERNEL32 ref: 10001D88
                                                • GlobalFree.KERNEL32 ref: 10001D8D
                                                • GlobalFree.KERNEL32 ref: 10001F38
                                                • lstrcpyW.KERNEL32 ref: 1000209C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.568170336.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.568166890.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000000.00000002.568174284.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000000.00000002.568181130.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Global$Free$lstrcpy$Alloc
                                                • String ID: Nhv@hhv
                                                • API String ID: 4227406936-2967376847
                                                • Opcode ID: cb62190180ed0d4702abe35055169a0b89ef54aebb667e4c8f91c694d9f7fe89
                                                • Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
                                                • Opcode Fuzzy Hash: cb62190180ed0d4702abe35055169a0b89ef54aebb667e4c8f91c694d9f7fe89
                                                • Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Graph image omitted. Basic blocks span 0x406054-0x4062c3; the graph shows calls to the internal routines 0x406032, 0x405f79, 0x405eff and 0x4062c6, a recursive call to 0x406054, and the imports GetVersion, lstrlenW, lstrcatW, GetSystemDirectoryW, GetWindowsDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW and CoTaskMemFree.
                                                C-Code - Quality: 74%
                                                			E00406054(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                				intOrPtr* _v8;
                                                				struct _ITEMIDLIST* _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _t48;
                                                				WCHAR* _t49;
                                                				signed char _t51;
                                                				signed int _t52;
                                                				signed int _t53;
                                                				signed int _t54;
                                                				short _t66;
                                                				short _t67;
                                                				short _t69;
                                                				short _t71;
                                                				void* _t81;
                                                				signed int _t85;
                                                				intOrPtr* _t89;
                                                				signed char _t90;
                                                				intOrPtr _t93;
                                                				void* _t98;
                                                				void* _t108;
                                                				short _t109;
                                                				signed int _t112;
                                                				void* _t113;
                                                				WCHAR* _t114;
                                                				void* _t116;
                                                
                                                				_t113 = __esi;
                                                				_t108 = __edi;
                                                				_t81 = __ebx;
                                                				_t48 = _a8;
                                                				if(_t48 < 0) {
                                                					_t93 =  *0x7a7a1c; // 0xa39294
                                                					_t48 =  *(_t93 - 4 + _t48 * 4);
                                                				}
                                                				_push(_t81);
                                                				_push(_t113);
                                                				_push(_t108);
                                                				_t89 =  *0x7a8a78 + _t48 * 2;
                                                				_t49 = 0x7a69e0;
                                                				_t114 = 0x7a69e0;
                                                				if(_a4 >= 0x7a69e0 && _a4 - 0x7a69e0 >> 1 < 0x800) {
                                                					_t114 = _a4;
                                                					_a4 = _a4 & 0x00000000;
                                                				}
                                                				while(1) {
                                                					_t109 =  *_t89;
                                                					if(_t109 == 0) {
                                                						break;
                                                					}
                                                					__eflags = (_t114 - _t49 & 0xfffffffe) - 0x800;
                                                					if((_t114 - _t49 & 0xfffffffe) >= 0x800) {
                                                						break;
                                                					}
                                                					_t98 = 2;
                                                					_t89 = _t89 + _t98;
                                                					__eflags = _t109 - 4;
                                                					_v8 = _t89;
                                                					if(__eflags >= 0) {
                                                						if(__eflags != 0) {
                                                							 *_t114 = _t109;
                                                							_t114 = _t114 + _t98;
                                                							__eflags = _t114;
                                                						} else {
                                                							 *_t114 =  *_t89;
                                                							_t114 = _t114 + _t98;
                                                							_t89 = _t89 + _t98;
                                                						}
                                                						continue;
                                                					}
                                                					_t51 =  *((intOrPtr*)(_t89 + 1));
                                                					_t90 =  *_t89;
                                                					_v8 = _v8 + 2;
                                                					_t85 = _t90 & 0x000000ff;
                                                					_t52 = _t51 & 0x000000ff;
                                                					_a8 = (_t51 & 0x0000007f) << 0x00000007 | _t90 & 0x0000007f;
                                                					_v16 = _t52;
                                                					_t53 = _t52 | 0x00008000;
                                                					__eflags = _t109 - 2;
                                                					_v24 = _t85;
                                                					_v28 = _t85 | 0x00008000;
                                                					_v20 = _t53;
                                                					if(_t109 != 2) {
                                                						__eflags = _t109 - 3;
                                                						if(_t109 != 3) {
                                                							__eflags = _t109 - 1;
                                                							if(_t109 == 1) {
                                                								__eflags = (_t53 | 0xffffffff) - _a8;
                                                								E00406054(_t85, _t109, _t114, _t114, (_t53 | 0xffffffff) - _a8);
                                                							}
                                                							L42:
                                                							_t54 = lstrlenW(_t114);
                                                							_t89 = _v8;
                                                							_t114 =  &(_t114[_t54]);
                                                							_t49 = 0x7a69e0;
                                                							continue;
                                                						}
                                                						__eflags = _a8 - 0x1d;
                                                						if(_a8 != 0x1d) {
                                                							__eflags = (_a8 << 0xb) + 0x7a9000;
                                                							E00406032(_t114, (_a8 << 0xb) + 0x7a9000);
                                                						} else {
                                                							E00405F79(_t114,  *0x7a8a48);
                                                						}
                                                						__eflags = _a8 + 0xffffffeb - 7;
                                                						if(_a8 + 0xffffffeb < 7) {
                                                							L33:
                                                							E004062C6(_t114);
                                                						}
                                                						goto L42;
                                                					}
                                                					_t112 = 2;
                                                					_t66 = GetVersion();
                                                					__eflags = _t66;
                                                					if(_t66 >= 0) {
                                                						L13:
                                                						_a8 = 1;
                                                						L14:
                                                						__eflags =  *0x7a8ac4;
                                                						if( *0x7a8ac4 != 0) {
                                                							_t112 = 4;
                                                						}
                                                						__eflags = _t85;
                                                						if(_t85 >= 0) {
                                                							__eflags = _t85 - 0x25;
                                                							if(_t85 != 0x25) {
                                                								__eflags = _t85 - 0x24;
                                                								if(_t85 == 0x24) {
                                                									GetWindowsDirectoryW(_t114, 0x400);
                                                									_t112 = 0;
                                                								}
                                                								while(1) {
                                                									__eflags = _t112;
                                                									if(_t112 == 0) {
                                                										goto L30;
                                                									}
                                                									_t67 =  *0x7a8a44;
                                                									_t112 = _t112 - 1;
                                                									__eflags = _t67;
                                                									if(_t67 == 0) {
                                                										L26:
                                                										_t69 = SHGetSpecialFolderLocation( *0x7a8a48,  *(_t116 + _t112 * 4 - 0x18),  &_v12);
                                                										__eflags = _t69;
                                                										if(_t69 != 0) {
                                                											L28:
                                                											 *_t114 =  *_t114 & 0x00000000;
                                                											__eflags =  *_t114;
                                                											continue;
                                                										}
                                                										__imp__SHGetPathFromIDListW(_v12, _t114);
                                                										__imp__CoTaskMemFree(_v12);
                                                										__eflags = _t69;
                                                										if(_t69 != 0) {
                                                											goto L30;
                                                										}
                                                										goto L28;
                                                									}
                                                									__eflags = _a8;
                                                									if(_a8 == 0) {
                                                										goto L26;
                                                									}
                                                									_t71 =  *_t67( *0x7a8a48,  *(_t116 + _t112 * 4 - 0x18), 0, 0, _t114); // executed
                                                									__eflags = _t71;
                                                									if(_t71 == 0) {
                                                										goto L30;
                                                									}
                                                									goto L26;
                                                								}
                                                								goto L30;
                                                							}
                                                							GetSystemDirectoryW(_t114, 0x400);
                                                							goto L30;
                                                						} else {
                                                							_t87 = _t85 & 0x0000003f;
                                                							E00405EFF(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8a78 + (_t85 & 0x0000003f) * 2, _t114, _t85 & 0x00000040); // executed
                                                							__eflags =  *_t114;
                                                							if( *_t114 != 0) {
                                                								L31:
                                                								__eflags = _v16 - 0x1a;
                                                								if(_v16 == 0x1a) {
                                                									lstrcatW(_t114, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                                                								}
                                                								goto L33;
                                                							}
                                                							E00406054(_t87, _t112, _t114, _t114, _v16);
                                                							L30:
                                                							__eflags =  *_t114;
                                                							if( *_t114 == 0) {
                                                								goto L33;
                                                							}
                                                							goto L31;
                                                						}
                                                					}
                                                					__eflags = _t66 - 0x5a04;
                                                					if(_t66 == 0x5a04) {
                                                						goto L13;
                                                					}
                                                					__eflags = _v16 - 0x23;
                                                					if(_v16 == 0x23) {
                                                						goto L13;
                                                					}
                                                					__eflags = _v16 - 0x2e;
                                                					if(_v16 == 0x2e) {
                                                						goto L13;
                                                					} else {
                                                						_a8 = _a8 & 0x00000000;
                                                						goto L14;
                                                					}
                                                				}
                                                				 *_t114 =  *_t114 & 0x00000000;
                                                				if(_a4 == 0) {
                                                					return _t49;
                                                				}
                                                				return E00406032(_a4, _t49);
                                                			}
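Editor's added example (not part of the Joe Sandbox report and not code from the sample): a Python re-implementation of the walk that the decompiled E00406054 performs over its packed string. The dispatch on code units 1..4, the `((hi & 0x7f) << 7) | (lo & 0x7f)` parameter packing, the variable slot 0x1d rendered as a number, the `(index - 21) < 7` sanitising window and the Quick Launch suffix on CSIDL 0x1a all match the string-expansion routine of the NSIS installer runtime, which GuLoader droppers are commonly packaged in; that identification is the editor's, not the report's. Everything outside the loop is replaced by tables so the code runs offline: shell folders come from a dict instead of SHGetSpecialFolderLocation, the registry fallback (E00405EFF) and the Win9x GetVersion branch are omitted, and validate_filename is an assumed approximation of E004062C6, whose body is not on the page. The packed input is constructed for the demo.

```python
"""Re-implementation of the packed-string walk in the decompiled E00406054.
Added example; shell-folder and variable lookups are in-memory tables."""

LANG_CODE, SHELL_CODE, VAR_CODE, ESCAPE_CODE = 1, 2, 3, 4
MAX_CHARS = 0x400                 # the loop stops once the output reaches 0x800 bytes
HWNDPARENT_INDEX = 0x1d           # variable slot rendered via E00405F79 (number to string)
QUICKLAUNCH_CSIDL = 0x1a          # hi byte 0x1a appends the Quick Launch suffix
SYSDIR_CSIDL, WINDIR_CSIDL = 0x25, 0x24
QUICKLAUNCH_SUFFIX = "\\Microsoft\\Internet Explorer\\Quick Launch"
BAD_PATH_CHARS = set('*?|<>/":')  # assumption: E004062C6's body is not on the page


def unpack_param(lo: int, hi: int) -> int:
    """((hi & 0x7f) << 7) | (lo & 0x7f), exactly as the decompiled code computes _a8."""
    return ((hi & 0x7f) << 7) | (lo & 0x7f)


def pack_param(value: int) -> bytes:
    """Inverse of unpack_param (constructed for building test input). The 0x80
    bits keep either byte from being zero, so the WCHAR never reads as NUL."""
    return bytes([0x80 | (value & 0x7f), 0x80 | ((value >> 7) & 0x7f)])


def validate_filename(path: str) -> str:
    """Assumed approximation of E004062C6: keep an optional drive spec, drop
    characters illegal in file names, strip leading spaces and trailing
    spaces/backslashes."""
    path = path.lstrip(" ")
    drive, rest = (path[:2], path[2:]) if len(path) > 1 and path[1] == ":" else ("", path)
    rest = "".join(c for c in rest if ord(c) > 31 and c not in BAD_PATH_CHARS)
    return (drive + rest).rstrip(" \\")


class Expander:
    def __init__(self, variables, shell_folders, lang_strings, hwnd=0x50A1C,
                 all_users=False, sysdir="C:\\Windows\\system32", windir="C:\\Windows"):
        self.variables = variables          # index -> str (the 0x800-byte slots at 0x7a9000)
        self.shell_folders = shell_folders  # CSIDL -> path (stands in for SHGetSpecialFolderLocation)
        self.lang_strings = lang_strings    # negative index -> packed bytes (table behind *0x7a7a1c)
        self.hwnd, self.all_users = hwnd, all_users
        self.sysdir, self.windir = sysdir, windir

    def shell_folder(self, lo: int, hi: int) -> str:
        if lo == SYSDIR_CSIDL:              # _t85 == 0x25 -> GetSystemDirectoryW
            return self.sysdir
        if lo == WINDIR_CSIDL:              # _t85 == 0x24 -> GetWindowsDirectoryW
            return self.windir
        # lo = current-user CSIDL, hi = all-users CSIDL; the all-users flag tries hi first
        path = ""
        for csidl in ((hi, lo) if self.all_users else (lo,)):
            path = self.shell_folders.get(csidl, "")
            if path:
                break
        if path and hi == QUICKLAUNCH_CSIDL:
            path += QUICKLAUNCH_SUFFIX
        return path

    def expand(self, packed: bytes) -> str:
        out, i, n = "", 0, len(packed) // 2
        while i < n and len(out) < MAX_CHARS:
            code = packed[2 * i] | (packed[2 * i + 1] << 8)
            i += 1
            if code == 0:                   # NUL terminates the packed string
                break
            if code > ESCAPE_CODE:          # ordinary UTF-16 code unit: copy it
                out += chr(code)
                continue
            if code == ESCAPE_CODE:         # copy the next code unit verbatim (lets 1..4 appear literally)
                if i < n:
                    out += chr(packed[2 * i] | (packed[2 * i + 1] << 8))
                    i += 1
                continue
            lo, hi = packed[2 * i], packed[2 * i + 1]   # one WCHAR of parameter bytes
            i += 1
            param = unpack_param(lo, hi)
            if code == VAR_CODE:
                value = str(self.hwnd) if param == HWNDPARENT_INDEX else self.variables.get(param, "")
                if 0 <= param - 21 < 7:     # the (_a8 + 0xffffffeb) < 7 test: path variables get sanitised
                    value = validate_filename(value)
                out += value
            elif code == SHELL_CODE:
                out += validate_filename(self.shell_folder(lo, hi))
            elif code == LANG_CODE:
                # (_t53 | 0xffffffff) - _a8 == -1 - param: a negative index selects a language string
                out += self.expand(self.lang_strings.get(-1 - param, b""))
        return out[:MAX_CHARS]


def build_sample() -> bytes:
    """Constructed input (not taken from the sample): a literal prefix, variable
    21, a literal suffix, an escaped code unit 1, the Quick Launch folder and
    language string 0."""
    def lit(s): return s.encode("utf-16-le")
    return (lit("Run: ")
            + bytes([VAR_CODE, 0]) + pack_param(21)
            + lit("\\x.exe ")
            + bytes([ESCAPE_CODE, 0, 1, 0])
            + bytes([SHELL_CODE, 0, QUICKLAUNCH_CSIDL, QUICKLAUNCH_CSIDL])
            + bytes([LANG_CODE, 0]) + pack_param(0)
            + lit("\0"))


def demo() -> str:
    exp = Expander(
        variables={21: "C:\\Program Files\\App\\"},
        shell_folders={QUICKLAUNCH_CSIDL: "C:\\Users\\user\\AppData\\Roaming"},
        lang_strings={-1: " [lang0]".encode("utf-16-le")},
    )
    return exp.expand(build_sample())


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the expanded string for the constructed input. When triaging an NSIS-packaged dropper, feeding the packed strings from the installer's string block through `Expander.expand` with the variable table filled in shows the paths and arguments the script resolves before the PowerShell stages seen in the process tree run.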
                                                [Instruction address column for the listing above (0x00406054 through 0x004062c3); in the original report each address was aligned with one line of the decompiled C-code]

                                                APIs
                                                • GetVersion.KERNEL32(00000000,007A0F20,?,004051C8,007A0F20,00000000,00000000,007924F8), ref: 00406117
                                                • GetSystemDirectoryW.KERNEL32(ExecToStack,00000400), ref: 00406195
                                                • GetWindowsDirectoryW.KERNEL32(ExecToStack,00000400), ref: 004061A8
                                                • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061E4
                                                • SHGetPathFromIDListW.SHELL32(?,ExecToStack), ref: 004061F2
                                                • CoTaskMemFree.OLE32(?), ref: 004061FD
                                                • lstrcatW.KERNEL32(ExecToStack,\Microsoft\Internet Explorer\Quick Launch), ref: 00406221
                                                • lstrlenW.KERNEL32(ExecToStack,00000000,007A0F20,?,004051C8,007A0F20,00000000,00000000,007924F8), ref: 0040627B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                • String ID: ExecToStack$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                • API String ID: 900638850-4080303844
                                                • Opcode ID: 519102f416aae0167fe6a80eec88ce99d0a43be55d541feb02f87bd9ea180c8d
                                                • Instruction ID: 54f449c5e60a038f814dd9badb8d8d01ca624a198295cd2e3a2f801cab414967
                                                • Opcode Fuzzy Hash: 519102f416aae0167fe6a80eec88ce99d0a43be55d541feb02f87bd9ea180c8d
                                                • Instruction Fuzzy Hash: A3610271A00105ABDF20AF68CD40AAE37A4BF51314F12C17FE953BA2D1D67D8AA1CB4D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 808 405823-405849 call 405aee 811 405862-405869 808->811 812 40584b-40585d DeleteFileW 808->812 814 40586b-40586d 811->814 815 40587c-40588c call 406032 811->815 813 4059df-4059e3 812->813 816 405873-405876 814->816 817 40598d-405992 814->817 821 40589b-40589c call 405a32 815->821 822 40588e-405899 lstrcatW 815->822 816->815 816->817 817->813 819 405994-405997 817->819 823 4059a1-4059a9 call 406375 819->823 824 405999-40599f 819->824 825 4058a1-4058a5 821->825 822->825 823->813 832 4059ab-4059bf call 4059e6 call 4057db 823->832 824->813 828 4058b1-4058b7 lstrcatW 825->828 829 4058a7-4058af 825->829 831 4058bc-4058d8 lstrlenW FindFirstFileW 828->831 829->828 829->831 833 405982-405986 831->833 834 4058de-4058e6 831->834 848 4059c1-4059c4 832->848 849 4059d7-4059da call 405191 832->849 833->817 836 405988 833->836 837 405906-40591a call 406032 834->837 838 4058e8-4058f0 834->838 836->817 850 405931-40593c call 4057db 837->850 851 40591c-405924 837->851 840 4058f2-4058fa 838->840 841 405965-405975 FindNextFileW 838->841 840->837 844 4058fc-405904 840->844 841->834 847 40597b-40597c FindClose 841->847 844->837 844->841 847->833 848->824 854 4059c6-4059d5 call 405191 call 405ed3 848->854 849->813 861 40595d-405960 call 405191 850->861 862 40593e-405941 850->862 851->841 855 405926-40592f call 405823 851->855 854->813 855->841 861->841 864 405943-405953 call 405191 call 405ed3 862->864 865 405955-40595b 862->865 864->841 865->841
                                                C-Code - Quality: 98%
                                                			E00405823(void* __eflags, signed int _a4, signed int _a8) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				short _v556;
                                                				short _v558;
                                                				struct _WIN32_FIND_DATAW _v604;
                                                				signed int _t38;
                                                				signed int _t52;
                                                				signed int _t55;
                                                				signed int _t62;
                                                				void* _t64;
                                                				signed char _t65;
                                                				WCHAR* _t66;
                                                				void* _t67;
                                                				WCHAR* _t68;
                                                				void* _t70;
                                                
                                                				_t65 = _a8;
                                                				_t68 = _a4;
                                                				_v8 = _t65 & 0x00000004;
                                                				_t38 = E00405AEE(__eflags, _t68);
                                                				_v12 = _t38;
                                                				if((_t65 & 0x00000008) != 0) {
                                                					_t62 = DeleteFileW(_t68); // executed
                                                					asm("sbb eax, eax");
                                                					_t64 =  ~_t62 + 1;
                                                					 *0x7a8ac8 =  *0x7a8ac8 + _t64;
                                                					return _t64;
                                                				}
                                                				_a4 = _t65;
                                                				_t8 =  &_a4;
                                                				 *_t8 = _a4 & 0x00000001;
                                                				__eflags =  *_t8;
                                                				if( *_t8 == 0) {
                                                					L5:
                                                					E00406032(0x7a3f48, _t68);
                                                					__eflags = _a4;
                                                					if(_a4 == 0) {
                                                						E00405A32(_t68);
                                                					} else {
                                                						lstrcatW(0x7a3f48, L"\\*.*");
                                                					}
                                                					__eflags =  *_t68;
                                                					if( *_t68 != 0) {
                                                						L10:
                                                						lstrcatW(_t68, 0x40a014);
                                                						L11:
                                                						_t66 =  &(_t68[lstrlenW(_t68)]);
                                                						_t38 = FindFirstFileW(0x7a3f48,  &_v604);
                                                						_t70 = _t38;
                                                						__eflags = _t70 - 0xffffffff;
                                                						if(_t70 == 0xffffffff) {
                                                							L26:
                                                							__eflags = _a4;
                                                							if(_a4 != 0) {
                                                								_t30 = _t66 - 2;
                                                								 *_t30 =  *(_t66 - 2) & 0x00000000;
                                                								__eflags =  *_t30;
                                                							}
                                                							goto L28;
                                                						} else {
                                                							goto L12;
                                                						}
                                                						do {
                                                							L12:
                                                							__eflags = _v604.cFileName - 0x2e;
                                                							if(_v604.cFileName != 0x2e) {
                                                								L16:
                                                								E00406032(_t66,  &(_v604.cFileName));
                                                								__eflags = _v604.dwFileAttributes & 0x00000010;
                                                								if(__eflags == 0) {
                                                									_t52 = E004057DB(__eflags, _t68, _v8);
                                                									__eflags = _t52;
                                                									if(_t52 != 0) {
                                                										E00405191(0xfffffff2, _t68);
                                                									} else {
                                                										__eflags = _v8 - _t52;
                                                										if(_v8 == _t52) {
                                                											 *0x7a8ac8 =  *0x7a8ac8 + 1;
                                                										} else {
                                                											E00405191(0xfffffff1, _t68);
                                                											E00405ED3(_t67, _t68, 0);
                                                										}
                                                									}
                                                								} else {
                                                									__eflags = (_a8 & 0x00000003) - 3;
                                                									if(__eflags == 0) {
                                                										E00405823(__eflags, _t68, _a8);
                                                									}
                                                								}
                                                								goto L24;
                                                							}
                                                							__eflags = _v558;
                                                							if(_v558 == 0) {
                                                								goto L24;
                                                							}
                                                							__eflags = _v558 - 0x2e;
                                                							if(_v558 != 0x2e) {
                                                								goto L16;
                                                							}
                                                							__eflags = _v556;
                                                							if(_v556 == 0) {
                                                								goto L24;
                                                							}
                                                							goto L16;
                                                							L24:
                                                							_t55 = FindNextFileW(_t70,  &_v604);
                                                							__eflags = _t55;
                                                						} while (_t55 != 0);
                                                						_t38 = FindClose(_t70);
                                                						goto L26;
                                                					}
                                                					__eflags =  *0x7a3f48 - 0x5c;
                                                					if( *0x7a3f48 != 0x5c) {
                                                						goto L11;
                                                					}
                                                					goto L10;
                                                				} else {
                                                					__eflags = _t38;
                                                					if(_t38 == 0) {
                                                						L28:
                                                						__eflags = _a4;
                                                						if(_a4 == 0) {
                                                							L36:
                                                							return _t38;
                                                						}
                                                						__eflags = _v12;
                                                						if(_v12 != 0) {
                                                							_t38 = E00406375(_t68);
                                                							__eflags = _t38;
                                                							if(_t38 == 0) {
                                                								goto L36;
                                                							}
                                                							E004059E6(_t68);
                                                							_t38 = E004057DB(__eflags, _t68, _v8 | 0x00000001);
                                                							__eflags = _t38;
                                                							if(_t38 != 0) {
                                                								return E00405191(0xffffffe5, _t68);
                                                							}
                                                							__eflags = _v8;
                                                							if(_v8 == 0) {
                                                								goto L30;
                                                							}
                                                							E00405191(0xfffffff1, _t68);
                                                							return E00405ED3(_t67, _t68, 0);
                                                						}
                                                						L30:
                                                						 *0x7a8ac8 =  *0x7a8ac8 + 1;
                                                						return _t38;
                                                					}
                                                					__eflags = _t65 & 0x00000002;
                                                					if((_t65 & 0x00000002) == 0) {
                                                						goto L28;
                                                					}
                                                					goto L5;
                                                				}
                                                			}
                                                [Instruction address column for the listing above (0x0040582d through 0x004059bf, truncated at the end of the page); in the original report each address was aligned with one line of the decompiled C-code]
                                                0x00000000
                                                0x004059da
                                                0x004059c1
                                                0x004059c4
                                                0x00000000
                                                0x00000000
                                                0x004059c9
                                                0x00000000
                                                0x004059d0
                                                0x00405999
                                                0x00405999
                                                0x00000000
                                                0x00405999
                                                0x00405873
                                                0x00405876
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00405876

                                                APIs
                                                • DeleteFileW.KERNELBASE(?,?,766DFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ), ref: 0040584C
                                                • lstrcatW.KERNEL32(007A3F48,\*.*), ref: 00405894
                                                • lstrcatW.KERNEL32(?,0040A014), ref: 004058B7
                                                • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F48,?,?,766DFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ), ref: 004058BD
                                                • FindFirstFileW.KERNEL32(007A3F48,?,?,?,0040A014,?,007A3F48,?,?,766DFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ), ref: 004058CD
                                                • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,0040A300,0000002E), ref: 0040596D
                                                • FindClose.KERNEL32(00000000), ref: 0040597C
                                                Strings
                                                • H?z, xrefs: 0040587C
                                                • \*.*, xrefs: 0040588E
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405830
                                                • "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" , xrefs: 0040582C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" $C:\Users\user\AppData\Local\Temp\$H?z$\*.*
                                                • API String ID: 2035342205-191500976
                                                • Opcode ID: b12d6577bcbfee63c8f1005f00baa83bc0992cbcdb087d25710020cb5acef1ed
                                                • Instruction ID: 14cb3427b362c018eba3739e9bf11da3c0c9d0e64928a5d047ed163a808d7245
                                                • Opcode Fuzzy Hash: b12d6577bcbfee63c8f1005f00baa83bc0992cbcdb087d25710020cb5acef1ed
                                                • Instruction Fuzzy Hash: 5441C271800A14FACB21AB658C89BAF7778EF42724F24817BF801B11D1D77C4995DEAE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00406375(WCHAR* _a4) {
                                                				void* _t2;
                                                
                                                				_t2 = FindFirstFileW(_a4, 0x7a4f90); // executed
                                                				if(_t2 == 0xffffffff) {
                                                					return 0;
                                                				}
                                                				FindClose(_t2);
                                                				return 0x7a4f90;
                                                			}


                                                APIs
                                                • FindFirstFileW.KERNELBASE(766DFAA0,007A4F90,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,00405B37,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,766DFAA0,?,C:\Users\user\AppData\Local\Temp\,00405843,?,766DFAA0,C:\Users\user\AppData\Local\Temp\), ref: 00406380
                                                • FindClose.KERNEL32(00000000), ref: 0040638C
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp, xrefs: 00406375
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp
                                                • API String ID: 2295610775-416103064
                                                • Opcode ID: 8868b6a2426bb8f5e231bf1a7a7d8febf10f258da88ac185063839d851748521
                                                • Instruction ID: 3fb5690f441cb67cce8948cff85e4bd0b52f5f4d7afbd4cfaa78c2f4b78b622c
                                                • Opcode Fuzzy Hash: 8868b6a2426bb8f5e231bf1a7a7d8febf10f258da88ac185063839d851748521
                                                • Instruction Fuzzy Hash: BAD013715151205FC2505F746E0C44777545F463313154F35F45AF11E0C7745C5645EC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 67%
                                                			E00402095() {
                                                				signed int _t52;
                                                				void* _t56;
                                                				intOrPtr* _t60;
                                                				intOrPtr _t61;
                                                				intOrPtr* _t62;
                                                				intOrPtr* _t64;
                                                				intOrPtr* _t66;
                                                				intOrPtr* _t68;
                                                				intOrPtr* _t70;
                                                				intOrPtr* _t72;
                                                				intOrPtr* _t74;
                                                				intOrPtr* _t76;
                                                				intOrPtr* _t78;
                                                				intOrPtr* _t80;
                                                				void* _t83;
                                                				intOrPtr* _t91;
                                                				signed int _t101;
                                                				signed int _t105;
                                                				void* _t107;
                                                
                                                				 *((intOrPtr*)(_t107 - 0x34)) = E00402BBF(0xfffffff0);
                                                				 *((intOrPtr*)(_t107 - 8)) = E00402BBF(0xffffffdf);
                                                				 *((intOrPtr*)(_t107 - 0xc)) = E00402BBF(2);
                                                				 *((intOrPtr*)(_t107 - 0x3c)) = E00402BBF(0xffffffcd);
                                                				 *((intOrPtr*)(_t107 - 0x10)) = E00402BBF(0x45);
                                                				_t52 =  *(_t107 - 0x1c);
                                                				 *(_t107 - 0x40) = _t52 & 0x00000fff;
                                                				_t101 = _t52 & 0x00008000;
                                                				_t105 = _t52 >> 0x0000000c & 0x00000007;
                                                				 *(_t107 - 0x38) = _t52 >> 0x00000010 & 0x0000ffff;
                                                				if(E00405A5D( *((intOrPtr*)(_t107 - 8))) == 0) {
                                                					E00402BBF(0x21);
                                                				}
                                                				_t56 = _t107 + 8;
                                                				__imp__CoCreateInstance(0x40849c, _t83, 1, 0x40848c, _t56); // executed
                                                				if(_t56 < _t83) {
                                                					L14:
                                                					 *((intOrPtr*)(_t107 - 4)) = 1;
                                                					_push(0xfffffff0);
                                                				} else {
                                                					_t60 =  *((intOrPtr*)(_t107 + 8));
                                                					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084ac, _t107 - 0x48);
                                                					 *((intOrPtr*)(_t107 - 0x14)) = _t61;
                                                					if(_t61 >= _t83) {
                                                						_t64 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)(_t107 - 0x14)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 8)));
                                                						if(_t101 == _t83) {
                                                							_t80 =  *((intOrPtr*)(_t107 + 8));
                                                							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis\\Sekstal");
                                                						}
                                                						if(_t105 != _t83) {
                                                							_t78 =  *((intOrPtr*)(_t107 + 8));
                                                							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                                                						}
                                                						_t66 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x38));
                                                						_t91 =  *((intOrPtr*)(_t107 - 0x3c));
                                                						if( *_t91 != _t83) {
                                                							_t76 =  *((intOrPtr*)(_t107 + 8));
                                                							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x40));
                                                						}
                                                						_t68 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 0xc)));
                                                						_t70 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0x10)));
                                                						if( *((intOrPtr*)(_t107 - 0x14)) >= _t83) {
                                                							_t74 =  *((intOrPtr*)(_t107 - 0x48));
                                                							 *((intOrPtr*)(_t107 - 0x14)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x34)), 1);
                                                						}
                                                						_t72 =  *((intOrPtr*)(_t107 - 0x48));
                                                						 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                					}
                                                					_t62 =  *((intOrPtr*)(_t107 + 8));
                                                					 *((intOrPtr*)( *_t62 + 8))(_t62);
                                                					if( *((intOrPtr*)(_t107 - 0x14)) >= _t83) {
                                                						_push(0xfffffff4);
                                                					} else {
                                                						goto L14;
                                                					}
                                                				}
                                                				E00401423();
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t107 - 4));
                                                				return 0;
                                                			}


                                                APIs
                                                • CoCreateInstance.OLE32(0040849C,?,00000001,0040848C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114
                                                Strings
                                                • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Sekstal, xrefs: 00402154
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CreateInstance
                                                • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Sekstal
                                                • API String ID: 542301482-1167972383
                                                • Opcode ID: a02c29aecddc9ed142f4502ba50d2b7bf96e4c42ae4d7c546ad33a93e5c34623
                                                • Instruction ID: d47fca260cdd8e4185df19bb7459501af9c1372a1639466ce8116fcd6c853d94
                                                • Opcode Fuzzy Hash: a02c29aecddc9ed142f4502ba50d2b7bf96e4c42ae4d7c546ad33a93e5c34623
                                                • Instruction Fuzzy Hash: 2D414C71A00209AFCF00DFA4CD88AAD7BB5FF48314B20456AF515EB2D1DBB99A41CB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                C-Code - Quality: 84%
                                                			E00403C1E(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                				struct HWND__* _v32;
                                                				void* _v84;
                                                				void* _v88;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t37;
                                                				signed int _t39;
                                                				signed int _t41;
                                                				struct HWND__* _t51;
                                                				signed int _t69;
                                                				struct HWND__* _t75;
                                                				signed int _t88;
                                                				struct HWND__* _t93;
                                                				signed int _t101;
                                                				int _t105;
                                                				signed int _t117;
                                                				signed int _t118;
                                                				int _t119;
                                                				signed int _t124;
                                                				struct HWND__* _t127;
                                                				struct HWND__* _t128;
                                                				int _t129;
                                                				long _t132;
                                                				int _t134;
                                                				int _t135;
                                                				void* _t136;
                                                				void* _t144;
                                                
                                                				_t117 = _a8;
                                                				if(_t117 == 0x110 || _t117 == 0x408) {
                                                					_t37 = _a12;
                                                					_t127 = _a4;
                                                					__eflags = _t117 - 0x110;
                                                					 *0x7a1f28 = _t37;
                                                					if(_t117 == 0x110) {
                                                						 *0x7a8a48 = _t127;
                                                						 *0x7a1f3c = GetDlgItem(_t127, 1);
                                                						_t93 = GetDlgItem(_t127, 2);
                                                						_push(0xffffffff);
                                                						_push(0x1c);
                                                						 *0x79ff08 = _t93;
                                                						E004040F6(_t127);
                                                						SetClassLongW(_t127, 0xfffffff2,  *0x7a7a28); // executed
                                                						 *0x7a7a0c = E0040140B(4);
                                                						_t37 = 1;
                                                						__eflags = 1;
                                                						 *0x7a1f28 = 1;
                                                					}
                                                					_t124 =  *0x40a388; // 0x0
                                                					_t135 = 0;
                                                					_t132 = (_t124 << 6) +  *0x7a8a60;
                                                					__eflags = _t124;
                                                					if(_t124 < 0) {
                                                						L34:
                                                						E00404142(0x40b);
                                                						while(1) {
                                                							_t39 =  *0x7a1f28;
                                                							 *0x40a388 =  *0x40a388 + _t39;
                                                							_t132 = _t132 + (_t39 << 6);
                                                							_t41 =  *0x40a388; // 0x0
                                                							__eflags = _t41 -  *0x7a8a64;
                                                							if(_t41 ==  *0x7a8a64) {
                                                								E0040140B(1);
                                                							}
                                                							__eflags =  *0x7a7a0c - _t135; // 0x0
                                                							if(__eflags != 0) {
                                                								break;
                                                							}
                                                							__eflags =  *0x40a388 -  *0x7a8a64; // 0x0
                                                							if(__eflags >= 0) {
                                                								break;
                                                							}
                                                							_t118 =  *(_t132 + 0x14);
                                                							E00406054(_t118, _t127, _t132, 0x7b8000,  *((intOrPtr*)(_t132 + 0x24)));
                                                							_push( *((intOrPtr*)(_t132 + 0x20)));
                                                							_push(0xfffffc19);
                                                							E004040F6(_t127);
                                                							_push( *((intOrPtr*)(_t132 + 0x1c)));
                                                							_push(0xfffffc1b);
                                                							E004040F6(_t127);
                                                							_push( *((intOrPtr*)(_t132 + 0x28)));
                                                							_push(0xfffffc1a);
                                                							E004040F6(_t127);
                                                							_t51 = GetDlgItem(_t127, 3);
                                                							__eflags =  *0x7a8acc - _t135;
                                                							_v32 = _t51;
                                                							if( *0x7a8acc != _t135) {
                                                								_t118 = _t118 & 0x0000fefd | 0x00000004;
                                                								__eflags = _t118;
                                                							}
                                                							ShowWindow(_t51, _t118 & 0x00000008); // executed
                                                							EnableWindow( *(_t136 + 0x30), _t118 & 0x00000100); // executed
                                                							E00404118(_t118 & 0x00000002);
                                                							_t119 = _t118 & 0x00000004;
                                                							EnableWindow( *0x79ff08, _t119);
                                                							__eflags = _t119 - _t135;
                                                							if(_t119 == _t135) {
                                                								_push(1);
                                                							} else {
                                                								_push(_t135);
                                                							}
                                                							EnableMenuItem(GetSystemMenu(_t127, _t135), 0xf060, ??);
                                                							SendMessageW( *(_t136 + 0x38), 0xf4, _t135, 1);
                                                							__eflags =  *0x7a8acc - _t135;
                                                							if( *0x7a8acc == _t135) {
                                                								_push( *0x7a1f3c);
                                                							} else {
                                                								SendMessageW(_t127, 0x401, 2, _t135);
                                                								_push( *0x79ff08);
                                                							}
                                                							E0040412B();
                                                							E00406032(0x7a1f40, "Ottomans Setup");
                                                							E00406054(0x7a1f40, _t127, _t132,  &(0x7a1f40[lstrlenW(0x7a1f40)]),  *((intOrPtr*)(_t132 + 0x18)));
                                                							SetWindowTextW(_t127, 0x7a1f40); // executed
                                                							_push(_t135);
                                                							_t69 = E00401389( *((intOrPtr*)(_t132 + 8)));
                                                							__eflags = _t69;
                                                							if(_t69 != 0) {
                                                								continue;
                                                							} else {
                                                								__eflags =  *_t132 - _t135;
                                                								if( *_t132 == _t135) {
                                                									continue;
                                                								}
                                                								__eflags =  *(_t132 + 4) - 5;
                                                								if( *(_t132 + 4) != 5) {
                                                									DestroyWindow( *0x7a7a18); // executed
                                                									 *0x7a0f18 = _t132;
                                                									__eflags =  *_t132 - _t135;
                                                									if( *_t132 <= _t135) {
                                                										goto L58;
                                                									}
                                                									_t75 = CreateDialogParamW( *0x7a8a40,  *_t132 +  *0x7a7a20 & 0x0000ffff, _t127,  *(0x40a38c +  *(_t132 + 4) * 4), _t132); // executed
                                                									__eflags = _t75 - _t135;
                                                									 *0x7a7a18 = _t75;
                                                									if(_t75 == _t135) {
                                                										goto L58;
                                                									}
                                                									_push( *((intOrPtr*)(_t132 + 0x2c)));
                                                									_push(6);
                                                									E004040F6(_t75);
                                                									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t136 + 0x10);
                                                									ScreenToClient(_t127, _t136 + 0x10);
                                                									SetWindowPos( *0x7a7a18, _t135,  *(_t136 + 0x20),  *(_t136 + 0x20), _t135, _t135, 0x15);
                                                									_push(_t135);
                                                									E00401389( *((intOrPtr*)(_t132 + 0xc)));
                                                									__eflags =  *0x7a7a0c - _t135; // 0x0
                                                									if(__eflags != 0) {
                                                										goto L61;
                                                									}
                                                									ShowWindow( *0x7a7a18, 8); // executed
                                                									E00404142(0x405);
                                                									goto L58;
                                                								}
                                                								__eflags =  *0x7a8acc - _t135;
                                                								if( *0x7a8acc != _t135) {
                                                									goto L61;
                                                								}
                                                								__eflags =  *0x7a8ac0 - _t135;
                                                								if( *0x7a8ac0 != _t135) {
                                                									continue;
                                                								}
                                                								goto L61;
                                                							}
                                                						}
                                                						DestroyWindow( *0x7a7a18);
                                                						 *0x7a8a48 = _t135;
                                                						EndDialog(_t127,  *0x7a0710);
                                                						goto L58;
                                                					} else {
                                                						__eflags = _t37 - 1;
                                                						if(_t37 != 1) {
                                                							L33:
                                                							__eflags =  *_t132 - _t135;
                                                							if( *_t132 == _t135) {
                                                								goto L61;
                                                							}
                                                							goto L34;
                                                						}
                                                						_push(0);
                                                						_t88 = E00401389( *((intOrPtr*)(_t132 + 0x10)));
                                                						__eflags = _t88;
                                                						if(_t88 == 0) {
                                                							goto L33;
                                                						}
                                                						SendMessageW( *0x7a7a18, 0x40f, 0, 1);
                                                						__eflags =  *0x7a7a0c - _t135; // 0x0
                                                						return 0 | __eflags == 0x00000000;
                                                					}
                                                				} else {
                                                					_t127 = _a4;
                                                					_t135 = 0;
                                                					if(_t117 == 0x47) {
                                                						SetWindowPos( *0x7a1f20, _t127, 0, 0, 0, 0, 0x13);
                                                					}
                                                					if(_t117 == 5) {
                                                						asm("sbb eax, eax");
                                                						ShowWindow( *0x7a1f20,  ~(_a12 - 1) & _t117);
                                                					}
                                                					if(_t117 != 0x40d) {
                                                						__eflags = _t117 - 0x11;
                                                						if(_t117 != 0x11) {
                                                							__eflags = _t117 - 0x111;
                                                							if(_t117 != 0x111) {
                                                								L26:
                                                								return E0040415D(_t117, _a12, _a16);
                                                							}
                                                							_t134 = _a12 & 0x0000ffff;
                                                							_t128 = GetDlgItem(_t127, _t134);
                                                							__eflags = _t128 - _t135;
                                                							if(_t128 == _t135) {
                                                								L13:
                                                								__eflags = _t134 - 1;
                                                								if(_t134 != 1) {
                                                									__eflags = _t134 - 3;
                                                									if(_t134 != 3) {
                                                										_t129 = 2;
                                                										__eflags = _t134 - _t129;
                                                										if(_t134 != _t129) {
                                                											L25:
                                                											SendMessageW( *0x7a7a18, 0x111, _a12, _a16);
                                                											goto L26;
                                                										}
                                                										__eflags =  *0x7a8acc - _t135;
                                                										if( *0x7a8acc == _t135) {
                                                											_t101 = E0040140B(3);
                                                											__eflags = _t101;
                                                											if(_t101 != 0) {
                                                												goto L26;
                                                											}
                                                											 *0x7a0710 = 1;
                                                											L21:
                                                											_push(0x78);
                                                											L22:
                                                											E004040CF();
                                                											goto L26;
                                                										}
                                                										E0040140B(_t129);
                                                										 *0x7a0710 = _t129;
                                                										goto L21;
                                                									}
                                                									__eflags =  *0x40a388 - _t135; // 0x0
                                                									if(__eflags <= 0) {
                                                										goto L25;
                                                									}
                                                									_push(0xffffffff);
                                                									goto L22;
                                                								}
                                                								_push(_t134);
                                                								goto L22;
                                                							}
                                                							SendMessageW(_t128, 0xf3, _t135, _t135);
                                                							_t105 = IsWindowEnabled(_t128);
                                                							__eflags = _t105;
                                                							if(_t105 == 0) {
                                                								goto L61;
                                                							}
                                                							goto L13;
                                                						}
                                                						SetWindowLongW(_t127, _t135, _t135);
                                                						return 1;
                                                					} else {
                                                						DestroyWindow( *0x7a7a18);
                                                						 *0x7a7a18 = _a12;
                                                						L58:
                                                						if( *0x7a3f40 == _t135) {
                                                							_t144 =  *0x7a7a18 - _t135; // 0x103ce
                                                							if(_t144 != 0) {
                                                								ShowWindow(_t127, 0xa); // executed
                                                								 *0x7a3f40 = 1;
                                                							}
                                                						}
                                                						L61:
                                                						return 0;
                                                					}
                                                				}
                                                			}
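The listing above is the outer dialog procedure of the installer stub: it dispatches on the message argument (`_a8`, copied into `_t117`) using raw constants (0x110 WM_INITDIALOG, 0x111 WM_COMMAND, 0x47 WM_WINDOWPOSCHANGED, 5 WM_SIZE, 0x11 WM_QUERYENDSESSION, and 0x408/0x40d/0x40b/0x405 in the WM_USER range), builds the window title from "Ottomans Setup", creates the current page with CreateDialogParamW and positions it over control 0x3fa. The shape matches the outer DialogProc of the NSIS installer stub (IDC_CHILDRECT is 1018 = 0x3fa in NSIS). The `// executed` markers are the sandbox's record of which statements actually ran, which is what separates the UI path taken in the analysis from code that is merely present. The script below is an added example and is not code from the report or from the sample: it parses a constructed excerpt of this listing to resolve the message constants the procedure compares against and to list which Win32 APIs executed versus which were never reached. The variable name `_t117` and the `// executed` convention are taken from the listing; the WM_* names are from the Windows SDK; the excerpt is shortened and constructed for the example.

```python
"""Triage helper for a Joe Sandbox C-code listing of a Windows dialog procedure.

Added example; it is not code from the report or from the sample.  It resolves
the message constants the procedure dispatches on and separates the Win32 APIs
that carry the sandbox's "// executed" marker from those that were never reached.
"""
import re

# Constructed excerpt of the listing above; the decompiler copies the uMsg
# argument _a8 into _t117 and compares it against raw constants.
LISTING = r"""
_t117 = _a8;
if(_t117 == 0x110 || _t117 == 0x408) {
    SetClassLongW(_t127, 0xfffffff2,  *0x7a7a28); // executed
    ShowWindow(_t51, _t118 & 0x00000008); // executed
    EnableWindow( *(_t136 + 0x30), _t118 & 0x00000100); // executed
    CreateDialogParamW( *0x7a8a40,  *_t132 +  *0x7a7a20 & 0x0000ffff, _t127,  *(0x40a38c +  *(_t132 + 4) * 4), _t132); // executed
    SetWindowTextW(_t127, 0x7a1f40); // executed
} else {
    if(_t117 == 0x47) {
        SetWindowPos( *0x7a1f20, _t127, 0, 0, 0, 0, 0x13);
    }
    if(_t117 == 5) {
        ShowWindow( *0x7a1f20,  ~(_a12 - 1) & _t117);
    }
    if(_t117 != 0x40d) {
        if(_t117 != 0x11) {
            if(_t117 != 0x111) {
                return E0040415D(_t117, _a12, _a16);
            }
            SendMessageW( *0x7a7a18, 0x111, _a12, _a16);
            SendMessageW(_t128, 0xf3, _t135, _t135);
        }
        SetWindowLongW(_t127, _t135, _t135);
    }
}
"""

MSG_VAR = "_t117"               # the decompiler's name for uMsg in this listing
EXECUTED_MARK = "// executed"   # Joe Sandbox appends this to statements that ran
WM_USER = 0x400
WM_NAMES = {                    # from the Windows SDK (winuser.h)
    0x005: "WM_SIZE",
    0x011: "WM_QUERYENDSESSION",
    0x047: "WM_WINDOWPOSCHANGED",
    0x110: "WM_INITDIALOG",
    0x111: "WM_COMMAND",
}
C_KEYWORDS = {"if", "else", "while", "for", "return", "switch", "goto", "sizeof", "asm"}
HELPER_RE = re.compile(r"E[0-9A-Fa-f]{8}")   # decompiler-named internal subs, e.g. E0040415D
CALL_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9]*)\s*\(")


def message_name(value: int) -> str:
    """Symbolic name for a window message; WM_USER+n for private messages."""
    if value in WM_NAMES:
        return WM_NAMES[value]
    if WM_USER <= value < 0x8000:
        return f"WM_USER+0x{value - WM_USER:x}"
    return f"0x{value:x}"


def message_names(listing: str, msg_var: str = MSG_VAR) -> dict:
    """Every constant the procedure compares the message variable against."""
    pat = re.compile(re.escape(msg_var) + r"\s*(?:==|!=)\s*(0x[0-9A-Fa-f]+|\d+)")
    found = {int(m.group(1), 0) for m in pat.finditer(listing)}
    return {v: message_name(v) for v in sorted(found)}


def api_calls(listing: str):
    """(name, executed) for each call site, skipping C keywords and decompiler helpers."""
    calls = []
    for line in listing.splitlines():
        executed = EXECUTED_MARK in line
        for name in CALL_RE.findall(line):
            if name in C_KEYWORDS or HELPER_RE.fullmatch(name):
                continue
            calls.append((name, executed))
    return calls


def executed_apis(listing: str):
    """APIs that ran at least once during the analysis."""
    return sorted({n for n, ran in api_calls(listing) if ran})


def never_executed_apis(listing: str):
    """APIs present in the listing that the sandbox never reached on any path."""
    seen = {n for n, _ in api_calls(listing)}
    return sorted(seen - set(executed_apis(listing)))


if __name__ == "__main__":
    for value, name in message_names(LISTING).items():
        print(f"{value:#06x}  {name}")
    print("executed:     ", ", ".join(executed_apis(LISTING)))
    print("never reached:", ", ".join(never_executed_apis(LISTING)))
```

To run it against the full listing, paste the C-Code block into `LISTING`; the same regexes apply because the decompiler keeps one variable name for uMsg throughout a function. An API that appears only in `never_executed_apis` (here the WM_COMMAND and WM_QUERYENDSESSION handling) was not exercised in the run, so conclusions about it come from static reading, not from observed behaviour.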
Address column for the C-Code listing above (one address per statement; 0x00000000 where the decompiler assigned none):
0x00403c27
                                                0x00403c30
                                                0x00403d71
                                                0x00403d75
                                                0x00403d79
                                                0x00403d7b
                                                0x00403d80
                                                0x00403d8b
                                                0x00403d96
                                                0x00403d9b
                                                0x00403d9d
                                                0x00403d9f
                                                0x00403da2
                                                0x00403da7
                                                0x00403db5
                                                0x00403dc2
                                                0x00403dc9
                                                0x00403dc9
                                                0x00403dca
                                                0x00403dca
                                                0x00403dcf
                                                0x00403dd5
                                                0x00403ddc
                                                0x00403de2
                                                0x00403de4
                                                0x00403e24
                                                0x00403e29
                                                0x00403e2e
                                                0x00403e2e
                                                0x00403e33
                                                0x00403e3c
                                                0x00403e3e
                                                0x00403e43
                                                0x00403e49
                                                0x00403e4d
                                                0x00403e4d
                                                0x00403e52
                                                0x00403e58
                                                0x00000000
                                                0x00000000
                                                0x00403e63
                                                0x00403e69
                                                0x00000000
                                                0x00000000
                                                0x00403e72
                                                0x00403e7a
                                                0x00403e7f
                                                0x00403e82
                                                0x00403e88
                                                0x00403e8d
                                                0x00403e90
                                                0x00403e96
                                                0x00403e9b
                                                0x00403e9e
                                                0x00403ea4
                                                0x00403eac
                                                0x00403eb2
                                                0x00403eb8
                                                0x00403ebc
                                                0x00403ec3
                                                0x00403ec3
                                                0x00403ec3
                                                0x00403ecd
                                                0x00403edf
                                                0x00403eeb
                                                0x00403ef0
                                                0x00403efa
                                                0x00403f00
                                                0x00403f02
                                                0x00403f07
                                                0x00403f04
                                                0x00403f04
                                                0x00403f04
                                                0x00403f17
                                                0x00403f2f
                                                0x00403f31
                                                0x00403f37
                                                0x00403f4c
                                                0x00403f39
                                                0x00403f42
                                                0x00403f44
                                                0x00403f44
                                                0x00403f52
                                                0x00403f62
                                                0x00403f78
                                                0x00403f7f
                                                0x00403f85
                                                0x00403f89
                                                0x00403f8e
                                                0x00403f90
                                                0x00000000
                                                0x00403f96
                                                0x00403f96
                                                0x00403f98
                                                0x00000000
                                                0x00000000
                                                0x00403f9e
                                                0x00403fa2
                                                0x00403fc7
                                                0x00403fcd
                                                0x00403fd3
                                                0x00403fd5
                                                0x00000000
                                                0x00000000
                                                0x00403ffb
                                                0x00404001
                                                0x00404003
                                                0x00404008
                                                0x00000000
                                                0x00000000
                                                0x0040400e
                                                0x00404011
                                                0x00404014
                                                0x0040402b
                                                0x00404037
                                                0x00404050
                                                0x00404056
                                                0x0040405a
                                                0x0040405f
                                                0x00404065
                                                0x00000000
                                                0x00000000
                                                0x0040406f
                                                0x0040407a
                                                0x00000000
                                                0x0040407a
                                                0x00403fa4
                                                0x00403faa
                                                0x00000000
                                                0x00000000
                                                0x00403fb0
                                                0x00403fb6
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403fbc
                                                0x00403f90
                                                0x00404087
                                                0x00404093
                                                0x0040409a
                                                0x00000000
                                                0x00403de6
                                                0x00403de6
                                                0x00403de9
                                                0x00403e1c
                                                0x00403e1c
                                                0x00403e1e
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403e1e
                                                0x00403deb
                                                0x00403def

                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C5A
                                                • ShowWindow.USER32(?), ref: 00403C77
                                                • DestroyWindow.USER32 ref: 00403C8B
                                                • SetWindowLongW.USER32 ref: 00403CA7
                                                • GetDlgItem.USER32 ref: 00403CC8
                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CDC
                                                • IsWindowEnabled.USER32(00000000), ref: 00403CE3
                                                • GetDlgItem.USER32 ref: 00403D91
                                                • GetDlgItem.USER32 ref: 00403D9B
                                                • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00403DB5
                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E06
                                                • GetDlgItem.USER32 ref: 00403EAC
                                                • ShowWindow.USER32(00000000,?), ref: 00403ECD
                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403EDF
                                                • EnableWindow.USER32(?,?), ref: 00403EFA
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F10
                                                • EnableMenuItem.USER32 ref: 00403F17
                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F2F
                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F42
                                                • lstrlenW.KERNEL32(007A1F40,?,007A1F40,Ottomans Setup), ref: 00403F6B
                                                • SetWindowTextW.USER32(?,007A1F40), ref: 00403F7F
                                                • ShowWindow.USER32(?,0000000A), ref: 004040B3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
                                                • String ID: Ottomans Setup
                                                • API String ID: 3906175533-168369568
                                                • Opcode ID: 426f01107b3485b81cd68b564b608a380621adfe565edd953016c1e22f2525a4
                                                • Instruction ID: cca83e8e3ea8fbb2d4c878b4d098dd65b90ea533b8cc41e08898a63a3c4fefdb
                                                • Opcode Fuzzy Hash: 426f01107b3485b81cd68b564b608a380621adfe565edd953016c1e22f2525a4
                                                • Instruction Fuzzy Hash: FFC1BE71504204AFDB20AF61ED84E2B7BA8EB86745F00893EF641B11F0CB3D9952DB5E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 404 40387b-403893 call 406408 407 403895-4038a5 call 405f79 404->407 408 4038a7-4038de call 405eff 404->408 415 403901-40392a call 403b51 call 405aee 407->415 413 4038e0-4038f1 call 405eff 408->413 414 4038f6-4038fc lstrcatW 408->414 413->414 414->415 422 403930-403935 415->422 423 4039bc-4039c4 call 405aee 415->423 422->423 424 40393b-403963 call 405eff 422->424 429 4039d2-4039f7 LoadImageW 423->429 430 4039c6-4039cd call 406054 423->430 424->423 431 403965-403969 424->431 433 403a78-403a80 call 40140b 429->433 434 4039f9-403a29 RegisterClassW 429->434 430->429 436 40397b-403987 lstrlenW 431->436 437 40396b-403978 call 405a13 431->437 446 403a82-403a85 433->446 447 403a8a-403a95 call 403b51 433->447 438 403b47 434->438 439 403a2f-403a73 SystemParametersInfoW CreateWindowExW 434->439 443 403989-403997 lstrcmpiW 436->443 444 4039af-4039b7 call 4059e6 call 406032 436->444 437->436 442 403b49-403b50 438->442 439->433 443->444 445 403999-4039a3 GetFileAttributesW 443->445 444->423 450 4039a5-4039a7 445->450 451 4039a9-4039aa call 405a32 445->451 446->442 457 403a9b-403ab5 ShowWindow call 40639c 447->457 458 403b1e-403b1f call 405264 447->458 450->444 450->451 451->444 465 403ac1-403ad3 GetClassInfoW 457->465 466 403ab7-403abc call 40639c 457->466 461 403b24-403b26 458->461 463 403b40-403b42 call 40140b 461->463 464 403b28-403b2e 461->464 463->438 464->446 467 403b34-403b3b call 40140b 464->467 470 403ad5-403ae5 GetClassInfoW RegisterClassW 465->470 471 403aeb-403b0e DialogBoxParamW call 40140b 465->471 466->465 467->446 470->471 474 403b13-403b1c call 4037cb 471->474 474->442
                                                C-Code - Quality: 96%
                                                			E0040387B(void* __eflags) {
                                                				intOrPtr _v4;
                                                				intOrPtr _v8;
                                                				int _v12;
                                                				void _v16;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr* _t22;
                                                				void* _t30;
                                                				void* _t32;
                                                				int _t33;
                                                				void* _t36;
                                                				int _t39;
                                                				int _t40;
                                                				intOrPtr _t41;
                                                				int _t44;
                                                				short _t63;
                                                				WCHAR* _t65;
                                                				signed char _t69;
                                                				WCHAR* _t76;
                                                				intOrPtr _t82;
                                                				WCHAR* _t87;
                                                
                                                				_t82 =  *0x7a8a50;
                                                				_t22 = E00406408(2);
                                                				_t90 = _t22;
                                                				if(_t22 == 0) {
                                                					_t76 = 0x7a1f40;
                                                					L"1033" = 0x30;
                                                					 *0x7b5002 = 0x78;
                                                					 *0x7b5004 = 0;
                                                					E00405EFF(0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f40, 0);
                                                					__eflags =  *0x7a1f40;
                                                					if(__eflags == 0) {
                                                						E00405EFF(0x80000003, L".DEFAULT\\Control Panel\\International",  &M0040838C, 0x7a1f40, 0);
                                                					}
                                                					lstrcatW(L"1033", _t76);
                                                				} else {
                                                					E00405F79(L"1033",  *_t22() & 0x0000ffff);
                                                				}
                                                				E00403B51(_t78, _t90);
                                                				_t86 = L"C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis";
                                                				 *0x7a8ac0 =  *0x7a8a58 & 0x00000020;
                                                				 *0x7a8adc = 0x10000;
                                                				if(E00405AEE(_t90, L"C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis") != 0) {
                                                					L16:
                                                					if(E00405AEE(_t98, _t86) == 0) {
                                                						E00406054(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
                                                					}
                                                					_t30 = LoadImageW( *0x7a8a40, 0x67, 1, 0, 0, 0x8040); // executed
                                                					 *0x7a7a28 = _t30;
                                                					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                                                						L21:
                                                						if(E0040140B(0) == 0) {
                                                							_t32 = E00403B51(_t78, __eflags);
                                                							__eflags =  *0x7a8ae0;
                                                							if( *0x7a8ae0 != 0) {
                                                								_t33 = E00405264(_t32, 0);
                                                								__eflags = _t33;
                                                								if(_t33 == 0) {
                                                									E0040140B(1);
                                                									goto L33;
                                                								}
                                                								__eflags =  *0x7a7a0c; // 0x0
                                                								if(__eflags == 0) {
                                                									E0040140B(2);
                                                								}
                                                								goto L22;
                                                							}
                                                							ShowWindow( *0x7a1f20, 5); // executed
                                                							_t39 = E0040639C("RichEd20"); // executed
                                                							__eflags = _t39;
                                                							if(_t39 == 0) {
                                                								E0040639C("RichEd32");
                                                							}
                                                							_t87 = L"RichEdit20W";
                                                							_t40 = GetClassInfoW(0, _t87, 0x7a79e0);
                                                							__eflags = _t40;
                                                							if(_t40 == 0) {
                                                								GetClassInfoW(0, L"RichEdit", 0x7a79e0);
                                                								 *0x7a7a04 = _t87;
                                                								RegisterClassW(0x7a79e0);
                                                							}
                                                							_t41 =  *0x7a7a20; // 0x0
                                                							_t44 = DialogBoxParamW( *0x7a8a40, _t41 + 0x00000069 & 0x0000ffff, 0, E00403C1E, 0); // executed
                                                							E004037CB(E0040140B(5), 1);
                                                							return _t44;
                                                						}
                                                						L22:
                                                						_t36 = 2;
                                                						return _t36;
                                                					} else {
                                                						_t78 =  *0x7a8a40;
                                                						 *0x7a79e4 = E00401000;
                                                						 *0x7a79f0 =  *0x7a8a40;
                                                						 *0x7a79f4 = _t30;
                                                						 *0x7a7a04 = 0x40a3a0;
                                                						if(RegisterClassW(0x7a79e0) == 0) {
                                                							L33:
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                                                						 *0x7a1f20 = CreateWindowExW(0x80, 0x40a3a0, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8a40, 0);
                                                						goto L21;
                                                					}
                                                				} else {
                                                					_t78 =  *(_t82 + 0x48);
                                                					if( *(_t82 + 0x48) == 0) {
                                                						goto L16;
                                                					}
                                                					_t76 = 0x7a69e0;
                                                					E00405EFF( *((intOrPtr*)(_t82 + 0x44)),  *0x7a8a78 + _t78 * 2,  *0x7a8a78 +  *(_t82 + 0x4c) * 2, 0x7a69e0, 0);
                                                					_t63 =  *0x7a69e0; // 0x45
                                                					if(_t63 == 0) {
                                                						goto L16;
                                                					}
                                                					if(_t63 == 0x22) {
                                                						_t76 = 0x7a69e2;
                                                						 *((short*)(E00405A13(0x7a69e2, 0x22))) = 0;
                                                					}
                                                					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                                                					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                                                						L15:
                                                						E00406032(_t86, E004059E6(_t76));
                                                						goto L16;
                                                					} else {
                                                						_t69 = GetFileAttributesW(_t76);
                                                						if(_t69 == 0xffffffff) {
                                                							L14:
                                                							E00405A32(_t76);
                                                							goto L15;
                                                						}
                                                						_t98 = _t69 & 0x00000010;
                                                						if((_t69 & 0x00000010) != 0) {
                                                							goto L15;
                                                						}
                                                						goto L14;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                  • Part of subcall function 00406408: GetModuleHandleA.KERNEL32(?,?,00000020,004032E9,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040641A
                                                  • Part of subcall function 00406408: GetProcAddress.KERNEL32(00000000,?), ref: 00406435
                                                • lstrcatW.KERNEL32(1033,007A1F40), ref: 004038FC
                                                • lstrlenW.KERNEL32(ExecToStack,?,?,?,ExecToStack,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis,1033,007A1F40,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F40,00000000,00000002,766DFAA0), ref: 0040397C
                                                • lstrcmpiW.KERNEL32(?,.exe,ExecToStack,?,?,?,ExecToStack,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis,1033,007A1F40,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F40,00000000), ref: 0040398F
                                                • GetFileAttributesW.KERNEL32(ExecToStack), ref: 0040399A
                                                • LoadImageW.USER32 ref: 004039E3
                                                  • Part of subcall function 00405F79: wsprintfW.USER32 ref: 00405F86
                                                • RegisterClassW.USER32 ref: 00403A20
                                                • SystemParametersInfoW.USER32 ref: 00403A38
                                                • CreateWindowExW.USER32 ref: 00403A6D
                                                • ShowWindow.USER32(00000005,00000000), ref: 00403AA3
                                                • GetClassInfoW.USER32 ref: 00403ACF
                                                • GetClassInfoW.USER32 ref: 00403ADC
                                                • RegisterClassW.USER32 ref: 00403AE5
                                                • DialogBoxParamW.USER32 ref: 00403B04
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis$Control Panel\Desktop\ResourceLocale$ExecToStack$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$yz
                                                • API String ID: 1975747703-1721108968
                                                • Opcode ID: d6a2569dce1583fa4271488535ea6afbb2ec52d86251b0d01a743b5b25147845
                                                • Instruction ID: b5c0bd5baa1962433b8b11afb21299241a1e412529c89f65b595a7484f15debb
                                                • Opcode Fuzzy Hash: d6a2569dce1583fa4271488535ea6afbb2ec52d86251b0d01a743b5b25147845
                                                • Instruction Fuzzy Hash: E761A570240600AED620BF669D46F2B3A6CEBC5B45F40857FF941B22E2DB7C9901CB6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 679 402dee-402e3c GetTickCount GetModuleFileNameW call 405c07 682 402e48-402e76 call 406032 call 405a32 call 406032 GetFileSize 679->682 683 402e3e-402e43 679->683 691 402f63-402f71 call 402d8a 682->691 692 402e7c 682->692 684 403020-403024 683->684 698 402f73-402f76 691->698 699 402fc6-402fcb 691->699 694 402e81-402e98 692->694 696 402e9a 694->696 697 402e9c-402ea5 call 40321f 694->697 696->697 705 402eab-402eb2 697->705 706 402fcd-402fd5 call 402d8a 697->706 701 402f78-402f90 call 403235 call 40321f 698->701 702 402f9a-402fc4 GlobalAlloc call 403235 call 403027 698->702 699->684 701->699 725 402f92-402f98 701->725 702->699 730 402fd7-402fe8 702->730 710 402eb4-402ec8 call 405bc2 705->710 711 402f2e-402f32 705->711 706->699 716 402f3c-402f42 710->716 728 402eca-402ed1 710->728 715 402f34-402f3b call 402d8a 711->715 711->716 715->716 721 402f51-402f5b 716->721 722 402f44-402f4e call 4064b9 716->722 721->694 729 402f61 721->729 722->721 725->699 725->702 728->716 734 402ed3-402eda 728->734 729->691 731 402ff0-402ff5 730->731 732 402fea 730->732 735 402ff6-402ffc 731->735 732->731 734->716 736 402edc-402ee3 734->736 735->735 738 402ffe-403019 SetFilePointer call 405bc2 735->738 736->716 737 402ee5-402eec 736->737 737->716 739 402eee-402f0e 737->739 742 40301e 738->742 739->699 741 402f14-402f18 739->741 743 402f20-402f28 741->743 744 402f1a-402f1e 741->744 742->684 743->716 745 402f2a-402f2c 743->745 744->729 744->743 745->716
                                                C-Code - Quality: 80%
                                                			E00402DEE(void* __eflags, signed int _a4) {
                                                				DWORD* _v8;
                                                				DWORD* _v12;
                                                				void* _v16;
                                                				intOrPtr _v20;
                                                				long _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				intOrPtr _v36;
                                                				intOrPtr _v40;
                                                				signed int _v44;
                                                				long _t43;
                                                				signed int _t50;
                                                				void* _t53;
                                                				void* _t57;
                                                				intOrPtr* _t59;
                                                				long _t60;
                                                				signed int _t65;
                                                				signed int _t70;
                                                				signed int _t71;
                                                				signed int _t77;
                                                				intOrPtr _t80;
                                                				long _t82;
                                                				signed int _t85;
                                                				signed int _t87;
                                                				void* _t89;
                                                				signed int _t90;
                                                				signed int _t93;
                                                				void* _t94;
                                                
                                                				_t82 = 0;
                                                				_v12 = 0;
                                                				_v8 = 0;
                                                				_t43 = GetTickCount();
                                                				_t91 = L"C:\\Users\\alfons\\Desktop\\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe";
                                                				 *0x7a8a4c = _t43 + 0x3e8;
                                                				GetModuleFileNameW(0, L"C:\\Users\\alfons\\Desktop\\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe", 0x400);
                                                				_t89 = E00405C07(_t91, 0x80000000, 3);
                                                				_v16 = _t89;
                                                				 *0x40a018 = _t89;
                                                				if(_t89 == 0xffffffff) {
                                                					return L"Error launching installer";
                                                				}
                                                				_t92 = L"C:\\Users\\alfons\\Desktop";
                                                				E00406032(L"C:\\Users\\alfons\\Desktop", _t91);
                                                				E00406032(0x7b7000, E00405A32(_t92));
                                                				_t50 = GetFileSize(_t89, 0);
                                                				__eflags = _t50;
                                                				 *0x7976fc = _t50;
                                                				_t93 = _t50;
                                                				if(_t50 <= 0) {
                                                					L24:
                                                					E00402D8A(1);
                                                					__eflags =  *0x7a8a54 - _t82;
                                                					if( *0x7a8a54 == _t82) {
                                                						goto L29;
                                                					}
                                                					__eflags = _v8 - _t82;
                                                					if(_v8 == _t82) {
                                                						L28:
                                                						_t53 = GlobalAlloc(0x40, _v24); // executed
                                                						_t94 = _t53;
                                                						E00403235( *0x7a8a54 + 0x1c);
                                                						_push(_v24);
                                                						_push(_t94);
                                                						_push(_t82);
                                                						_push(0xffffffff); // executed
                                                						_t57 = E00403027(); // executed
                                                						__eflags = _t57 - _v24;
                                                						if(_t57 == _v24) {
                                                							__eflags = _v44 & 0x00000001;
                                                							 *0x7a8a50 = _t94;
                                                							 *0x7a8a58 =  *_t94;
                                                							if((_v44 & 0x00000001) != 0) {
                                                								 *0x7a8a5c =  *0x7a8a5c + 1;
                                                								__eflags =  *0x7a8a5c;
                                                							}
                                                							_t40 = _t94 + 0x44; // 0x44
                                                							_t59 = _t40;
                                                							_t85 = 8;
                                                							do {
                                                								_t59 = _t59 - 8;
                                                								 *_t59 =  *_t59 + _t94;
                                                								_t85 = _t85 - 1;
                                                								__eflags = _t85;
                                                							} while (_t85 != 0);
                                                							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                							 *(_t94 + 0x3c) = _t60;
                                                							E00405BC2(0x7a8a60, _t94 + 4, 0x40);
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						goto L29;
                                                					}
                                                					E00403235( *0x78b6f4);
                                                					_t65 = E0040321F( &_a4, 4);
                                                					__eflags = _t65;
                                                					if(_t65 == 0) {
                                                						goto L29;
                                                					}
                                                					__eflags = _v12 - _a4;
                                                					if(_v12 != _a4) {
                                                						goto L29;
                                                					}
                                                					goto L28;
                                                				} else {
                                                					do {
                                                						_t90 = _t93;
                                                						asm("sbb eax, eax");
                                                						_t70 = ( ~( *0x7a8a54) & 0x00007e00) + 0x200;
                                                						__eflags = _t93 - _t70;
                                                						if(_t93 >= _t70) {
                                                							_t90 = _t70;
                                                						}
                                                						_t71 = E0040321F(0x797700, _t90);
                                                						__eflags = _t71;
                                                						if(_t71 == 0) {
                                                							E00402D8A(1);
                                                							L29:
                                                							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                						}
                                                						__eflags =  *0x7a8a54;
                                                						if( *0x7a8a54 != 0) {
                                                							__eflags = _a4 & 0x00000002;
                                                							if((_a4 & 0x00000002) == 0) {
                                                								E00402D8A(0);
                                                							}
                                                							goto L20;
                                                						}
                                                						E00405BC2( &_v44, 0x797700, 0x1c);
                                                						_t77 = _v44;
                                                						__eflags = _t77 & 0xfffffff0;
                                                						if((_t77 & 0xfffffff0) != 0) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v40 - 0xdeadbeef;
                                                						if(_v40 != 0xdeadbeef) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v28 - 0x74736e49;
                                                						if(_v28 != 0x74736e49) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v32 - 0x74666f73;
                                                						if(_v32 != 0x74666f73) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v36 - 0x6c6c754e;
                                                						if(_v36 != 0x6c6c754e) {
                                                							goto L20;
                                                						}
                                                						_a4 = _a4 | _t77;
                                                						_t87 =  *0x78b6f4; // 0x22f40
                                                						 *0x7a8ae0 =  *0x7a8ae0 | _a4 & 0x00000002;
                                                						_t80 = _v20;
                                                						__eflags = _t80 - _t93;
                                                						 *0x7a8a54 = _t87;
                                                						if(_t80 > _t93) {
                                                							goto L29;
                                                						}
                                                						__eflags = _a4 & 0x00000008;
                                                						if((_a4 & 0x00000008) != 0) {
                                                							L16:
                                                							_v8 = _v8 + 1;
                                                							_t93 = _t80 - 4;
                                                							__eflags = _t90 - _t93;
                                                							if(_t90 > _t93) {
                                                								_t90 = _t93;
                                                							}
                                                							goto L20;
                                                						}
                                                						__eflags = _a4 & 0x00000004;
                                                						if((_a4 & 0x00000004) != 0) {
                                                							break;
                                                						}
                                                						goto L16;
                                                						L20:
                                                						__eflags = _t93 -  *0x7976fc; // 0x23628
                                                						if(__eflags < 0) {
                                                							_v12 = E004064B9(_v12, 0x797700, _t90);
                                                						}
                                                						 *0x78b6f4 =  *0x78b6f4 + _t90;
                                                						_t93 = _t93 - _t90;
                                                						__eflags = _t93;
                                                					} while (_t93 > 0);
                                                					_t82 = 0;
                                                					__eflags = 0;
                                                					goto L24;
                                                				}
                                                			}

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00402DFF
                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe,00000400,?,?,00000000,00403517,?), ref: 00402E1B
                                                  • Part of subcall function 00405C07: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405C0B
                                                  • Part of subcall function 00405C07: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403517,?), ref: 00405C2D
                                                • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00402E67
                                                Strings
                                                • soft, xrefs: 00402EDC
                                                • Null, xrefs: 00402EE5
                                                • Error launching installer, xrefs: 00402E3E
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
                                                • C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
                                                • Inst, xrefs: 00402ED3
                                                • "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" , xrefs: 00402DF4
                                                • C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, xrefs: 00402E05, 00402E14, 00402E28, 00402E48
                                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                • API String ID: 4283519449-3504183816
                                                • Opcode ID: 2249d346c310f13e90e060258289ef97018bdecfafda78b47c803c2d5af002aa
                                                • Instruction ID: ab97cff943281949067decbc104515b53a1facb94f92f7dd678b53d189ae88d2
                                                • Opcode Fuzzy Hash: 2249d346c310f13e90e060258289ef97018bdecfafda78b47c803c2d5af002aa
                                                • Instruction Fuzzy Hash: 6351F671940206ABCB109F65DE49B9E7BB8FB15394F20813BF904B62C1D7BC9D809B5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                C-Code - Quality: 61%
                                                			E00401767(FILETIME* __ebx, void* __eflags) {
                                                				void* __edi;
                                                				void* _t35;
                                                				void* _t43;
                                                				void* _t45;
                                                				FILETIME* _t51;
                                                				FILETIME* _t64;
                                                				void* _t66;
                                                				signed int _t72;
                                                				FILETIME* _t73;
                                                				FILETIME* _t77;
                                                				signed int _t79;
                                                				void* _t81;
                                                				void* _t82;
                                                				WCHAR* _t84;
                                                				void* _t86;
                                                
                                                				_t77 = __ebx;
                                                				 *(_t86 - 0xc) = E00402BBF(0x31);
                                                				 *(_t86 + 8) =  *(_t86 - 0x2c) & 0x00000007;
                                                				_t35 = E00405A5D( *(_t86 - 0xc));
                                                				_push( *(_t86 - 0xc));
                                                				_t84 = L"ExecToStack";
                                                				if(_t35 == 0) {
                                                					lstrcatW(E004059E6(E00406032(_t84, L"C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis\\Sekstal")), ??);
                                                				} else {
                                                					E00406032();
                                                				}
                                                				E004062C6(_t84);
                                                				while(1) {
                                                					__eflags =  *(_t86 + 8) - 3;
                                                					if( *(_t86 + 8) >= 3) {
                                                						_t66 = E00406375(_t84);
                                                						_t79 = 0;
                                                						__eflags = _t66 - _t77;
                                                						if(_t66 != _t77) {
                                                							_t73 = _t66 + 0x14;
                                                							__eflags = _t73;
                                                							_t79 = CompareFileTime(_t73, _t86 - 0x20);
                                                						}
                                                						asm("sbb eax, eax");
                                                						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                                						__eflags = _t72;
                                                						 *(_t86 + 8) = _t72;
                                                					}
                                                					__eflags =  *(_t86 + 8) - _t77;
                                                					if( *(_t86 + 8) == _t77) {
                                                						E00405BE2(_t84);
                                                					}
                                                					__eflags =  *(_t86 + 8) - 1;
                                                					_t43 = E00405C07(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                                                					__eflags = _t43 - 0xffffffff;
                                                					 *(_t86 - 8) = _t43;
                                                					if(_t43 != 0xffffffff) {
                                                						break;
                                                					}
                                                					__eflags =  *(_t86 + 8) - _t77;
                                                					if( *(_t86 + 8) != _t77) {
                                                						E00405191(0xffffffe2,  *(_t86 - 0xc));
                                                						__eflags =  *(_t86 + 8) - 2;
                                                						if(__eflags == 0) {
                                                							 *((intOrPtr*)(_t86 - 4)) = 1;
                                                						}
                                                						L31:
                                                						 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t86 - 4));
                                                						__eflags =  *0x7a8ac8;
                                                						goto L32;
                                                					} else {
                                                						E00406032("C:\Users\alfons\AppData\Local\Temp\nsl3A9A.tmp", _t81);
                                                						E00406032(_t81, _t84);
                                                						E00406054(_t77, _t81, _t84, "C:\Users\alfons\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll",  *((intOrPtr*)(_t86 - 0x18)));
                                                						E00406032(_t81, "C:\Users\alfons\AppData\Local\Temp\nsl3A9A.tmp");
                                                						_t64 = E00405777("C:\Users\alfons\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll",  *(_t86 - 0x2c) >> 3) - 4;
                                                						__eflags = _t64;
                                                						if(_t64 == 0) {
                                                							continue;
                                                						} else {
                                                							__eflags = _t64 == 1;
                                                							if(_t64 == 1) {
                                                								 *0x7a8ac8 =  &( *0x7a8ac8->dwLowDateTime);
                                                								L32:
                                                								_t51 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								_push(_t84);
                                                								_push(0xfffffffa);
                                                								E00405191();
                                                								L29:
                                                								_t51 = 0x7fffffff;
                                                							}
                                                						}
                                                					}
                                                					L33:
                                                					return _t51;
                                                				}
                                                				E00405191(0xffffffea,  *(_t86 - 0xc));
                                                				 *0x7a8af4 =  *0x7a8af4 + 1;
                                                				_push(_t77);
                                                				_push(_t77);
                                                				_push( *(_t86 - 8));
                                                				_push( *((intOrPtr*)(_t86 - 0x24)));
                                                				_t45 = E00403027(); // executed
                                                				 *0x7a8af4 =  *0x7a8af4 - 1;
                                                				__eflags =  *(_t86 - 0x20) - 0xffffffff;
                                                				_t82 = _t45;
                                                				if( *(_t86 - 0x20) != 0xffffffff) {
                                                					L22:
                                                					SetFileTime( *(_t86 - 8), _t86 - 0x20, _t77, _t86 - 0x20); // executed
                                                				} else {
                                                					__eflags =  *((intOrPtr*)(_t86 - 0x1c)) - 0xffffffff;
                                                					if( *((intOrPtr*)(_t86 - 0x1c)) != 0xffffffff) {
                                                						goto L22;
                                                					}
                                                				}
                                                				CloseHandle( *(_t86 - 8));
                                                				__eflags = _t82 - _t77;
                                                				if(_t82 >= _t77) {
                                                					goto L31;
                                                				} else {
                                                					__eflags = _t82 - 0xfffffffe;
                                                					if(_t82 != 0xfffffffe) {
                                                						E00406054(_t77, _t82, _t84, _t84, 0xffffffee);
                                                					} else {
                                                						E00406054(_t77, _t82, _t84, _t84, 0xffffffe9);
                                                						lstrcatW(_t84,  *(_t86 - 0xc));
                                                					}
                                                					_push(0x200010);
                                                					_push(_t84);
                                                					E00405777();
                                                					goto L29;
                                                				}
                                                				goto L33;
                                                			}

                                                APIs
                                                • lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
                                                • CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Sekstal,?,?,00000031), ref: 004017CD
                                                  • Part of subcall function 00406032: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,0040332D,Ottomans Setup,NSIS Error), ref: 0040603F
                                                  • Part of subcall function 00405191: lstrlenW.KERNEL32(007A0F20,00000000,007924F8,766DEA30,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C9
                                                  • Part of subcall function 00405191: lstrlenW.KERNEL32(00403168,007A0F20,00000000,007924F8,766DEA30,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D9
                                                  • Part of subcall function 00405191: lstrcatW.KERNEL32(007A0F20,00403168), ref: 004051EC
                                                  • Part of subcall function 00405191: SetWindowTextW.USER32(007A0F20,007A0F20), ref: 004051FE
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405224
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523E
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp$C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Sekstal$ExecToStack
                                                • API String ID: 1941528284-1976044234
                                                • Opcode ID: f68a6b2c34e2433bc227599e278aafb616f0a180d0c639fbdfc3b46ee5da03b6
                                                • Instruction ID: 9699be85dc7bc18e029f6e3bff89e0f5bb762e6a6aa9adbfdaf5ed0cd7dffae0
                                                • Opcode Fuzzy Hash: f68a6b2c34e2433bc227599e278aafb616f0a180d0c639fbdfc3b46ee5da03b6
                                                • Instruction Fuzzy Hash: A341D571940515BBCF10BBB5CC46DAF3679EF06369B20823BF122B10E1DB3C8A519A6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                C-Code - Quality: 83%
                                                			E004025E5(intOrPtr __ebx, void* __esi) {
                                                				intOrPtr _t64;
                                                				intOrPtr _t65;
                                                				void* _t73;
                                                				void* _t76;
                                                
                                                				 *((intOrPtr*)(_t73 - 0xc)) = __ebx;
                                                				_t64 = 2;
                                                				 *((intOrPtr*)(_t73 - 0x3c)) = _t64;
                                                				_t65 = E00402BA2(_t64);
                                                				_t76 = _t65 - 1;
                                                				 *((intOrPtr*)(_t73 - 0x48)) = _t65;
                                                				if(_t76 < 0) {
                                                					L36:
                                                					 *0x7a8ac8 =  *0x7a8ac8 +  *(_t73 - 4);
                                                				} else {
                                                					__ecx = 0x3ff;
                                                					if(__eax > 0x3ff) {
                                                						 *(__ebp - 0x48) = 0x3ff;
                                                					}
                                                					if( *__esi == __bx) {
                                                						L34:
                                                						__ecx =  *(__ebp - 0x10);
                                                						__eax =  *(__ebp - 0xc);
                                                						 *( *(__ebp - 0x10) +  *(__ebp - 0xc) * 2) = __bx;
                                                						if(_t76 == 0) {
                                                							 *(_t73 - 4) = 1;
                                                						}
                                                						goto L36;
                                                					} else {
                                                						 *(__ebp - 8) = __ebx;
                                                						 *(__ebp - 0x14) = E00405F92(__ecx, __esi);
                                                						if( *(__ebp - 0x48) > __ebx) {
                                                							do {
                                                								if( *((intOrPtr*)(__ebp - 0x30)) != 0x39) {
                                                									if( *((intOrPtr*)(__ebp - 0x20)) != __ebx ||  *(__ebp - 0xc) != __ebx || E00405CE8( *(__ebp - 0x14), __ebx) >= 0) {
                                                										__eax = __ebp - 0x40;
                                                										if(E00405C8A( *(__ebp - 0x14), __ebp - 0x40, 2) == 0) {
                                                											goto L34;
                                                										} else {
                                                											goto L21;
                                                										}
                                                									} else {
                                                										goto L34;
                                                									}
                                                								} else {
                                                									__eax = __ebp - 0x38;
                                                									_push(__ebx);
                                                									_push(__ebp - 0x38);
                                                									__eax = 2;
                                                									__ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x20)) = __ebp + 0xa;
                                                									__eax = ReadFile( *(__ebp - 0x14), __ebp + 0xa, __ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x20)), ??, ??); // executed
                                                									if(__eax == 0) {
                                                										goto L34;
                                                									} else {
                                                										__ecx =  *(__ebp - 0x38);
                                                										if(__ecx == __ebx) {
                                                											goto L34;
                                                										} else {
                                                											__ax =  *(__ebp + 0xa) & 0x000000ff;
                                                											 *(__ebp - 0x3c) = __ecx;
                                                											 *(__ebp - 0x40) = __eax;
                                                											if( *((intOrPtr*)(__ebp - 0x20)) != __ebx) {
                                                												L28:
                                                												__ax & 0x0000ffff = E00405F79( *(__ebp - 0x10), __ax & 0x0000ffff);
                                                											} else {
                                                												__ebp - 0x40 = __ebp + 0xa;
                                                												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x40, 1) != 0) {
                                                													L21:
                                                													__eax =  *(__ebp - 0x40);
                                                												} else {
                                                													__esi =  *(__ebp - 0x3c);
                                                													__esi =  ~( *(__ebp - 0x3c));
                                                													while(1) {
                                                														_t21 = __ebp - 0x38;
                                                														 *_t21 =  *(__ebp - 0x38) - 1;
                                                														__eax = 0xfffd;
                                                														 *(__ebp - 0x40) = 0xfffd;
                                                														if( *_t21 == 0) {
                                                															goto L22;
                                                														}
                                                														 *(__ebp - 0x3c) =  *(__ebp - 0x3c) - 1;
                                                														__esi = __esi + 1;
                                                														__eax = SetFilePointer( *(__ebp - 0x14), __esi, __ebx, 1); // executed
                                                														__ebp - 0x40 = __ebp + 0xa;
                                                														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x38), __ebp - 0x40, 1) == 0) {
                                                															continue;
                                                														} else {
                                                															goto L21;
                                                														}
                                                														goto L22;
                                                													}
                                                												}
                                                												L22:
                                                												if( *((intOrPtr*)(__ebp - 0x20)) != __ebx) {
                                                													goto L28;
                                                												} else {
                                                													if( *(__ebp - 8) == 0xd ||  *(__ebp - 8) == 0xa) {
                                                														if( *(__ebp - 8) == __ax || __ax != 0xd && __ax != 0xa) {
                                                															 *(__ebp - 0x3c) =  ~( *(__ebp - 0x3c));
                                                															__eax = SetFilePointer( *(__ebp - 0x14),  ~( *(__ebp - 0x3c)), __ebx, 1);
                                                														} else {
                                                															__ecx =  *(__ebp - 0x10);
                                                															 *(__ebp - 0xc) =  *(__ebp - 0xc) + 1;
                                                															 *( *(__ebp - 0x10) +  *(__ebp - 0xc) * 2) = __ax;
                                                														}
                                                														goto L34;
                                                													} else {
                                                														__ecx =  *(__ebp - 0x10);
                                                														 *(__ebp - 0xc) =  *(__ebp - 0xc) + 1;
                                                														 *( *(__ebp - 0x10) +  *(__ebp - 0xc) * 2) = __ax;
                                                														 *(__ebp - 8) = __eax;
                                                														if(__ax == __bx) {
                                                															goto L34;
                                                														} else {
                                                															goto L26;
                                                														}
                                                													}
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                								goto L37;
                                                								L26:
                                                								__eax =  *(__ebp - 0xc);
                                                							} while ( *(__ebp - 0xc) <  *(__ebp - 0x48));
                                                						}
                                                						goto L34;
                                                					}
                                                				}
                                                				L37:
                                                				return 0;
			}

                                                APIs
                                                • ReadFile.KERNELBASE(?,?,?,?), ref: 0040264D
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
                                                • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
                                                  • Part of subcall function 00405CE8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,?,004025CA,00000000,00000000,?,00000000,00000011), ref: 00405CFE
                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: File$Pointer$ByteCharMultiWide$Read
                                                • String ID: 9
                                                • API String ID: 163830602-2366072709
                                                • Opcode ID: 1d16e4b4e9071ee1365a26ee0af684b72516ff45d02c382df6d476000192f948
                                                • Instruction ID: ba8ec8e77c4dae38fecb7239611b9da649e1c788ef9a4e56db7abbfefa36dde0
                                                • Opcode Fuzzy Hash: 1d16e4b4e9071ee1365a26ee0af684b72516ff45d02c382df6d476000192f948
                                                • Instruction Fuzzy Hash: A1512874D00219AADF209F94CA88ABEB779FF04344F50447BE501B72D0DBB999429B69
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (basic-block graph for E00405191, 405191-405261; executed and not-executed blocks)
                                                C-Code - Quality: 100%
                                                			E00405191(signed int _a4, WCHAR* _a8) {
                                                				struct HWND__* _v8;
                                                				signed int _v12;
                                                				WCHAR* _v32;
                                                				long _v44;
                                                				int _v48;
                                                				void* _v52;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				WCHAR* _t27;
                                                				signed int _t28;
                                                				long _t29;
                                                				signed int _t37;
                                                				signed int _t38;
                                                
                                                				_t27 =  *0x7a7a24; // 0x103d4
                                                				_v8 = _t27;
                                                				if(_t27 != 0) {
                                                					_t37 =  *0x7a8af4;
                                                					_v12 = _t37;
                                                					_t38 = _t37 & 0x00000001;
                                                					if(_t38 == 0) {
                                                						E00406054(_t38, 0, 0x7a0f20, 0x7a0f20, _a4);
                                                					}
                                                					_t27 = lstrlenW(0x7a0f20);
                                                					_a4 = _t27;
                                                					if(_a8 == 0) {
                                                						L6:
                                                						if((_v12 & 0x00000004) == 0) {
                                                							_t27 = SetWindowTextW( *0x7a7a08, 0x7a0f20); // executed
                                                						}
                                                						if((_v12 & 0x00000002) == 0) {
                                                							_v32 = 0x7a0f20;
                                                							_v52 = 1;
                                                							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
                                                							_v44 = 0;
                                                							_v48 = _t29 - _t38;
                                                							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
                                                							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
                                                						}
                                                						if(_t38 != 0) {
                                                							_t28 = _a4;
                                                							0x7a0f20[_t28] = 0;
                                                							return _t28;
                                                						}
                                                					} else {
                                                						_t27 = lstrlenW(_a8) + _a4;
                                                						if(_t27 < 0x1000) {
                                                							_t27 = lstrcatW(0x7a0f20, _a8);
                                                							goto L6;
                                                						}
                                                					}
                                                				}
                                                				return _t27;
			}

                                                APIs
                                                • lstrlenW.KERNEL32(007A0F20,00000000,007924F8,766DEA30,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C9
                                                • lstrlenW.KERNEL32(00403168,007A0F20,00000000,007924F8,766DEA30,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D9
                                                • lstrcatW.KERNEL32(007A0F20,00403168), ref: 004051EC
                                                • SetWindowTextW.USER32(007A0F20,007A0F20), ref: 004051FE
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405224
                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523E
                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                • String ID:
                                                • API String ID: 2531174081-0
                                                • Opcode ID: 1195aa0cb1608473c7f4939b13196918cf4c2ab7f0875985e493b2af82bd967e
                                                • Instruction ID: 239aa3d806fe655a10670de66778763bf8aa2df942fa5917c93f0fd796d6fb5a
                                                • Opcode Fuzzy Hash: 1195aa0cb1608473c7f4939b13196918cf4c2ab7f0875985e493b2af82bd967e
                                                • Instruction Fuzzy Hash: 6E21A171900518BACF119FA5DD849CFBFB9EF85354F10806AF904B6291D7794A50CF98
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph (basic-block graph for E00401D56, 401d56-401dd7; executed and not-executed blocks)
                                                C-Code - Quality: 71%
                                                			E00401D56() {
                                                				void* __esi;
                                                				int _t7;
                                                				signed char _t13;
                                                				struct HFONT__* _t16;
                                                				void* _t20;
                                                				struct HDC__* _t26;
                                                				void* _t28;
                                                				void* _t30;
                                                
                                                				_t26 = GetDC( *(_t30 - 0xc));
                                                				_t7 = GetDeviceCaps(_t26, 0x5a);
                                                				0x40cdd0->lfHeight =  ~(MulDiv(E00402BA2(2), _t7, 0x48));
                                                				ReleaseDC( *(_t30 - 0xc), _t26);
                                                				 *0x40cde0 = E00402BA2(3);
                                                				_t13 =  *((intOrPtr*)(_t30 - 0x1c));
                                                				 *0x40cde7 = 1;
                                                				 *0x40cde4 = _t13 & 0x00000001;
                                                				 *0x40cde5 = _t13 & 0x00000002;
                                                				 *0x40cde6 = _t13 & 0x00000004;
                                                				E00406054(_t20, _t26, _t28, "Tahoma",  *((intOrPtr*)(_t30 - 0x28)));
                                                				_t16 = CreateFontIndirectW(0x40cdd0); // executed
                                                				_push(_t16);
                                                				_push(_t28);
                                                				E00405F79();
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t30 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • GetDC.USER32(?), ref: 00401D59
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
                                                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
                                                • ReleaseDC.USER32 ref: 00401D86
                                                • CreateFontIndirectW.GDI32(0040CDD0), ref: 00401DD1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                • String ID: Tahoma
                                                • API String ID: 3808545654-3580928618
                                                • Opcode ID: 500d07c7ab604488b997273f6a95938f3c1fb7337d52538531d648fcc8621206
                                                • Instruction ID: 622cf3373c7b4650c41a942921d5e593d98aece64efbd6d354285906af2a4305
                                                • Opcode Fuzzy Hash: 500d07c7ab604488b997273f6a95938f3c1fb7337d52538531d648fcc8621206
                                                • Instruction Fuzzy Hash: 09014F31944640EFE701ABB0AF4ABDA3F74AB66305F104579E641B61E2DA7800059B2D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1007 403027-40303e 1008 403040 1007->1008 1009 403047-403050 1007->1009 1008->1009 1010 403052 1009->1010 1011 403059-40305e 1009->1011 1010->1011 1012 403060-403069 call 403235 1011->1012 1013 40306e-40307b call 40321f 1011->1013 1012->1013 1017 403081-403085 1013->1017 1018 40320d 1013->1018 1019 4031b8-4031ba 1017->1019 1020 40308b-4030b1 GetTickCount 1017->1020 1021 40320f-403210 1018->1021 1022 4031fa-4031fd 1019->1022 1023 4031bc-4031bf 1019->1023 1024 403215 1020->1024 1025 4030b7-4030bf 1020->1025 1026 403218-40321c 1021->1026 1030 403202-40320b call 40321f 1022->1030 1031 4031ff 1022->1031 1023->1024 1027 4031c1 1023->1027 1024->1026 1028 4030c1 1025->1028 1029 4030c4-4030d2 call 40321f 1025->1029 1033 4031c4-4031ca 1027->1033 1028->1029 1029->1018 1041 4030d8-4030e1 1029->1041 1030->1018 1039 403212 1030->1039 1031->1030 1036 4031cc 1033->1036 1037 4031ce-4031dc call 40321f 1033->1037 1036->1037 1037->1018 1044 4031de-4031ea call 405cb9 1037->1044 1039->1024 1043 4030e7-403107 call 406527 1041->1043 1049 4031b0-4031b2 1043->1049 1050 40310d-403120 GetTickCount 1043->1050 1051 4031b4-4031b6 1044->1051 1052 4031ec-4031f6 1044->1052 1049->1021 1053 403122-40312a 1050->1053 1054 40316b-40316d 1050->1054 1051->1021 1052->1033 1059 4031f8 1052->1059 1055 403132-403168 MulDiv wsprintfW call 405191 1053->1055 1056 40312c-403130 1053->1056 1057 4031a4-4031a8 1054->1057 1058 40316f-403173 1054->1058 1055->1054 1056->1054 1056->1055 1057->1025 1063 4031ae 1057->1063 1061 403175-40317c call 405cb9 1058->1061 1062 40318a-403195 1058->1062 1059->1024 1067 403181-403183 1061->1067 1066 403198-40319c 1062->1066 1063->1024 1066->1043 1068 4031a2 1066->1068 1067->1051 1069 403185-403188 1067->1069 1068->1024 1069->1066
                                                C-Code - Quality: 95%
                                                			E00403027(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                				signed int _v8;
                                                				int _v12;
                                                				intOrPtr _v16;
                                                				long _v20;
                                                				intOrPtr _v24;
                                                				short _v152;
                                                				void* _t65;
                                                				long _t70;
                                                				intOrPtr _t74;
                                                				long _t75;
                                                				intOrPtr _t76;
                                                				void* _t77;
                                                				int _t87;
                                                				intOrPtr _t91;
                                                				intOrPtr _t94;
                                                				long _t95;
                                                				signed int _t96;
                                                				int _t97;
                                                				int _t98;
                                                				intOrPtr _t99;
                                                				void* _t100;
                                                				void* _t101;
                                                
                                                				_t96 = _a16;
                                                				_t91 = _a12;
                                                				_v12 = _t96;
                                                				if(_t91 == 0) {
                                                					_v12 = 0x8000;
                                                				}
                                                				_v8 = _v8 & 0x00000000;
                                                				_v16 = _t91;
                                                				if(_t91 == 0) {
                                                					_v16 = 0x78f6f8;
                                                				}
                                                				_t62 = _a4;
                                                				if(_a4 >= 0) {
                                                					E00403235( *0x7a8a98 + _t62);
                                                				}
                                                				if(E0040321F( &_a16, 4) == 0) {
                                                					L41:
                                                					_push(0xfffffffd);
                                                					goto L42;
                                                				} else {
                                                					if((_a19 & 0x00000080) == 0) {
                                                						if(_t91 != 0) {
                                                							if(_a16 < _t96) {
                                                								_t96 = _a16;
                                                							}
                                                							if(E0040321F(_t91, _t96) != 0) {
                                                								_v8 = _t96;
                                                								L44:
                                                								return _v8;
                                                							} else {
                                                								goto L41;
                                                							}
                                                						}
                                                						if(_a16 <= _t91) {
                                                							goto L44;
                                                						}
                                                						_t87 = _v12;
                                                						while(1) {
                                                							_t97 = _a16;
                                                							if(_a16 >= _t87) {
                                                								_t97 = _t87;
                                                							}
                                                							if(E0040321F(0x78b6f8, _t97) == 0) {
                                                								goto L41;
                                                							}
                                                							if(E00405CB9(_a8, 0x78b6f8, _t97) == 0) {
                                                								L28:
                                                								_push(0xfffffffe);
                                                								L42:
                                                								_pop(_t65);
                                                								return _t65;
                                                							}
                                                							_v8 = _v8 + _t97;
                                                							_a16 = _a16 - _t97;
                                                							if(_a16 > 0) {
                                                								continue;
                                                							}
                                                							goto L44;
                                                						}
                                                						goto L41;
                                                					}
                                                					_t70 = GetTickCount();
                                                					 *0x40ce58 =  *0x40ce58 & 0x00000000;
                                                					_t14 =  &_a16;
                                                					 *_t14 = _a16 & 0x7fffffff;
                                                					_v20 = _t70;
                                                					 *0x40ce40 = 0xb;
                                                					_a4 = _a16;
                                                					if( *_t14 <= 0) {
                                                						goto L44;
                                                					} else {
                                                						goto L9;
                                                					}
                                                					while(1) {
                                                						L9:
                                                						_t98 = 0x4000;
                                                						if(_a16 < 0x4000) {
                                                							_t98 = _a16;
                                                						}
                                                						if(E0040321F(0x78b6f8, _t98) == 0) {
                                                							goto L41;
                                                						}
                                                						_a16 = _a16 - _t98;
                                                						 *0x40ce30 = 0x78b6f8;
                                                						 *0x40ce34 = _t98;
                                                						while(1) {
                                                							_t94 = _v16;
                                                							 *0x40ce38 = _t94;
                                                							 *0x40ce3c = _v12;
                                                							_t74 = E00406527(0x40ce30);
                                                							_v24 = _t74;
                                                							if(_t74 < 0) {
                                                								break;
                                                							}
                                                							_t99 =  *0x40ce38; // 0x7924f8
                                                							_t100 = _t99 - _t94;
                                                							_t75 = GetTickCount();
                                                							_t95 = _t75;
                                                							if(( *0x7a8af4 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
                                                								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                								_t101 = _t101 + 0xc;
                                                								E00405191(0,  &_v152);
                                                								_v20 = _t95;
                                                							}
                                                							if(_t100 == 0) {
                                                								if(_a16 > 0) {
                                                									goto L9;
                                                								}
                                                								goto L44;
                                                							} else {
                                                								if(_a12 != 0) {
                                                									_t76 =  *0x40ce38; // 0x7924f8
                                                									_v8 = _v8 + _t100;
                                                									_v12 = _v12 - _t100;
                                                									_v16 = _t76;
                                                									L23:
                                                									if(_v24 != 4) {
                                                										continue;
                                                									}
                                                									goto L44;
                                                								}
                                                								_t77 = E00405CB9(_a8, _v16, _t100); // executed
                                                								if(_t77 == 0) {
                                                									goto L28;
                                                								}
                                                								_v8 = _v8 + _t100;
                                                								goto L23;
                                                							}
                                                						}
                                                						_push(0xfffffffc);
                                                						goto L42;
                                                					}
                                                					goto L41;
                                                				}
                                                			}

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CountTick$wsprintf
                                                • String ID: ... %d%%
                                                • API String ID: 551687249-2449383134
                                                • Opcode ID: f3ce815b3ce23d87c6a937b6e6d87f9e0afd4b1277b2b64b34a5536ec2ef900c
                                                • Instruction ID: c5c4fbc020d382a06f3b5c516385cf2f0b989405556926c34d029951a3a1b574
                                                • Opcode Fuzzy Hash: f3ce815b3ce23d87c6a937b6e6d87f9e0afd4b1277b2b64b34a5536ec2ef900c
                                                • Instruction Fuzzy Hash: EC519B31801209EBCB10CFA5DA44B9F7BB8AF55726F1441BBE914B72C1C7789E008BA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1070 40237b-4023c1 call 402cb4 call 402bbf * 2 RegCreateKeyExW 1077 4023c7-4023cf 1070->1077 1078 402a4c-402a5b 1070->1078 1080 4023d1-4023de call 402bbf lstrlenW 1077->1080 1081 4023e2-4023e5 1077->1081 1080->1081 1084 4023f5-4023f8 1081->1084 1085 4023e7-4023f4 call 402ba2 1081->1085 1086 402409-40241d RegSetValueExW 1084->1086 1087 4023fa-402404 call 403027 1084->1087 1085->1084 1092 402422-4024fc RegCloseKey 1086->1092 1093 40241f 1086->1093 1087->1086 1092->1078 1095 40281e-402825 1092->1095 1093->1092 1095->1078
                                                C-Code - Quality: 85%
                                                 			E0040237B(void* __eax) {
                                                 				void* _t17;
                                                 				short* _t20;
                                                 				int _t21;
                                                 				long _t24;
                                                 				char _t26;
                                                 				int _t29;
                                                 				intOrPtr _t37;
                                                 				void* _t39;
                                                 				// _t28 (used below) is a register value the decompiler did not resolve to a
                                                 				// declared variable, and _t29 is used before assignment (listing quality 85%).
                                                 
                                                 				_t17 = E00402CB4(__eax);
                                                 				_t37 =  *((intOrPtr*)(_t39 - 0x1c)); // selects how the value data is encoded (1, 3 or 4)
                                                 				 *(_t39 - 0x34) =  *(_t39 - 0x18); // dwType passed to RegSetValueExW
                                                 				 *(_t39 - 8) = E00402BBF(2); // value name
                                                 				_t20 = E00402BBF(0x11); // subkey path
                                                 				 *(_t39 - 4) = 1; // failure flag, cleared only when the write succeeds
                                                 				// *0x7a8af0 | 2: KEY_SET_VALUE plus whatever access bits the global holds
                                                 				_t21 = RegCreateKeyExW(_t17, _t20, _t29, _t29, _t29,  *0x7a8af0 | 0x00000002, _t29, _t39 + 8, _t29); // executed
                                                 				if(_t21 == 0) {
                                                 					if(_t37 == 1) {
                                                 						// string data: byte count derived from lstrlenW of the buffer at 0x40b5c8
                                                 						E00402BBF(0x23);
                                                 						_t21 = lstrlenW(0x40b5c8) + _t28 + 2;
                                                 					}
                                                 					if(_t37 == 4) {
                                                 						// 4-byte value stored at 0x40b5c8, written with cbData = 4
                                                 						_t26 = E00402BA2(3);
                                                 						 *0x40b5c8 = _t26;
                                                 						_t21 = _t37;
                                                 					}
                                                 					if(_t37 == 3) {
                                                 						// binary data read into the 0x40b5c8 buffer, at most 0x1800 bytes
                                                 						_t21 = E00403027( *((intOrPtr*)(_t39 - 0x20)), _t29, 0x40b5c8, 0x1800); // executed
                                                 					}
                                                 					// RegSetValueExW(hKey, lpValueName, Reserved, dwType, lpData, cbData)
                                                 					_t24 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 8), _t29,  *(_t39 - 0x34), 0x40b5c8, _t21); // executed
                                                 					if(_t24 == 0) {
                                                 						 *(_t39 - 4) = _t29; // success: clear the failure flag
                                                 					}
                                                 					_push( *(_t39 + 8));
                                                 					RegCloseKey();
                                                 				}
                                                 				 *0x7a8ac8 =  *0x7a8ac8 +  *(_t39 - 4); // accumulate the flag into a global counter
                                                 				return 0;
                                                 			}
                                                 

                                                APIs
                                                • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
                                                • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
                                                • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
                                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                Strings
                                                Memory Dump Source
                                                 • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CloseCreateValuelstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp
                                                • API String ID: 1356686001-416103064
                                                • Opcode ID: c8d2024ca6914caa20ff415175f9df726a7bf297326ec571d110e4b150377c25
                                                • Instruction ID: eb15040666a4b84098e37ffbf96cc219ad532b268eb93921d51e5d7316b4335f
                                                • Opcode Fuzzy Hash: c8d2024ca6914caa20ff415175f9df726a7bf297326ec571d110e4b150377c25
                                                • Instruction Fuzzy Hash: 9B119D71A00108BEEB11AFA4DE89DAE76BDEB44358F11403AF904B21D1DAB89E409668
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                 (Control-flow graph figure: entry block 405660-4056ab calls CreateDirectoryW, then GetLastError and SetFileSecurityW on the failure path; nodes marked Executed / Not Executed; remaining node and edge data omitted)
                                                C-Code - Quality: 100%
                                                 			E00405660(WCHAR* _a4) {
                                                 				struct _SECURITY_ATTRIBUTES _v16;
                                                 				struct _SECURITY_DESCRIPTOR _v36;
                                                 				int _t22;
                                                 				long _t23;
                                                 
                                                 				// Build an absolute security descriptor whose owner, group and DACL
                                                 				// point at static data in the image, then create the directory with it.
                                                 				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                 				_v36.Owner = 0x4083b0;
                                                 				_v36.Group = 0x4083b0;
                                                 				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                 				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                 				_v16.lpSecurityDescriptor =  &_v36;
                                                 				_v36.Revision = 1; // SECURITY_DESCRIPTOR_REVISION
                                                 				_v36.Control = 4; // SE_DACL_PRESENT
                                                 				_v36.Dacl = 0x4083a0;
                                                 				_v16.nLength = 0xc; // sizeof(SECURITY_ATTRIBUTES) on 32-bit
                                                 				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                                                 				if(_t22 != 0) {
                                                 					L1:
                                                 					return 0;
                                                 				}
                                                 				_t23 = GetLastError();
                                                 				if(_t23 == 0xb7) { // ERROR_ALREADY_EXISTS: re-apply the DACL to the existing directory
                                                 					// 0x80000007 = OWNER | GROUP | DACL | PROTECTED_DACL security information
                                                 					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                                                 						goto L1;
                                                 					}
                                                 					return GetLastError();
                                                 				}
                                                 				return _t23;
                                                 			}
                                                 

                                                APIs
                                                • CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056A3
                                                • GetLastError.KERNEL32 ref: 004056B7
                                                • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056CC
                                                • GetLastError.KERNEL32 ref: 004056D6
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405686
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 3449924974-823278215
                                                • Opcode ID: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
                                                • Instruction ID: a656050947ebfef5167fdf4c2b21dc35e266e59b00d64b4b83911e60c27c7584
                                                • Opcode Fuzzy Hash: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
                                                • Instruction Fuzzy Hash: 94010871D00619EBEF019FA0C9087EFBBB8EB14314F10443AD549B6280E77996148FA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                 			E00402BFF(void* _a4, short* _a8, intOrPtr _a12) {
                                                 				void* _v8;
                                                 				short _v532; // WCHAR buffer for enumerated subkey names (0x105 = 261 chars)
                                                 				long _t18;
                                                 				intOrPtr* _t27;
                                                 				long _t28;
                                                 
                                                 				// Recursively deletes subkey _a8 under _a4. The global at 0x7a8af0 holds
                                                 				// extra access-mask bits OR'd into the open (0x8 = KEY_ENUMERATE_SUB_KEYS).
                                                 				_t18 = RegOpenKeyExW(_a4, _a8, 0,  *0x7a8af0 | 0x00000008,  &_v8); // executed
                                                 				if(_t18 == 0) {
                                                 					// Always enumerate index 0: each recursive call deletes that subkey,
                                                 					// so the next subkey moves into slot 0.
                                                 					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
                                                 						if(_a12 != 0) {
                                                 							// Caller only asked whether the key has subkeys: report 1 and stop.
                                                 							RegCloseKey(_v8);
                                                 							L8:
                                                 							return 1;
                                                 						}
                                                 						if(E00402BFF(_v8,  &_v532, 0) != 0) {
                                                 							break;
                                                 						}
                                                 					}
                                                 					RegCloseKey(_v8);
                                                 					// E00406408(3) returns a function pointer resolved at run time; the call
                                                 					// below matches RegDeleteKeyExW's (hKey, lpSubKey, samDesired, Reserved).
                                                 					_t27 = E00406408(3);
                                                 					if(_t27 == 0) {
                                                 						if( *0x7a8af0 != 0) {
                                                 							goto L8; // alternate view bits set but no Ex variant available
                                                 						}
                                                 						_t28 = RegDeleteKeyW(_a4, _a8); // fallback when the pointer is null
                                                 						if(_t28 != 0) {
                                                 							goto L8;
                                                 						}
                                                 						return _t28;
                                                 					}
                                                 					return  *_t27(_a4, _a8,  *0x7a8af0, 0);
                                                 				}
                                                 				return _t18;
                                                 			}
                                                 

                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
                                                • RegCloseKey.ADVAPI32(?), ref: 00402C65
                                                • RegCloseKey.ADVAPI32(?), ref: 00402C8A
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Close$DeleteEnumOpen
                                                • String ID:
                                                • API String ID: 1912718029-0
                                                • Opcode ID: 38507b3aef3ee9abc9b8276ad5151edb672a95bd9cb7be4891eb61a897a54be5
                                                • Instruction ID: 96ecc02dbfbaaadde43e4edb48da855e10ebdec385bf1e19a14d4c4ac13e51f4
                                                • Opcode Fuzzy Hash: 38507b3aef3ee9abc9b8276ad5151edb672a95bd9cb7be4891eb61a897a54be5
                                                • Instruction Fuzzy Hash: 4E116A72904119BFEF109F90DF8CEAE3B79FB54384B10403AF906A10A0D7B48E55AA69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E10001759(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                				void _v36;
                                                				struct HINSTANCE__* _t34;
                                                				intOrPtr _t38;
                                                				void* _t44;
                                                				void* _t45;
                                                				void* _t46;
                                                				void* _t50;
                                                				intOrPtr _t53;
                                                				signed int _t57;
                                                				signed int _t61;
                                                				void* _t65;
                                                				void* _t66;
                                                				void* _t70;
                                                				void* _t74;
                                                
                                                				_t74 = __esi;
                                                				_t66 = __edi;
                                                				_t65 = __edx;
                                                				 *0x1000406c = _a8;
                                                				 *0x10004070 = _a16;
                                                				 *0x10004074 = _a12;
                                                				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1);
                                                				_push(1); // executed
                                                				_t34 = E10001B18(); // executed
                                                				_t50 = _t34;
                                                				if(_t50 == 0) {
                                                					L28:
                                                					return _t34;
                                                				} else {
                                                					if( *((intOrPtr*)(_t50 + 4)) != 1) {
                                                						E10002286(_t50);
                                                					}
                                                					_push(_t50);
                                                					E100022D0(_t65);
                                                					_t53 =  *((intOrPtr*)(_t50 + 4));
                                                					if(_t53 == 0xffffffff) {
                                                						L14:
                                                						if(( *(_t50 + 0x1010) & 0x00000004) == 0) {
                                                							if( *((intOrPtr*)(_t50 + 4)) == 0) {
                                                								_t34 = E100024A9(_t50);
                                                							} else {
                                                								_push(_t74);
                                                								_push(_t66);
                                                								_t12 = _t50 + 0x1018; // 0x1018
                                                								_t57 = 8;
                                                								memcpy( &_v36, _t12, _t57 << 2);
                                                								_t38 = E100015B4(_t50);
                                                								_t15 = _t50 + 0x1018; // 0x1018
                                                								_t70 = _t15;
                                                								 *((intOrPtr*)(_t50 + 0x1020)) = _t38;
                                                								 *_t70 = 4;
                                                								E100024A9(_t50);
                                                								_t61 = 8;
                                                								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
                                                							}
                                                						} else {
                                                							E100024A9(_t50);
                                                							_t34 = GlobalFree(E10001272(E100015B4(_t50)));
                                                						}
                                                						if( *((intOrPtr*)(_t50 + 4)) != 1) {
                                                							_t34 = E1000246C(_t50);
                                                							if(( *(_t50 + 0x1010) & 0x00000040) != 0 &&  *_t50 == 1) {
                                                								_t34 =  *(_t50 + 0x1008);
                                                								if(_t34 != 0) {
                                                									_t34 = FreeLibrary(_t34);
                                                								}
                                                							}
                                                							if(( *(_t50 + 0x1010) & 0x00000020) != 0) {
                                                								_t34 = E1000153D( *0x10004068);
                                                							}
                                                						}
                                                						if(( *(_t50 + 0x1010) & 0x00000002) != 0) {
                                                							goto L28;
                                                						} else {
                                                							return GlobalFree(_t50);
                                                						}
                                                					}
                                                					_t44 =  *_t50;
                                                					if(_t44 == 0) {
                                                						if(_t53 != 1) {
                                                							goto L14;
                                                						}
                                                						E10002B5F(_t50);
                                                						L12:
                                                						_t50 = _t44;
                                                						L13:
                                                						goto L14;
                                                					}
                                                					_t45 = _t44 - 1;
                                                					if(_t45 == 0) {
                                                						L8:
                                                						_t44 = E100028A4(_t53, _t50); // executed
                                                						goto L12;
                                                					}
                                                					_t46 = _t45 - 1;
                                                					if(_t46 == 0) {
                                                						E10002645(_t50);
                                                						goto L13;
                                                					}
                                                					if(_t46 != 1) {
                                                						goto L14;
                                                					}
                                                					goto L8;
                                                				}
                                                			}

                                                APIs
                                                  • Part of subcall function 10001B18: GlobalFree.KERNEL32 ref: 10001D83
                                                  • Part of subcall function 10001B18: GlobalFree.KERNEL32 ref: 10001D88
                                                  • Part of subcall function 10001B18: GlobalFree.KERNEL32 ref: 10001D8D
                                                • GlobalFree.KERNEL32 ref: 10001804
                                                • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                • GlobalFree.KERNEL32 ref: 100018A0
                                                  • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8
                                                  • Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7
                                                  • Part of subcall function 100015B4: lstrcpyW.KERNEL32 ref: 100015CD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.568170336.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.568166890.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000000.00000002.568174284.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000000.00000002.568181130.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc$Librarylstrcpy
                                                • String ID:
                                                • API String ID: 1791698881-3916222277
                                                • Opcode ID: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
                                                • Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
                                                • Opcode Fuzzy Hash: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
                                                • Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 51%
                                                			E00401BDF() {
                                                				signed int _t28;
                                                				WCHAR* _t31;
                                                				long _t32;
                                                				int _t37;
                                                				signed int _t38;
                                                				int _t42;
                                                				int _t48;
                                                				struct HWND__* _t52;
                                                				void* _t55;
                                                
                                                				 *(_t55 - 0x14) = E00402BA2(3);
                                                				 *(_t55 + 8) = E00402BA2(4);
                                                				if(( *(_t55 - 0x18) & 0x00000001) != 0) {
                                                					 *((intOrPtr*)(__ebp - 0x14)) = E00402BBF(0x33);
                                                				}
                                                				__eflags =  *(_t55 - 0x18) & 0x00000002;
                                                				if(( *(_t55 - 0x18) & 0x00000002) != 0) {
                                                					 *(_t55 + 8) = E00402BBF(0x44);
                                                				}
                                                				__eflags =  *((intOrPtr*)(_t55 - 0x30)) - 0x21;
                                                				_push(1);
                                                				if(__eflags != 0) {
                                                					_t50 = E00402BBF();
                                                					_t28 = E00402BBF();
                                                					asm("sbb ecx, ecx");
                                                					asm("sbb eax, eax");
                                                					_t31 =  ~( *_t27) & _t50;
                                                					__eflags = _t31;
                                                					_t32 = FindWindowExW( *(_t55 - 0x14),  *(_t55 + 8), _t31,  ~( *_t28) & _t28); // executed
                                                					goto L10;
                                                				} else {
                                                					_t52 = E00402BA2();
                                                					_t37 = E00402BA2();
                                                					_t48 =  *(_t55 - 0x18) >> 2;
                                                					if(__eflags == 0) {
                                                						_t32 = SendMessageW(_t52, _t37,  *(_t55 - 0x14),  *(_t55 + 8));
                                                						L10:
                                                						 *(_t55 - 8) = _t32;
                                                					} else {
                                                						_t38 = SendMessageTimeoutW(_t52, _t37,  *(_t55 - 0x14),  *(_t55 + 8), _t42, _t48, _t55 - 8);
                                                						asm("sbb eax, eax");
                                                						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                                                					}
                                                				}
                                                				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - _t42;
                                                				if( *((intOrPtr*)(_t55 - 0x2c)) >= _t42) {
                                                					_push( *(_t55 - 8));
                                                					E00405F79();
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t55 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • SendMessageTimeoutW.USER32 ref: 00401C3F
                                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                • Opcode ID: 8319822774fdde759edfcdb62c3affa0c5abdf9aa0933c2ceeb1a99f4013fbda
                                                • Instruction ID: 0a841d9a538a1c78525c7c746850703aa7529d4a1cc505f1b812f839afa95e13
                                                • Opcode Fuzzy Hash: 8319822774fdde759edfcdb62c3affa0c5abdf9aa0933c2ceeb1a99f4013fbda
                                                • Instruction Fuzzy Hash: 4B219071940209BEEF01AFB4CE4AABE7B75EB44344F10403EF601B61D1D6B88A409B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E00405EFF(void* _a4, int _a8, short* _a12, int _a16, void* _a20) {
                                                				long _t20;
                                                				long _t23;
                                                				long _t24;
                                                				char* _t26;
                                                
                                                				asm("sbb eax, eax");
                                                				_t26 = _a16;
                                                				 *_t26 = 0;
                                                				_t20 = RegOpenKeyExW(_a4, _a8, 0,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
                                                				if(_t20 == 0) {
                                                					_a8 = 0x800;
                                                					_t23 = RegQueryValueExW(_a20, _a12, 0,  &_a16, _t26,  &_a8); // executed
                                                					if(_t23 != 0 || _a16 != 1 && _a16 != 2) {
                                                						 *_t26 = 0;
                                                					}
                                                					_t26[0x7fe] = 0;
                                                					_t24 = RegCloseKey(_a20); // executed
                                                					return _t24;
                                                				}
                                                				return _t20;
                                                			}

                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,ExecToStack,?,00406172,80000002,Software\Microsoft\Windows\CurrentVersion,?,ExecToStack,?), ref: 00405F29
                                                • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406172,80000002,Software\Microsoft\Windows\CurrentVersion,?,ExecToStack,?), ref: 00405F4A
                                                • RegCloseKey.KERNELBASE(?,?,00406172,80000002,Software\Microsoft\Windows\CurrentVersion,?,ExecToStack,?), ref: 00405F6D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: ExecToStack
                                                • API String ID: 3677997916-166031814
                                                • Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                • Instruction ID: 550e653c67ea0eb77a08417ddc9dcc7927ab5f79673ec66d03fd3a0aafaa2bf7
                                                • Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                • Instruction Fuzzy Hash: AC015A3110020AEACF218F26ED08EDB3BACEF88350F00403AF844D2260D774D964DBA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405C36(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                				intOrPtr _v8;
                                                				short _v12;
                                                				short _t12;
                                                				intOrPtr _t13;
                                                				signed int _t14;
                                                				WCHAR* _t17;
                                                				signed int _t19;
                                                				signed short _t23;
                                                				WCHAR* _t26;
                                                
                                                				_t26 = _a4;
                                                				_t23 = 0x64;
                                                				while(1) {
                                                					_t12 =  *L"nsa"; // 0x73006e
                                                					_t23 = _t23 - 1;
                                                					_v12 = _t12;
                                                					_t13 =  *0x40a574; // 0x61
                                                					_v8 = _t13;
                                                					_t14 = GetTickCount();
                                                					_t19 = 0x1a;
                                                					_v8 = _v8 + _t14 % _t19;
                                                					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                                                					if(_t17 != 0) {
                                                						break;
                                                					}
                                                					if(_t23 != 0) {
                                                						continue;
                                                					} else {
                                                						 *_t26 =  *_t26 & _t23;
                                                					}
                                                					L4:
                                                					return _t17;
                                                				}
                                                				_t17 = _t26;
                                                				goto L4;
                                                			}

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00405C54
                                                • GetTempFileNameW.KERNELBASE(0040A300,?,00000000,?,?,?,00000000,0040327B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 00405C6F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                • API String ID: 1716503409-44229769
                                                • Opcode ID: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
                                                • Instruction ID: 8a35e51ea0d0ee70ea5c20e8edce62ba12a10af59c8f3d63fe044a56b3f339a6
                                                • Opcode Fuzzy Hash: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
                                                • Instruction Fuzzy Hash: 99F06276600704BFEB008B55DD05E9F77A8EB91750F10403AED00F7140E6B09A548B58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040639C(intOrPtr _a4) {
                                                				short _v576;
                                                				signed int _t13;
                                                				struct HINSTANCE__* _t17;
                                                				signed int _t19;
                                                				void* _t24;
                                                
                                                				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                                                				if(_t13 > 0x104) {
                                                					_t13 = 0;
                                                				}
                                                				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                                                					_t19 = 1;
                                                				} else {
                                                					_t19 = 0;
                                                				}
                                                				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                                                				_t17 = LoadLibraryW( &_v576); // executed
                                                				return _t17;
                                                			}

                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063B3
                                                • wsprintfW.USER32 ref: 004063EE
                                                • LoadLibraryW.KERNELBASE(?), ref: 004063FE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                                • String ID: %s%S.dll
                                                • API String ID: 2200240437-2744773210
                                                • Opcode ID: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
                                                • Instruction ID: 2cc1e6addeffa93896351747fd2b076c866e84041b4f9c80d347ce7491f0a061
                                                • Opcode Fuzzy Hash: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
                                                • Instruction Fuzzy Hash: 6CF0BB70510129D7DB14AB64EE0DD9B366CEB00305F11447BA946F10D1FBBCDA69CBE9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E00401E66() {
                                                				void* _t16;
                                                				long _t20;
                                                				void* _t25;
                                                				void* _t32;
                                                
                                                				_t29 = E00402BBF(_t25);
                                                				E00405191(0xffffffeb, _t14);
                                                				_t16 = E00405712(_t29); // executed
                                                				 *(_t32 + 8) = _t16;
                                                				if(_t16 == _t25) {
                                                					 *((intOrPtr*)(_t32 - 4)) = 1;
                                                				} else {
                                                					if( *((intOrPtr*)(_t32 - 0x24)) != _t25) {
                                                						_t20 = WaitForSingleObject(_t16, 0x64);
                                                						while(_t20 == 0x102) {
                                                							E00406444(0xf);
                                                							_t20 = WaitForSingleObject( *(_t32 + 8), 0x64);
                                                						}
                                                						GetExitCodeProcess( *(_t32 + 8), _t32 - 8);
                                                						if( *((intOrPtr*)(_t32 - 0x28)) < _t25) {
                                                							if( *(_t32 - 8) != _t25) {
                                                								 *((intOrPtr*)(_t32 - 4)) = 1;
                                                							}
                                                						} else {
                                                							E00405F79( *((intOrPtr*)(_t32 - 0x10)),  *(_t32 - 8));
                                                						}
                                                					}
                                                					_push( *(_t32 + 8));
                                                					CloseHandle();
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t32 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                  • Part of subcall function 00405191: lstrlenW.KERNEL32(007A0F20,00000000,007924F8,766DEA30,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C9
                                                  • Part of subcall function 00405191: lstrlenW.KERNEL32(00403168,007A0F20,00000000,007924F8,766DEA30,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D9
                                                  • Part of subcall function 00405191: lstrcatW.KERNEL32(007A0F20,00403168), ref: 004051EC
                                                  • Part of subcall function 00405191: SetWindowTextW.USER32(007A0F20,007A0F20), ref: 004051FE
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405224
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523E
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524C
                                                  • Part of subcall function 00405712: CreateProcessW.KERNELBASE ref: 0040573B
                                                  • Part of subcall function 00405712: CloseHandle.KERNEL32(0040A300), ref: 00405748
                                                • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
                                                • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
                                                • GetExitCodeProcess.KERNEL32 ref: 00401EB7
                                                • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                • String ID:
                                                • API String ID: 3585118688-0
                                                • Opcode ID: 292fba3ef36fd8685870359653941cf5ea216951d9d1ba9b9747b06d0b390f79
                                                • Instruction ID: d208eef208ec2c6f5187e880842865a00525bcfa3f2a05837fac4e2667901554
                                                • Opcode Fuzzy Hash: 292fba3ef36fd8685870359653941cf5ea216951d9d1ba9b9747b06d0b390f79
                                                • Instruction Fuzzy Hash: F911C431A00508EBCF20AF91CD859AE7BB2EF40314F24403BF501B61E1C7798A91DB9D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileA.KERNELBASE(00000000), ref: 10002963
                                                • GetLastError.KERNEL32 ref: 10002A6A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.568170336.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.568166890.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000000.00000002.568174284.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000000.00000002.568181130.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CreateErrorFileLast
                                                • String ID: @Mhv
                                                • API String ID: 1214770103-3595611156
                                                • Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
                                                • Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
                                                • Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
                                                • Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E004015B9(short __ebx, void* __eflags) {
                                                				void* _t17;
                                                				int _t23;
                                                				void* _t25;
                                                				signed char _t26;
                                                				short _t28;
                                                				short _t31;
                                                				short* _t34;
                                                				void* _t36;
                                                
                                                				_t28 = __ebx;
                                                				 *(_t36 + 8) = E00402BBF(0xfffffff0);
                                                				_t17 = E00405A91(_t16);
                                                				_t32 = _t17;
                                                				if(_t17 != __ebx) {
                                                					do {
                                                						_t34 = E00405A13(_t32, 0x5c);
                                                						_t31 =  *_t34;
                                                						 *_t34 = _t28;
                                                						if(_t31 != _t28) {
                                                							L5:
                                                							_t25 = E004056DD( *(_t36 + 8));
                                                						} else {
                                                							_t42 =  *((intOrPtr*)(_t36 - 0x24)) - _t28;
                                                							if( *((intOrPtr*)(_t36 - 0x24)) == _t28 || E004056FA(_t42) == 0) {
                                                								goto L5;
                                                							} else {
                                                								_t25 = E00405660( *(_t36 + 8)); // executed
                                                							}
                                                						}
                                                						if(_t25 != _t28) {
                                                							if(_t25 != 0xb7) {
                                                								L9:
                                                								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                							} else {
                                                								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                                                								if((_t26 & 0x00000010) == 0) {
                                                									goto L9;
                                                								}
                                                							}
                                                						}
                                                						 *_t34 = _t31;
                                                						_t32 = _t34 + 2;
                                                					} while (_t31 != _t28);
                                                				}
                                                				if( *((intOrPtr*)(_t36 - 0x28)) == _t28) {
                                                					_push(0xfffffff5);
                                                					E00401423();
                                                				} else {
                                                					E00401423(0xffffffe6);
                                                					E00406032(L"C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis\\Sekstal",  *(_t36 + 8));
                                                					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                                                					if(_t23 == 0) {
                                                						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                					}
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t36 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                  • Part of subcall function 00405A91: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,0040A300,00405B05,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,766DFAA0,?,C:\Users\user\AppData\Local\Temp\,00405843,?,766DFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ), ref: 00405A9F
                                                  • Part of subcall function 00405A91: CharNextW.USER32(00000000), ref: 00405AA4
                                                  • Part of subcall function 00405A91: CharNextW.USER32(00000000), ref: 00405ABC
                                                • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
                                                  • Part of subcall function 00405660: CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056A3
                                                • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Sekstal,?,00000000,000000F0), ref: 00401645
                                                Strings
                                                • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Sekstal, xrefs: 00401638
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Sekstal
                                                • API String ID: 1892508949-1167972383
                                                • Opcode ID: 6a1f85d338ebb5bb54d8052e3a08a01253941d961bae5fb58311d3ff7cefe74a
                                                • Instruction ID: 415897e78b6bad03a127c6f6368a694d7e54beaaa1ae65b52f31c6ed2c47f3e3
                                                • Opcode Fuzzy Hash: 6a1f85d338ebb5bb54d8052e3a08a01253941d961bae5fb58311d3ff7cefe74a
                                                • Instruction Fuzzy Hash: 8C11E631504514ABCF20BFA4CD4099E36B1EF44364B24093BEA05B62F1DA3E4E819F5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                 			E00405712(WCHAR* _a4) { // start a child process from the command line in _a4
                                                 				struct _PROCESS_INFORMATION _v20;
                                                 				int _t7;
                                                 
                                                 				0x7a4f48->cb = 0x44; // STARTUPINFOW lives at 0x7a4f48; 0x44 == sizeof(STARTUPINFOW) on 32-bit
                                                 				// lpApplicationName NULL, _a4 is the full command line, dwCreationFlags 0x4000000 == CREATE_DEFAULT_ERROR_MODE
                                                 				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a4f48,  &_v20); // executed
                                                 				if(_t7 != 0) {
                                                 					CloseHandle(_v20.hThread); // the thread handle is dropped, only the process handle is returned
                                                 					return _v20.hProcess;
                                                 				}
                                                 				return _t7; // 0 when CreateProcessW failed
                                                 			}

                                                APIs
                                                • CreateProcessW.KERNELBASE ref: 0040573B
                                                • CloseHandle.KERNEL32(0040A300), ref: 00405748
                                                Strings
                                                • Error launching installer, xrefs: 00405725
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: Error launching installer
                                                • API String ID: 3712363035-66219284
                                                • Opcode ID: 3637be9cb8c8c178a0f5493f73af728e1da129e746f7561b800f2829df1c9c8b
                                                • Instruction ID: 7a3daaf9c9c1dfce14d3e2680162b4324113c6786a0a66257257a350a584d1d9
                                                • Opcode Fuzzy Hash: 3637be9cb8c8c178a0f5493f73af728e1da129e746f7561b800f2829df1c9c8b
                                                • Instruction Fuzzy Hash: 67E046F4600209BFEB10AB60ED49F7B7BACEB44204F008420BE50F2190DAB8D8108A78
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 60%
                                                 			E00401FC3(void* __ebx, void* __eflags) { // load a DLL and call one of its exports; __ebx serves as the zero/NULL value in every comparison below
                                                 				struct HINSTANCE__* _t23;
                                                 				struct HINSTANCE__* _t31;
                                                 				void* _t32;
                                                 				void* _t34;
                                                 				WCHAR* _t37;
                                                 				intOrPtr* _t38;
                                                 				void* _t39;
                                                 
                                                 				_t32 = __ebx;
                                                 				asm("sbb eax, 0x7a8af8");
                                                 				 *(_t39 - 4) = 1; // local status flag, stays 1 (failure) until the export has been called
                                                 				if(__eflags < 0) {
                                                 					_push(0xffffffe7); // error code -25
                                                 					L15:
                                                 					E00401423(); // error path
                                                 					L16:
                                                 					 *0x7a8ac8 =  *0x7a8ac8 +  *(_t39 - 4); // global counter advanced by the status flag
                                                 					return 0;
                                                 				}
                                                 				_t37 = E00402BBF(0xfffffff0); // parameter string: DLL path
                                                 				 *((intOrPtr*)(_t39 - 8)) = E00402BBF(1); // parameter string: export name
                                                 				if( *((intOrPtr*)(_t39 - 0x1c)) == __ebx) {
                                                 					L3:
                                                 					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed; 8 == LOAD_WITH_ALTERED_SEARCH_PATH
                                                 					 *(_t39 + 8) = _t23;
                                                 					if(_t23 == _t32) {
                                                 						_push(0xfffffff6); // error code -10: the library could not be loaded
                                                 						goto L15;
                                                 					}
                                                 					L4:
                                                 					_t38 = E00406477( *(_t39 + 8),  *((intOrPtr*)(_t39 - 8))); // resolve the named export in the loaded module
                                                 					if(_t38 == _t32) {
                                                 						E00405191(0xfffffff7,  *((intOrPtr*)(_t39 - 8))); // error code -9: export not found; E00405191 updates the status window (see its subcalls)
                                                 					} else {
                                                 						 *(_t39 - 4) = _t32; // export found: clear the failure flag
                                                 						if( *((intOrPtr*)(_t39 - 0x24)) == _t32) {
                                                 							 *_t38( *((intOrPtr*)(_t39 - 0xc)), 0x400, _t34, 0x40cdcc, 0x40a000); // executed; call the export with five arguments
                                                 						} else {
                                                 							E00401423( *((intOrPtr*)(_t39 - 0x24)));
                                                 							if( *_t38() != 0) { // call the export without arguments; a non-zero return counts as failure
                                                 								 *(_t39 - 4) = 1;
                                                 							}
                                                 						}
                                                 					}
                                                 					if( *((intOrPtr*)(_t39 - 0x20)) == _t32 && E0040381B( *(_t39 + 8)) != 0) {
                                                 						FreeLibrary( *(_t39 + 8)); // executed; only when the flag at _t39-0x20 is clear and E0040381B(hModule) returns non-zero
                                                 					}
                                                 					goto L16;
                                                 				}
                                                 				_t31 = GetModuleHandleW(_t37); // executed; reuse the module if it is already mapped
                                                 				 *(_t39 + 8) = _t31;
                                                 				if(_t31 != __ebx) {
                                                 					goto L4;
                                                 				}
                                                 				goto L3;
                                                 			}

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE
                                                  • Part of subcall function 00405191: lstrlenW.KERNEL32(007A0F20,00000000,007924F8,766DEA30,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C9
                                                  • Part of subcall function 00405191: lstrlenW.KERNEL32(00403168,007A0F20,00000000,007924F8,766DEA30,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D9
                                                  • Part of subcall function 00405191: lstrcatW.KERNEL32(007A0F20,00403168), ref: 004051EC
                                                  • Part of subcall function 00405191: SetWindowTextW.USER32(007A0F20,007A0F20), ref: 004051FE
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405224
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523E
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524C
                                                • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
                                                • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 0040207C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                • String ID:
                                                • API String ID: 334405425-0
                                                • Opcode ID: cb89a4fd28b95848d33a1bfc1764e9066b0be27e0c87ae0b066b9e15343262a0
                                                • Instruction ID: f6a722eb4006bf24fd89555576c47c1226d97d21954259867b0b9a1495a6a6e6
                                                • Opcode Fuzzy Hash: cb89a4fd28b95848d33a1bfc1764e9066b0be27e0c87ae0b066b9e15343262a0
                                                • Instruction Fuzzy Hash: 6F219531900209EBCF20AFA5CE48A9E7E71BF00354F20427BF510B51E1CBBD8A81DA5E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                 			E0040249E(int* __ebx, short* __esi) { // enumerate one registry subkey or value name into the WCHAR buffer __esi
                                                 				void* _t7;
                                                 				int _t8;
                                                 				long _t11;
                                                 				int* _t14;
                                                 				void* _t18;
                                                 				short* _t20;
                                                 				void* _t22;
                                                 				void* _t25;
                                                 
                                                 				_t20 = __esi;
                                                 				_t14 = __ebx; // __ebx serves as the zero/NULL value in the comparisons below
                                                 				_t7 = E00402CC9(_t25, 0x20019); // executed; opens the key (RegOpenKeyExW in the subcall); 0x20019 == KEY_READ
                                                 				_t18 = _t7;
                                                 				_t8 = E00402BA2(3); // enumeration index
                                                 				 *__esi = __ebx; // start with an empty output string
                                                 				if(_t18 == __ebx) {
                                                 					L7:
                                                 					 *((intOrPtr*)(_t22 - 4)) = 1; // key not opened or enumeration failed: set the status flag
                                                 				} else {
                                                 					 *(_t22 + 8) = 0x3ff; // buffer length in WCHARs
                                                 					if( *((intOrPtr*)(_t22 - 0x1c)) == __ebx) {
                                                 						_t11 = RegEnumValueW(_t18, _t8, __esi, _t22 + 8, __ebx, __ebx, __ebx, __ebx); // value name only; type and data pointers are NULL
                                                 						__eflags = _t11;
                                                 						if(_t11 != 0) {
                                                 							goto L7;
                                                 						} else {
                                                 							goto L4;
                                                 						}
                                                 					} else {
                                                 						RegEnumKeyW(_t18, _t8, __esi, 0x3ff); // subkey name
                                                 						L4:
                                                 						_t20[0x3ff] = _t14; // force NUL termination in the last slot of the buffer
                                                 						_push(_t18);
                                                 						RegCloseKey();
                                                 					}
                                                 				}
                                                 				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t22 - 4)); // global counter advanced by the status flag
                                                 				return 0;
                                                 			}

                                                APIs
                                                  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?,?,0040232B,00000002), ref: 00402CF1
                                                • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
                                                • RegEnumValueW.ADVAPI32 ref: 004024E0
                                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Enum$CloseOpenValue
                                                • String ID:
                                                • API String ID: 167947723-0
                                                • Opcode ID: 9265ab6f625e07d86975ae9e6924e5a372e872d8d6f540d845591db09282f072
                                                • Instruction ID: b3b69fb6c0ab9d70611345d1cc2aadb4deec7d6fa7b8fc5cea9b38d3f519ee44
                                                • Opcode Fuzzy Hash: 9265ab6f625e07d86975ae9e6924e5a372e872d8d6f540d845591db09282f072
                                                • Instruction Fuzzy Hash: 38F08171A00204ABEB209FA5DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%
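The APIs lists in these function entries (the CreateProcessW/CloseHandle pair, the LoadLibraryExW/FreeLibrary pair, the RegOpenKeyExW subcall, and the VirtualProtect call of the module at 0x10000000) are the part of the report a triage script reads first. The Python below turns those bullet lines into records and names the flag arguments whose meaning the Win32 prototype fixes. It is an added example, not part of the Joe Sandbox report and not code from the sample. The sample lines are copied from the APIs sections on this page; the decoding assumes the logged argument positions match the decompiled call for VirtualProtect and LoadLibraryExW only (the report logs a raw stack window, so every other argument is kept as a number).

```python
"""Parse Joe Sandbox 'APIs' bullet lines and decode fixed-meaning flags.

Added example for this page; not part of the report or the sample.
Assumption: positional decoding is only applied to VirtualProtect and
LoadLibraryExW, whose logged arguments match the decompiled calls.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: bullet lines copied from the APIs sections on this page.
SAMPLE_LINES = [
    "• CreateProcessW.KERNELBASE ref: 0040573B",
    "• CloseHandle.KERNEL32(0040A300), ref: 00405748",
    "  • Part of subcall function 00405191: lstrcatW.KERNEL32(007A0F20,00403168), ref: 004051EC",
    "• LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FFF",
    "• FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 0040207C",
    "  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?,?,0040232B,00000002), ref: 00402CF1",
    "• VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5",
]

LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants for the two argument positions decoded below.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
LOAD_LIBRARY_FLAGS = {
    0x0001: "DONT_RESOLVE_DLL_REFERENCES",
    0x0002: "LOAD_LIBRARY_AS_DATAFILE",
    0x0008: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x0010: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x0020: "LOAD_LIBRARY_AS_IMAGE_RESOURCE",
    0x0040: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE",
    0x0100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR",
    0x0200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
    0x0400: "LOAD_LIBRARY_SEARCH_USER_DIRS",
    0x0800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                        # int per logged argument, None where the report shows '?'
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set for 'Part of subcall function' lines


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one bullet of an APIs section; None when the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = []
    if m.group("args"):
        for a in m.group("args").split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))
    sub = m.group("sub")
    return ApiCall(api=m.group("api"), module=m.group("module"), args=args,
                   ref=int(m.group("ref"), 16), subcall_of=int(sub, 16) if sub else None)


def decode_bitmask(value: int, table: dict) -> list:
    """Expand a flag word into names; bits not in the table are reported in hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:x}")
    return names


def decode_call(call: ApiCall) -> dict:
    """Name the arguments whose meaning the Win32 prototype fixes."""
    out = {}
    if call.api == "VirtualProtect" and len(call.args) >= 4 and call.args[2] is not None:
        out["address"], out["size"] = call.args[0], call.args[1]
        out["protect"] = PAGE_PROTECTION.get(call.args[2] & 0xFF, f"0x{call.args[2]:x}")
    elif call.api == "LoadLibraryExW" and len(call.args) >= 3 and call.args[2] is not None:
        out["flags"] = decode_bitmask(call.args[2], LOAD_LIBRARY_FLAGS)
    return out


def triage(lines) -> list:
    """Return (call, note) pairs for the calls worth a second look."""
    findings = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        info = decode_call(call)
        if "LOAD_WITH_ALTERED_SEARCH_PATH" in info.get("flags", []):
            findings.append((call, "DLL loaded with altered search path: its dependencies resolve from the DLL's own directory first"))
        if info.get("protect") in ("PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"):
            findings.append((call, f"writable+executable page at 0x{info['address']:x} ({info['size']} bytes): self-modifying code candidate"))
    return findings


if __name__ == "__main__":
    for call, note in triage(SAMPLE_LINES):
        print(f"{call.api} @ {call.ref:08x}: {note}")
```

Run on the sample lines it reports the LoadLibraryExW call at 00401FFF and the VirtualProtect call at 100027E5; the RegOpenKeyExW subcall is parsed but left undecoded because its logged argument list does not line up with the 0x20019 access mask the decompiled caller passes.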

                                                C-Code - Quality: 100%
                                                 			_entry_(intOrPtr _a4, intOrPtr _a8) { // DllMain of the module at 0x10000000: _a4 is hinstDLL, _a8 is fdwReason
                                                 
                                                 				 *0x10004048 = _a4; // keep hinstDLL
                                                 				if(_a8 == 1) { // DLL_PROCESS_ATTACH
                                                 					VirtualProtect(0x1000405c, 4, 0x40, 0x1000404c); // executed; 0x40 == PAGE_EXECUTE_READWRITE, previous protection stored at 0x1000404c
                                                 					 *0x1000405c = 0xc2; // write the x86 RET imm16 opcode to the byte just made writable
                                                 					 *0x1000404c = 0; // then zero the saved protection and the remaining globals
                                                 					 *0x10004054 = 0;
                                                 					 *0x10004068 = 0;
                                                 					 *0x10004058 = 0;
                                                 					 *0x10004050 = 0;
                                                 					 *0x10004060 = 0;
                                                 					 *0x1000405e = 0;
                                                 				}
                                                 				return 1; // TRUE
                                                 			}

                                                APIs
                                                • VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.568170336.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000000.00000002.568166890.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 00000000.00000002.568174284.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 00000000.00000002.568181130.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID: `ghv@Mhv
                                                • API String ID: 544645111-2667177705
                                                • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                • Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
                                                • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                • Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E00401389(signed int _a4) {
                                                				intOrPtr* _t6;
                                                				void* _t8;
                                                				void* _t10;
                                                				signed int _t11;
                                                				void* _t12;
                                                				signed int _t16;
                                                				signed int _t17;
                                                				void* _t18;
                                                
                                                				_t17 = _a4;
                                                				while(_t17 >= 0) {
                                                					_t6 = _t17 * 0x1c +  *0x7a8a70;
                                                					if( *_t6 == 1) {
                                                						break;
                                                					}
                                                					_push(_t6); // executed
                                                					_t8 = E00401434(); // executed
                                                					if(_t8 == 0x7fffffff) {
                                                						return 0x7fffffff;
                                                					}
                                                					_t10 = E0040136D(_t8);
                                                					if(_t10 != 0) {
                                                						_t11 = _t10 - 1;
                                                						_t16 = _t17;
                                                						_t17 = _t11;
                                                						_t12 = _t11 - _t16;
                                                					} else {
                                                						_t12 = _t10 + 1;
                                                						_t17 = _t17 + 1;
                                                					}
                                                					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                						 *0x7a7a2c =  *0x7a7a2c + _t12;
                                                						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x7a7a2c, 0x7530,  *0x7a7a14), 0); // executed
                                                					}
                                                				}
                                                				return 0;
                                                			}

                                                Addresses: 0x0040138a 0x004013fa 0x0040139b 0x004013a0 0x00000000 0x00000000 0x004013a2 0x004013a3 0x004013ad 0x00000000 0x00401404 0x004013b0 0x004013b7 0x004013bd 0x004013be 0x004013c0 0x004013c2 0x004013b9 0x004013b9 0x004013ba 0x004013ba 0x004013c9 0x004013cb 0x004013f4 0x004013f4 0x004013c9 0x00000000

                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 564535d36588263e3f9deefe94a200e845c26c7dee2e47344d25cef9fda2a614
                                                • Instruction ID: 4d11fbcb8758acff49efb51301ce17a4c0d3f2729c831b224df7ca8d4f3fd522
                                                • Opcode Fuzzy Hash: 564535d36588263e3f9deefe94a200e845c26c7dee2e47344d25cef9fda2a614
                                                • Instruction Fuzzy Hash: 0D01F432624210ABE7095B389D04B6A3698E755314F10C53FF851F66F1DA78CC02DB4D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040231F(void* __ebx) {
                                                				short* _t6;
                                                				long _t8;
                                                				void* _t11;
                                                				void* _t15;
                                                				long _t19;
                                                				void* _t22;
                                                				void* _t23;
                                                
                                                				_t15 = __ebx;
                                                				_t26 =  *(_t23 - 0x1c) - __ebx;
                                                				if( *(_t23 - 0x1c) != __ebx) {
                                                					_t6 = E00402BBF(0x22);
                                                					_t18 =  *(_t23 - 0x1c) & 0x00000002;
                                                					__eflags =  *(_t23 - 0x1c) & 0x00000002;
                                                					_t8 = E00402BFF(E00402CB4( *((intOrPtr*)(_t23 - 0x28))), _t6, _t18); // executed
                                                					_t19 = _t8;
                                                					goto L4;
                                                				} else {
                                                					_t11 = E00402CC9(_t26, 2); // executed
                                                					_t22 = _t11;
                                                					if(_t22 == __ebx) {
                                                						L6:
                                                						 *((intOrPtr*)(_t23 - 4)) = 1;
                                                					} else {
                                                						_t19 = RegDeleteValueW(_t22, E00402BBF(0x33));
                                                						RegCloseKey(_t22);
                                                						L4:
                                                						if(_t19 != _t15) {
                                                							goto L6;
                                                						}
                                                					}
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t23 - 4));
                                                				return 0;
                                                			}

                                                Addresses: 0x0040231f 0x0040231f 0x00402322 0x00402351 0x00402359 0x00402359 0x00402367 0x0040236c 0x00000000 0x00402324 0x00402326 0x0040232b 0x0040232f 0x0040281e 0x0040281e 0x00402335 0x00402345 0x00402347 0x0040236e 0x00402370 0x00000000 0x00402376 0x00402370 0x0040232f 0x00402a4f 0x00402a5b

                                                APIs
                                                  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?,?,0040232B,00000002), ref: 00402CF1
                                                • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033,00000002), ref: 0040233E
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00402347
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CloseDeleteOpenValue
                                                • String ID:
                                                • API String ID: 849931509-0
                                                • Opcode ID: 77460bd49ef5699d8326dfc913d723684c59f90a6791b38fbb55a59eac76fc56
                                                • Instruction ID: 84b37c2a738164438e1dccf168bab5f9c0075825efa18c6fe23cdbeb1825a049
                                                • Opcode Fuzzy Hash: 77460bd49ef5699d8326dfc913d723684c59f90a6791b38fbb55a59eac76fc56
                                                • Instruction Fuzzy Hash: 03F04F72A04110ABEB11BFF59B4EABE7269AB80314F15803BF501B71D5D9FC99015629
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040156B(void* __ebx) {
                                                				int _t4;
                                                				void* _t9;
                                                				struct HWND__* _t11;
                                                				struct HWND__* _t12;
                                                				void* _t16;
                                                
                                                				_t9 = __ebx;
                                                				_t11 =  *0x7a7a10; // 0x0
                                                				if(_t11 != __ebx) {
                                                					ShowWindow(_t11,  *(_t16 - 0x28));
                                                					_t4 =  *(_t16 - 0x2c);
                                                				}
                                                				_t12 =  *0x7a7a24; // 0x103d4
                                                				if(_t12 != _t9) {
                                                					ShowWindow(_t12, _t4); // executed
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t16 - 4));
                                                				return 0;
                                                			}

                                                Addresses: 0x0040156b 0x0040156b 0x00401579 0x0040157f 0x00401581 0x00401581 0x00401584 0x0040158c 0x00401594 0x00401594 0x00402a4f 0x00402a5b

                                                APIs
                                                • ShowWindow.USER32(00000000,?), ref: 0040157F
                                                • ShowWindow.USER32(000103D4), ref: 00401594
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: ShowWindow
                                                • String ID:
                                                • API String ID: 1268545403-0
                                                • Opcode ID: 02f0ac1b67cb2627b76fb2ddbe3cc81ab2ed57dd30b63018c57652a54df5b954
                                                • Instruction ID: ed417bde94489f19056025a1bce11d2b054895382ff63e29ca54f2f43ae8860f
                                                • Opcode Fuzzy Hash: 02f0ac1b67cb2627b76fb2ddbe3cc81ab2ed57dd30b63018c57652a54df5b954
                                                • Instruction Fuzzy Hash: AFE048727141049BCB14DBA8DD808AE77A6A784310714843BD502B3660C678DD10CF68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00406408(signed int _a4) {
                                                				struct HINSTANCE__* _t5;
                                                				signed int _t10;
                                                
                                                				_t10 = _a4 << 3;
                                                				_t8 =  *(_t10 + 0x40a400);
                                                				_t5 = GetModuleHandleA( *(_t10 + 0x40a400));
                                                				if(_t5 != 0) {
                                                					L2:
                                                					return GetProcAddress(_t5,  *(_t10 + 0x40a404));
                                                				}
                                                				_t5 = E0040639C(_t8); // executed
                                                				if(_t5 == 0) {
                                                					return 0;
                                                				}
                                                				goto L2;
                                                			}

                                                Addresses: 0x00406410 0x00406413 0x0040641a 0x00406422 0x0040642e 0x00000000 0x00406435 0x00406425 0x0040642c 0x00000000 0x0040643d 0x00000000

                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,?,00000020,004032E9,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040641A
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00406435
                                                  • Part of subcall function 0040639C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063B3
                                                  • Part of subcall function 0040639C: wsprintfW.USER32 ref: 004063EE
                                                  • Part of subcall function 0040639C: LoadLibraryW.KERNELBASE(?), ref: 004063FE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                • String ID:
                                                • API String ID: 2547128583-0
                                                • Opcode ID: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
                                                • Instruction ID: 1e5dc79a2ed4663847ded95c08da113472191569ceef3ff13fe49cb738333a03
                                                • Opcode Fuzzy Hash: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
                                                • Instruction Fuzzy Hash: 67E0863660422056D2105B745E44D3762A89F94700306043EFA42F2041DB789C32AB6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
                                                • EnableWindow.USER32(00000000,00000000), ref: 00401DFD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Window$EnableShow
                                                • String ID:
                                                • API String ID: 1136574915-0
                                                • Opcode ID: a0400a1b9fb92a3480c647e1a3800c271ea7f123647fdd228604a41f3657c97f
                                                • Instruction ID: b4fe0a8816f2230fb6c640b22720df2591e8103d6b5d86596318fd3cb962ccd0
                                                • Opcode Fuzzy Hash: a0400a1b9fb92a3480c647e1a3800c271ea7f123647fdd228604a41f3657c97f
                                                • Instruction Fuzzy Hash: B9E0C2326005009FCB10AFF5AF4999D3375EF90369710407FE402F10E1CABC9C408A2D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 68%
                                                			E00405C07(WCHAR* _a4, long _a8, long _a12) {
                                                				signed int _t5;
                                                				void* _t6;
                                                
                                                				_t5 = GetFileAttributesW(_a4); // executed
                                                				asm("sbb ecx, ecx");
                                                				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                				return _t6;
                                                			}





                                                0x00405c0b
                                                0x00405c18
                                                0x00405c2d
                                                0x00405c33

                                                APIs
                                                • GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405C0B
                                                • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403517,?), ref: 00405C2D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
                                                • Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
                                                • Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
                                                • Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405BE2(WCHAR* _a4) {
                                                				signed char _t3;
                                                				signed char _t7;
                                                
                                                				_t3 = GetFileAttributesW(_a4); // executed
                                                				_t7 = _t3;
                                                				if(_t7 != 0xffffffff) {
                                                					SetFileAttributesW(_a4, _t3 & 0x000000fe);
                                                				}
                                                				return _t7;
                                                			}





                                                0x00405be7
                                                0x00405bed
                                                0x00405bf2
                                                0x00405bfb
                                                0x00405bfb
                                                0x00405c04

                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,?,004057E7,?,?,00000000,004059BD,?,?,?,?), ref: 00405BE7
                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405BFB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                • Instruction ID: 2c4e6be97b113ceed9239146329651d13cb313475d1ce615590156906e373da3
                                                • Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                • Instruction Fuzzy Hash: 07D01272504520AFC2102738EF0C89BBF55EB543717064B35FAF9A22F0CB314C56DA98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004056DD(WCHAR* _a4) {
                                                				int _t2;
                                                
                                                				_t2 = CreateDirectoryW(_a4, 0); // executed
                                                				if(_t2 == 0) {
                                                					return GetLastError();
                                                				}
                                                				return 0;
                                                			}




                                                0x004056e3
                                                0x004056eb
                                                0x00000000
                                                0x004056f1
                                                0x00000000

                                                APIs
                                                • CreateDirectoryW.KERNELBASE(?,00000000,00403270,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 004056E3
                                                • GetLastError.KERNEL32 ref: 004056F1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CreateDirectoryErrorLast
                                                • String ID:
                                                • API String ID: 1375471231-0
                                                • Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
                                                • Instruction ID: 43b8cc017be4ea794887f60b7ff78796ccb4e437ad0dace2cbd4982aac0f1f36
                                                • Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
                                                • Instruction Fuzzy Hash: 02C04C30614602DBD6105B20DE08B177950EB54781F518839614AE11A0DA768455FF2D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 70%
                                                			E00401673() {
                                                				int _t7;
                                                				void* _t13;
                                                				void* _t15;
                                                				void* _t20;
                                                
                                                				_t18 = E00402BBF(0xffffffd0);
                                                				_t16 = E00402BBF(0xffffffdf);
                                                				E00402BBF(0x13);
                                                				_t7 = MoveFileW(_t4, _t5); // executed
                                                				if(_t7 == 0) {
                                                					if( *((intOrPtr*)(_t20 - 0x24)) == _t13 || E00406375(_t18) == 0) {
                                                						 *((intOrPtr*)(_t20 - 4)) = 1;
                                                					} else {
                                                						E00405ED3(_t15, _t18, _t16);
                                                						_push(0xffffffe4);
                                                						goto L5;
                                                					}
                                                				} else {
                                                					_push(0xffffffe3);
                                                					L5:
                                                					E00401423();
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t20 - 4));
                                                				return 0;
                                                			}







                                                0x0040167c
                                                0x00401685
                                                0x00401687
                                                0x0040168e
                                                0x00401696
                                                0x004016a2
                                                0x0040281e
                                                0x004016b6
                                                0x004016b8
                                                0x004016bd
                                                0x00000000
                                                0x004016bd
                                                0x00401698
                                                0x00401698
                                                0x004021dc
                                                0x004021dc
                                                0x004021dc
                                                0x00402a4f
                                                0x00402a5b

                                                APIs
                                                • MoveFileW.KERNEL32(00000000,00000000), ref: 0040168E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: FileMove
                                                • String ID:
                                                • API String ID: 3562171763-0
                                                • Opcode ID: c3778459728d826bbdac694ea121f0bef50cf8d752e3b99a0464db8e1b3f2e90
                                                • Instruction ID: 39a705c871337a298e289750b84dd0ffd285fe21b7fc35a555db8342d30c8454
                                                • Opcode Fuzzy Hash: c3778459728d826bbdac694ea121f0bef50cf8d752e3b99a0464db8e1b3f2e90
                                                • Instruction Fuzzy Hash: 38F0B431604114A7CB10BBBA4F0DD5F32A59B82338B24467BF911F21D5DAFC8A4186AF
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 34%
                                                			E00402786(void* __eflags) {
                                                				long _t7;
                                                				long _t9;
                                                				LONG* _t11;
                                                				void* _t13;
                                                				void* _t15;
                                                				void* _t17;
                                                
                                                				_push(ds);
                                                				if(__eflags != 0) {
                                                					_t7 = E00402BA2(2);
                                                					_t9 = SetFilePointer(E00405F92(_t13, _t15), _t7, _t11,  *(_t17 - 0x20)); // executed
                                                					if( *((intOrPtr*)(_t17 - 0x28)) >= _t11) {
                                                						_push(_t9);
                                                						_push( *((intOrPtr*)(_t17 - 0x10)));
                                                						E00405F79();
                                                					}
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t17 - 4));
                                                				return 0;
                                                			}









                                                0x00402786
                                                0x00402787
                                                0x00402793
                                                0x004027a0
                                                0x004027a9
                                                0x004029ee
                                                0x004029ef
                                                0x004029f2
                                                0x004029f2
                                                0x004027a9
                                                0x00402a4f
                                                0x00402a5b

                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0
                                                  • Part of subcall function 00405F79: wsprintfW.USER32 ref: 00405F86
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: FilePointerwsprintf
                                                • String ID:
                                                • API String ID: 327478801-0
                                                • Opcode ID: e6b1ca666dcbd82e8a1de2ea37f9ef81104a41e8613c43d0bfa43493d1c7e0f2
                                                • Instruction ID: 6e13d26e98101992f91f16a3b10818fa49d07bfc2575382a514d36e2453af549
                                                • Opcode Fuzzy Hash: e6b1ca666dcbd82e8a1de2ea37f9ef81104a41e8613c43d0bfa43493d1c7e0f2
                                                • Instruction Fuzzy Hash: 33E04F71701518AFDB41AFA59E4ACBF776AEB40328B14843BF105F00E1CABD8C119A2E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040172D() {
                                                				long _t5;
                                                				WCHAR* _t8;
                                                				WCHAR* _t12;
                                                				void* _t14;
                                                				long _t17;
                                                
                                                				_t5 = SearchPathW(_t8, E00402BBF(0xffffffff), _t8, 0x400, _t12, _t14 + 8); // executed
                                                				_t17 = _t5;
                                                				if(_t17 == 0) {
                                                					 *((intOrPtr*)(_t14 - 4)) = 1;
                                                					 *_t12 = _t8;
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t14 - 4));
                                                				return 0;
                                                			}








                                                0x00401741
                                                0x00401747
                                                0x00401749
                                                0x004027ec
                                                0x004027f3
                                                0x004027f3
                                                0x00402a4f
                                                0x00402a5b

                                                APIs
                                                • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401741
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: PathSearch
                                                • String ID:
                                                • API String ID: 2203818243-0
                                                • Opcode ID: 6c3bf02cedd953c02cf191020c70236bab39714c6f7018b829d4b0d23e56155e
                                                • Instruction ID: b70941bc7738bb9b0414a64e3b7b2b1df016234940ef209bc10d8c2c44c885ef
                                                • Opcode Fuzzy Hash: 6c3bf02cedd953c02cf191020c70236bab39714c6f7018b829d4b0d23e56155e
                                                • Instruction Fuzzy Hash: 81E08071300100ABD750CFA4DE49AAA776CDF40378F20417BF515E61D1E6B49A41972D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
			E00402CC9(void* __eflags, void* _a4) {
				short* _t8;
				intOrPtr _t9;
				signed int _t11;

				_t8 = E00402BBF(0x22); // subkey name string
				_t9 =  *0x40cdc8; // 0x3b8fc5c
				// hKey comes from E00402CB4; the access mask ORs the global at 0x7a8af0 into _a4;
				// the opened handle is written back into _a4 (phkResult)
				_t11 = RegOpenKeyExW(E00402CB4( *((intOrPtr*)(_t9 + 4))), _t8, 0,  *0x7a8af0 | _a4,  &_a4); // executed
				asm("sbb eax, eax");
				// returns the opened key handle when the call returned ERROR_SUCCESS (0), otherwise 0
				return  !( ~_t11) & _a4;
			}

                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?,?,0040232B,00000002), ref: 00402CF1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Open
                                                • String ID:
                                                • API String ID: 71445658-0
                                                • Opcode ID: 9da2ebaaada2ed444504018bdaab7b440fc23c9bd071d66725cd28ab7958d0a8
                                                • Instruction ID: 818ee9457f1dd57358e842bea021a20957f37b1b048482a93cb04bcf3cfa71ad
                                                • Opcode Fuzzy Hash: 9da2ebaaada2ed444504018bdaab7b440fc23c9bd071d66725cd28ab7958d0a8
                                                • Instruction Fuzzy Hash: DBE08676250108BFDB00DFA8DE47FD537ECAB44700F008021BA08D70D1C774E5408768
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
			E00405C8A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				// ReadFile wrapper: _a4 = handle, _a8 = buffer, _a12 = bytes to read;
				// _a12 is reused as lpNumberOfBytesRead
				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				// succeeds only if the call succeeded and exactly the requested length was read
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403232,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405C9E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
                                                • Instruction ID: 79895e6dacc008681341a1447f190e2469ffe8152373b8c922f561a90a2bf5e3
                                                • Opcode Fuzzy Hash: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
                                                • Instruction Fuzzy Hash: FCE08C3220921AABEF11AF908C00EEB3B6CFF04360F004832F910E7240D230E8218BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
			E00405CB9(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				// WriteFile wrapper: _a4 = handle, _a8 = buffer, _a12 = bytes to write;
				// _a12 is reused as lpNumberOfBytesWritten
				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				// succeeds only if the call succeeded and exactly the requested length was written
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

                                                APIs
                                                • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031E8,00000000,0078B6F8,000000FF,0078B6F8,000000FF,000000FF,00000004,00000000), ref: 00405CCD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                                                • Instruction ID: 3bcd5730ec7463d7366e74611f21d1d4cfbccb505e455464be6c792c77663440
                                                • Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                                                • Instruction Fuzzy Hash: ABE0EC3225465AABEF109E559C00EEB7B6CFB057A0F044837F915E3150D631E921EBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
			E0040159B() {
				int _t5;
				void* _t11;
				int _t14;

				// path string from E00402BBF(0xfffffff0); attribute mask from the frame slot at _t11 - 0x28
				_t5 = SetFileAttributesW(E00402BBF(0xfffffff0),  *(_t11 - 0x28)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					// on failure, raise the error flag kept at _t11 - 4
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				// the error flag is accumulated into the global counter at 0x7a8ac8
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

                                                APIs
                                                • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 627040d589bdeab8fa2eb58a529c745ef8675100561ec111daf7d71d3d3e8b9e
                                                • Instruction ID: 919d528a87020fadcf7da11d7c25636ac447c6c10cfa6ed71665d8ccb2c3e407
                                                • Opcode Fuzzy Hash: 627040d589bdeab8fa2eb58a529c745ef8675100561ec111daf7d71d3d3e8b9e
                                                • Instruction Fuzzy Hash: 4DD05E73B04100DBCB50DFE8AE08A9D77B5AB80338B24C177E601F25E4DAB8C6509B1E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
			E00404142(int _a4) {
				struct HWND__* _t2;
				long _t3;

				// window handle stored in the global at 0x7a7a18
				_t2 =  *0x7a7a18; // 0x103ce
				if(_t2 != 0) {
					// send message _a4 with wParam = lParam = 0 and return its result
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				// no window: returns the null handle
				return _t2;
			}

                                                APIs
                                                • SendMessageW.USER32(000103CE,00000000,00000000,00000000), ref: 00404154
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 34b1e43e723837e4f12290cd16e63c230a0646a25d15ec9393d9ca5565e974df
                                                • Instruction ID: cc05bc227ed13b811f407cb85d7c2569ddbf91d4c39e4ff41bb473b50526893a
                                                • Opcode Fuzzy Hash: 34b1e43e723837e4f12290cd16e63c230a0646a25d15ec9393d9ca5565e974df
                                                • Instruction Fuzzy Hash: ABC09B71744700BBEA10DF649D49F1777547BA4751F14C8297351F51D0C674D450D71C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
			E0040412B(int _a4) {
				long _t2;

				// 0x28 = WM_NEXTDLGCTL sent to the dialog handle at 0x7a8a48:
				// lParam 1 means wParam (_a4) is the window handle that receives focus
				_t2 = SendMessageW( *0x7a8a48, 0x28, _a4, 1); // executed
				return _t2;
			}

                                                APIs
                                                • SendMessageW.USER32(00000028,?,00000001,00403F57), ref: 00404139
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00403235(long _a4) {
                                                				long _t2;
                                                
                                                				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                				return _t2;
                                                			}

                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,00403517,?), ref: 00403243
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00404118(int _a4) {
                                                				int _t2;
                                                
                                                				_t2 = EnableWindow( *0x7a1f3c, _a4); // executed
                                                				return _t2;
                                                			}

                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(?,00403EF0), ref: 00404122
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004014D7() {
                                                				long _t2;
                                                				void* _t6;
                                                				void* _t10;
                                                
                                                				_t2 = E00402BA2(_t6);
                                                				if(_t2 <= 1) {
                                                					_t2 = 1;
                                                				}
                                                				Sleep(_t2); // executed
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t10 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • Sleep.KERNELBASE(00000000), ref: 004014E6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID:
                                                • API String ID: 3472027048-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E1000121B() {
                                                				void* _t3;
                                                
                                                				_t3 = GlobalAlloc(0x40,  *0x1000406c +  *0x1000406c); // executed
                                                				return _t3;
                                                			}

                                                APIs
                                                • GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.568170336.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: AllocGlobal
                                                • String ID:
                                                • API String ID: 3761449716-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E00404B0D(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                				struct HWND__* _v8;
                                                				struct HWND__* _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				intOrPtr _v24;
                                                				signed char* _v28;
                                                				long _v32;
                                                				signed int _v40;
                                                				int _v44;
                                                				signed int* _v56;
                                                				signed char* _v60;
                                                				signed int _v64;
                                                				long _v68;
                                                				void* _v72;
                                                				intOrPtr _v76;
                                                				intOrPtr _v80;
                                                				void* _v84;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t192;
                                                				intOrPtr _t195;
                                                				intOrPtr _t197;
                                                				long _t201;
                                                				signed int _t205;
                                                				signed int _t216;
                                                				void* _t219;
                                                				void* _t220;
                                                				int _t226;
                                                				signed int _t231;
                                                				signed int _t232;
                                                				signed int _t233;
                                                				signed int _t239;
                                                				signed int _t241;
                                                				signed char _t242;
                                                				signed char _t248;
                                                				void* _t252;
                                                				void* _t254;
                                                				signed char* _t270;
                                                				signed char _t271;
                                                				long _t276;
                                                				int _t282;
                                                				signed int _t283;
                                                				long _t284;
                                                				signed int _t287;
                                                				signed int _t294;
                                                				signed char* _t302;
                                                				struct HWND__* _t306;
                                                				int _t307;
                                                				signed int* _t308;
                                                				int _t309;
                                                				long _t310;
                                                				signed int _t311;
                                                				void* _t313;
                                                				long _t314;
                                                				int _t315;
                                                				signed int _t316;
                                                				void* _t318;
                                                
                                                				_t306 = _a4;
                                                				_v12 = GetDlgItem(_t306, 0x3f9);
                                                				_v8 = GetDlgItem(_t306, 0x408);
                                                				_t318 = SendMessageW;
                                                				_v20 =  *0x7a8a68;
                                                				_t282 = 0;
                                                				_v24 =  *0x7a8a50 + 0x94;
                                                				if(_a8 != 0x110) {
                                                					L23:
                                                					if(_a8 != 0x405) {
                                                						_t285 = _a16;
                                                					} else {
                                                						_a12 = _t282;
                                                						_t285 = 1;
                                                						_a8 = 0x40f;
                                                						_a16 = 1;
                                                					}
                                                					if(_a8 == 0x4e || _a8 == 0x413) {
                                                						_v16 = _t285;
                                                						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
                                                							if(( *0x7a8a59 & 0x00000002) != 0) {
                                                								L41:
                                                								if(_v16 != _t282) {
                                                									_t231 = _v16;
                                                									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
                                                										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c));
                                                									}
                                                									_t232 = _v16;
                                                									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
                                                										_t285 = _v20;
                                                										_t233 =  *(_t232 + 0x5c);
                                                										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
                                                											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
                                                										} else {
                                                											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
                                                										}
                                                									}
                                                								}
                                                								goto L48;
                                                							}
                                                							if(_a8 == 0x413) {
                                                								L33:
                                                								_t285 = 0 | _a8 != 0x00000413;
                                                								_t239 = E00404A5B(_v8, _a8 != 0x413);
                                                								_t311 = _t239;
                                                								if(_t311 >= _t282) {
                                                									_t88 = _v20 + 8; // 0x8
                                                									_t285 = _t239 * 0x818 + _t88;
                                                									_t241 =  *_t285;
                                                									if((_t241 & 0x00000010) == 0) {
                                                										if((_t241 & 0x00000040) == 0) {
                                                											_t242 = _t241 ^ 0x00000001;
                                                										} else {
                                                											_t248 = _t241 ^ 0x00000080;
                                                											if(_t248 >= 0) {
                                                												_t242 = _t248 & 0x000000fe;
                                                											} else {
                                                												_t242 = _t248 | 0x00000001;
                                                											}
                                                										}
                                                										 *_t285 = _t242;
                                                										E0040117D(_t311);
                                                										_a12 = _t311 + 1;
                                                										_a16 =  !( *0x7a8a58) >> 0x00000008 & 0x00000001;
                                                										_a8 = 0x40f;
                                                									}
                                                								}
                                                								goto L41;
                                                							}
                                                							_t285 = _a16;
                                                							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                								goto L41;
                                                							}
                                                							goto L33;
                                                						} else {
                                                							goto L48;
                                                						}
                                                					} else {
                                                						L48:
                                                						if(_a8 != 0x111) {
                                                							L56:
                                                							if(_a8 == 0x200) {
                                                								SendMessageW(_v8, 0x200, _t282, _t282);
                                                							}
                                                							if(_a8 == 0x40b) {
                                                								_t219 =  *0x7a1f24;
                                                								if(_t219 != _t282) {
                                                									ImageList_Destroy(_t219);
                                                								}
                                                								_t220 =  *0x7a1f38;
                                                								if(_t220 != _t282) {
                                                									GlobalFree(_t220);
                                                								}
                                                								 *0x7a1f24 = _t282;
                                                								 *0x7a1f38 = _t282;
                                                								 *0x7a8aa0 = _t282;
                                                							}
                                                							if(_a8 != 0x40f) {
                                                								L88:
                                                								if(_a8 == 0x420 && ( *0x7a8a59 & 0x00000001) != 0) {
                                                									_t307 = (0 | _a16 == 0x00000020) << 3;
                                                									ShowWindow(_v8, _t307);
                                                									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
                                                								}
                                                								goto L91;
                                                							} else {
                                                								E004011EF(_t285, _t282, _t282);
                                                								_t192 = _a12;
                                                								if(_t192 != _t282) {
                                                									if(_t192 != 0xffffffff) {
                                                										_t192 = _t192 - 1;
                                                									}
                                                									_push(_t192);
                                                									_push(8);
                                                									E00404ADB();
                                                								}
                                                								if(_a16 == _t282) {
                                                									L75:
                                                									E004011EF(_t285, _t282, _t282);
                                                									_v32 =  *0x7a1f38;
                                                									_t195 =  *0x7a8a68;
                                                									_v60 = 0xf030;
                                                									_v20 = _t282;
                                                									if( *0x7a8a6c <= _t282) {
                                                										L86:
                                                										InvalidateRect(_v8, _t282, 1);
                                                										_t197 =  *0x7a7a1c; // 0xa39294
                                                										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
                                                											E00404A16(0x3ff, 0xfffffffb, E00404A2E(5));
                                                										}
                                                										goto L88;
                                                									}
                                                									_t308 = _t195 + 8;
                                                									do {
                                                										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
                                                										if(_t201 != _t282) {
                                                											_t287 =  *_t308;
                                                											_v68 = _t201;
                                                											_v72 = 8;
                                                											if((_t287 & 0x00000001) != 0) {
                                                												_v72 = 9;
                                                												_v56 =  &(_t308[4]);
                                                												_t308[0] = _t308[0] & 0x000000fe;
                                                											}
                                                											if((_t287 & 0x00000040) == 0) {
                                                												_t205 = (_t287 & 0x00000001) + 1;
                                                												if((_t287 & 0x00000010) != 0) {
                                                													_t205 = _t205 + 3;
                                                												}
                                                											} else {
                                                												_t205 = 3;
                                                											}
                                                											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
                                                											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
                                                											SendMessageW(_v8, 0x113f, _t282,  &_v72);
                                                										}
                                                										_v20 = _v20 + 1;
                                                										_t308 =  &(_t308[0x206]);
                                                									} while (_v20 <  *0x7a8a6c);
                                                									goto L86;
                                                								} else {
                                                									_t309 = E004012E2( *0x7a1f38);
                                                									E00401299(_t309);
                                                									_t216 = 0;
                                                									_t285 = 0;
                                                									if(_t309 <= _t282) {
                                                										L74:
                                                										SendMessageW(_v12, 0x14e, _t285, _t282);
                                                										_a16 = _t309;
                                                										_a8 = 0x420;
                                                										goto L75;
                                                									} else {
                                                										goto L71;
                                                									}
                                                									do {
                                                										L71:
                                                										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
                                                											_t285 = _t285 + 1;
                                                										}
                                                										_t216 = _t216 + 1;
                                                									} while (_t216 < _t309);
                                                									goto L74;
                                                								}
                                                							}
                                                						}
                                                						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                							goto L91;
                                                						} else {
                                                							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
                                                							if(_t226 == 0xffffffff) {
                                                								goto L91;
                                                							}
                                                							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
                                                							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
                                                								_t310 = 0x20;
                                                							}
                                                							E00401299(_t310);
                                                							SendMessageW(_a4, 0x420, _t282, _t310);
                                                							_a12 = _a12 | 0xffffffff;
                                                							_a16 = _t282;
                                                							_a8 = 0x40f;
                                                							goto L56;
                                                						}
                                                					}
                                                				} else {
                                                					_v32 = 0;
                                                					_v16 = 2;
                                                					 *0x7a8aa0 = _t306;
                                                					 *0x7a1f38 = GlobalAlloc(0x40,  *0x7a8a6c << 2);
                                                					_t252 = LoadBitmapW( *0x7a8a40, 0x6e);
                                                					 *0x7a1f2c =  *0x7a1f2c | 0xffffffff;
                                                					_t313 = _t252;
                                                					 *0x7a1f34 = SetWindowLongW(_v8, 0xfffffffc, E00405105);
                                                					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                					 *0x7a1f24 = _t254;
                                                					ImageList_AddMasked(_t254, _t313, 0xff00ff);
                                                					SendMessageW(_v8, 0x1109, 2,  *0x7a1f24);
                                                					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                                                						SendMessageW(_v8, 0x111b, 0x10, 0);
                                                					}
                                                					DeleteObject(_t313);
                                                					_t314 = 0;
                                                					do {
                                                						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
                                                						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
                                                							if(_t314 != 0x20) {
                                                								_v16 = _t282;
                                                							}
                                                							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E00406054(_t282, _t314, _t318, _t282, _t260)), _t314);
                                                						}
                                                						_t314 = _t314 + 1;
                                                					} while (_t314 < 0x21);
                                                					_t315 = _a16;
                                                					_t283 = _v16;
                                                					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
                                                					_push(0x15);
                                                					E004040F6(_a4);
                                                					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
                                                					_push(0x16);
                                                					E004040F6(_a4);
                                                					_t316 = 0;
                                                					_t284 = 0;
                                                					if( *0x7a8a6c <= 0) {
                                                						L19:
                                                						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                                                						goto L20;
                                                					} else {
                                                						_t302 = _v20 + 8;
                                                						_v28 = _t302;
                                                						do {
                                                							_t270 =  &(_t302[0x10]);
                                                							if( *_t270 != 0) {
                                                								_v60 = _t270;
                                                								_t271 =  *_t302;
                                                								_t294 = 0x20;
                                                								_v84 = _t284;
                                                								_v80 = 0xffff0002;
                                                								_v76 = 0xd;
                                                								_v64 = _t294;
                                                								_v40 = _t316;
                                                								_v68 = _t271 & _t294;
                                                								if((_t271 & 0x00000002) == 0) {
                                                									if((_t271 & 0x00000004) == 0) {
                                                										 *( *0x7a1f38 + _t316 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v84);
                                                									} else {
                                                										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
                                                									}
                                                								} else {
                                                									_v76 = 0x4d;
                                                									_v44 = 1;
                                                									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
                                                									_v32 = 1;
                                                									 *( *0x7a1f38 + _t316 * 4) = _t276;
                                                									_t284 =  *( *0x7a1f38 + _t316 * 4);
                                                								}
                                                							}
                                                							_t316 = _t316 + 1;
                                                							_t302 =  &(_v28[0x818]);
                                                							_v28 = _t302;
                                                						} while (_t316 <  *0x7a8a6c);
                                                						if(_v32 != 0) {
                                                							L20:
                                                							if(_v16 != 0) {
                                                								E0040412B(_v8);
                                                								_t282 = 0;
                                                								goto L23;
                                                							} else {
                                                								ShowWindow(_v12, 5);
                                                								E0040412B(_v12);
                                                								L91:
                                                								return E0040415D(_a8, _a12, _a16);
                                                							}
                                                						}
                                                						goto L19;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • GetDlgItem.USER32 ref: 00404B25
                                                • GetDlgItem.USER32 ref: 00404B30
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7A
                                                • LoadBitmapW.USER32(0000006E), ref: 00404B8D
                                                • SetWindowLongW.USER32 ref: 00404BA6
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBA
                                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCC
                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404BE2
                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEE
                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C00
                                                • DeleteObject.GDI32(00000000), ref: 00404C03
                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2E
                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3A
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD0
                                                • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFB
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D0F
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00404D3E
                                                • SetWindowLongW.USER32 ref: 00404D4C
                                                • ShowWindow.USER32(?,00000005), ref: 00404D5D
                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5A
                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EBF
                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED4
                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF8
                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F18
                                                • ImageList_Destroy.COMCTL32(?), ref: 00404F2D
                                                • GlobalFree.KERNEL32 ref: 00404F3D
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB6
                                                • SendMessageW.USER32(?,00001102,?,?), ref: 0040505F
                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506E
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0040508E
                                                • ShowWindow.USER32(?,00000000), ref: 004050DC
                                                • GetDlgItem.USER32 ref: 004050E7
                                                • ShowWindow.USER32(00000000), ref: 004050EE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $M$N
                                                • API String ID: 1638840714-813528018
                                                • Opcode ID: 7e0d7925856d8dc2a293aec0a36156ab26fb8fad00dbeb743b55e37ef2f2f0d3
                                                • Instruction ID: d02e9a787b540977323fb19233601523635b60db84404d8275966fa362dc0732
                                                • Opcode Fuzzy Hash: 7e0d7925856d8dc2a293aec0a36156ab26fb8fad00dbeb743b55e37ef2f2f0d3
                                                • Instruction Fuzzy Hash: 81027EB0900209EFEB109F94DD85AAE7BB5FB85314F10813AF610BA2E1CB799D51CF58
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E00404591(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				long _v16;
                                                				long _v20;
                                                				long _v24;
                                                				char _v28;
                                                				intOrPtr _v32;
                                                				long _v36;
                                                				char _v40;
                                                				unsigned int _v44;
                                                				signed int _v48;
                                                				WCHAR* _v56;
                                                				intOrPtr _v60;
                                                				intOrPtr _v64;
                                                				intOrPtr _v68;
                                                				WCHAR* _v72;
                                                				void _v76;
                                                				struct HWND__* _v80;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr _t82;
                                                				long _t87;
                                                				short* _t89;
                                                				void* _t95;
                                                				signed int _t96;
                                                				int _t109;
                                                				signed short _t114;
                                                				signed int _t118;
                                                				struct HWND__** _t122;
                                                				intOrPtr* _t138;
                                                				WCHAR* _t146;
                                                				intOrPtr _t147;
                                                				unsigned int _t150;
                                                				signed int _t152;
                                                				unsigned int _t156;
                                                				signed int _t158;
                                                				signed int* _t159;
                                                				signed int* _t160;
                                                				struct HWND__* _t166;
                                                				struct HWND__* _t167;
                                                				int _t169;
                                                				unsigned int _t197;
                                                
                                                				_t156 = __edx;
                                                				_t82 =  *0x7a0f18; // 0xa3657c
                                                				_v32 = _t82;
                                                				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x7a9000;
                                                				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                				if(_a8 == 0x40b) {
                                                					E0040575B(0x3fb, _t146);
                                                					E004062C6(_t146);
                                                				}
                                                				_t167 = _a4;
                                                				if(_a8 != 0x110) {
                                                					L8:
                                                					if(_a8 != 0x111) {
                                                						L20:
                                                						if(_a8 == 0x40f) {
                                                							L22:
                                                							_v8 = _v8 & 0x00000000;
                                                							_v12 = _v12 & 0x00000000;
                                                							E0040575B(0x3fb, _t146);
                                                							if(E00405AEE(_t186, _t146) == 0) {
                                                								_v8 = 1;
                                                							}
                                                							E00406032(0x79ff10, _t146);
                                                							_t87 = E00406408(1);
                                                							_v16 = _t87;
                                                							if(_t87 == 0) {
                                                								L30:
                                                								E00406032(0x79ff10, _t146);
                                                								_t89 = E00405A91(0x79ff10);
                                                								_t158 = 0;
                                                								if(_t89 != 0) {
                                                									 *_t89 = 0;
                                                								}
                                                								if(GetDiskFreeSpaceW(0x79ff10,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                									goto L35;
                                                								} else {
                                                									_t169 = 0x400;
                                                									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                									asm("cdq");
                                                									_v48 = _t109;
                                                									_v44 = _t156;
                                                									_v12 = 1;
                                                									goto L36;
                                                								}
                                                							} else {
                                                								_t159 = 0;
                                                								if(0 == 0x79ff10) {
                                                									goto L30;
                                                								} else {
                                                									goto L26;
                                                								}
                                                								while(1) {
                                                									L26:
                                                									_t114 = _v16(0x79ff10,  &_v48,  &_v28,  &_v40);
                                                									if(_t114 != 0) {
                                                										break;
                                                									}
                                                									if(_t159 != 0) {
                                                										 *_t159 =  *_t159 & _t114;
                                                									}
                                                									_t160 = E00405A32(0x79ff10);
                                                									 *_t160 =  *_t160 & 0x00000000;
                                                									_t159 = _t160;
                                                									 *_t159 = 0x5c;
                                                									if(_t159 != 0x79ff10) {
                                                										continue;
                                                									} else {
                                                										goto L30;
                                                									}
                                                								}
                                                								_t150 = _v44;
                                                								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                								_v44 = _t150 >> 0xa;
                                                								_v12 = 1;
                                                								_t158 = 0;
                                                								__eflags = 0;
                                                								L35:
                                                								_t169 = 0x400;
                                                								L36:
                                                								_t95 = E00404A2E(5);
                                                								if(_v12 != _t158) {
                                                									_t197 = _v44;
                                                									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                										_v8 = 2;
                                                									}
                                                								}
                                                								_t147 =  *0x7a7a1c; // 0xa39294
                                                								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                                									E00404A16(0x3ff, 0xfffffffb, _t95);
                                                									if(_v12 == _t158) {
                                                										SetDlgItemTextW(_a4, _t169, 0x79ff00);
                                                									} else {
                                                										E0040494D(_t169, 0xfffffffc, _v48, _v44);
                                                									}
                                                								}
                                                								_t96 = _v8;
                                                								 *0x7a8ae4 = _t96;
                                                								if(_t96 == _t158) {
                                                									_v8 = E0040140B(7);
                                                								}
                                                								if(( *(_v32 + 0x14) & _t169) != 0) {
                                                									_v8 = _t158;
                                                								}
                                                								E00404118(0 | _v8 == _t158);
                                                								if(_v8 == _t158 &&  *0x7a1f30 == _t158) {
                                                									E00404526();
                                                								}
                                                								 *0x7a1f30 = _t158;
                                                								goto L53;
                                                							}
                                                						}
                                                						_t186 = _a8 - 0x405;
                                                						if(_a8 != 0x405) {
                                                							goto L53;
                                                						}
                                                						goto L22;
                                                					}
                                                					_t118 = _a12 & 0x0000ffff;
                                                					if(_t118 != 0x3fb) {
                                                						L12:
                                                						if(_t118 == 0x3e9) {
                                                							_t152 = 7;
                                                							memset( &_v76, 0, _t152 << 2);
                                                							_v80 = _t167;
                                                							_v72 = 0x7a1f40;
                                                							_v60 = E004048E7;
                                                							_v56 = _t146;
                                                							_v68 = E00406054(_t146, 0x7a1f40, _t167, 0x7a0718, _v12);
                                                							_t122 =  &_v80;
                                                							_v64 = 0x41;
                                                							__imp__SHBrowseForFolderW(_t122);
                                                							if(_t122 == 0) {
                                                								_a8 = 0x40f;
                                                							} else {
                                                								__imp__CoTaskMemFree(_t122);
                                                								E004059E6(_t146);
                                                								_t125 =  *((intOrPtr*)( *0x7a8a50 + 0x11c));
                                                								if( *((intOrPtr*)( *0x7a8a50 + 0x11c)) != 0 && _t146 == L"C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis") {
                                                									E00406054(_t146, 0x7a1f40, _t167, 0, _t125);
                                                									if(lstrcmpiW(0x7a69e0, 0x7a1f40) != 0) {
                                                										lstrcatW(_t146, 0x7a69e0);
                                                									}
                                                								}
                                                								 *0x7a1f30 =  *0x7a1f30 + 1;
                                                								SetDlgItemTextW(_t167, 0x3fb, _t146);
                                                							}
                                                						}
                                                						goto L20;
                                                					}
                                                					if(_a12 >> 0x10 != 0x300) {
                                                						goto L53;
                                                					}
                                                					_a8 = 0x40f;
                                                					goto L12;
                                                				} else {
                                                					_t166 = GetDlgItem(_t167, 0x3fb);
                                                					if(E00405A5D(_t146) != 0 && E00405A91(_t146) == 0) {
                                                						E004059E6(_t146);
                                                					}
                                                					 *0x7a7a18 = _t167;
                                                					SetWindowTextW(_t166, _t146);
                                                					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                					_push(1);
                                                					E004040F6(_t167);
                                                					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                					_push(0x14);
                                                					E004040F6(_t167);
                                                					E0040412B(_t166);
                                                					_t138 = E00406408(6);
                                                					if(_t138 == 0) {
                                                						L53:
                                                						return E0040415D(_a8, _a12, _a16);
                                                					} else {
                                                						 *_t138(_t166, 1);
                                                						goto L8;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • GetDlgItem.USER32 ref: 004045E0
                                                • SetWindowTextW.USER32(00000000,?), ref: 0040460A
                                                • SHBrowseForFolderW.SHELL32(?), ref: 004046BB
                                                • CoTaskMemFree.OLE32(00000000), ref: 004046C6
                                                • lstrcmpiW.KERNEL32(ExecToStack,007A1F40,00000000,?,?), ref: 004046F8
                                                • lstrcatW.KERNEL32(?,ExecToStack), ref: 00404704
                                                • SetDlgItemTextW.USER32 ref: 00404716
                                                  • Part of subcall function 0040575B: GetDlgItemTextW.USER32(?,?,00000400,0040474D), ref: 0040576E
                                                  • Part of subcall function 004062C6: CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ,766DFAA0,C:\Users\user\AppData\Local\Temp\,00000000,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 00406329
                                                  • Part of subcall function 004062C6: CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 00406338
                                                  • Part of subcall function 004062C6: CharNextW.USER32(0040A300,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ,766DFAA0,C:\Users\user\AppData\Local\Temp\,00000000,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 0040633D
                                                  • Part of subcall function 004062C6: CharPrevW.USER32(0040A300,0040A300,766DFAA0,C:\Users\user\AppData\Local\Temp\,00000000,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 00406350
                                                • GetDiskFreeSpaceW.KERNEL32(0079FF10,?,?,0000040F,?,0079FF10,0079FF10,?,00000001,0079FF10,?,?,000003FB,?), ref: 004047D9
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047F4
                                                  • Part of subcall function 0040494D: lstrlenW.KERNEL32(007A1F40,007A1F40,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049EE
                                                  • Part of subcall function 0040494D: wsprintfW.USER32 ref: 004049F7
                                                  • Part of subcall function 0040494D: SetDlgItemTextW.USER32 ref: 00404A0A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis$ExecToStack
                                                • API String ID: 2624150263-246682577
                                                • Opcode ID: 23919bb9406077de8126e392a934b699bf4a802904ea86574e2f4141f427e215
                                                • Instruction ID: 30da9b98090b1fe5a0259897bb92749c5f748b87693770e47a0c546725bed2a9
                                                • Opcode Fuzzy Hash: 23919bb9406077de8126e392a934b699bf4a802904ea86574e2f4141f427e215
                                                • Instruction Fuzzy Hash: 3FA19FB1900208ABDB11EFA5CD81AAFB7B8EF85354F10843BF601B62D1D77C89418B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 39%
                                                			// Decompiled handler whose shape matches the NSIS installer stub's FindFirst
                                                			// instruction (exec.c): the WIN32_FIND_DATAW lives at ebp-0x2b0, so ebp-0x284 is its
                                                			// cFileName member (offset 0x2c). On success the search handle is written to one user
                                                			// variable as a number and the first match's file name to another; on failure both
                                                			// variables are emptied and the exec_error counter is raised. The handle is left open
                                                			// for the matching FindNext/FindClose instructions. Decompiler quality is 39%: the
                                                			// frame pointer _t21, the returned handle _t8 and the zero initialisation of the
                                                			// error counter at ebp-4 are all missing from the output below.
                                                			E004027FB(short __ebx, short* __esi) {
                                                				void* _t21;
                                                
                                                				// E00402BBF(2) resolves the file-spec parameter to a string; wildcards are allowed
                                                				if(FindFirstFileW(E00402BBF(2), _t21 - 0x2b0) != 0xffffffff) {
                                                					E00405F79( *((intOrPtr*)(_t21 - 0x10)), _t8);   // store the search handle as a decimal string
                                                					_push(_t21 - 0x284);                             // &ffd.cFileName
                                                					_push(__esi);
                                                					E00406032();                                     // copy the first match's name into the second variable
                                                				} else {
                                                					 *((short*)( *((intOrPtr*)(_t21 - 0x10)))) = __ebx;   // ebx is kept at 0 by the stub: empty string
                                                					 *__esi = __ebx;
                                                					 *((intOrPtr*)(_t21 - 4)) = 1;                          // exec_error
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t21 - 4));  // propagate exec_error to the global flag
                                                				return 0;
                                                			}

                                                Instruction addresses for the decompiled lines above, one per line (the side column was flattened by extraction):
                                                0x00402813 0x0040282e 0x00402839 0x0040283a 0x00402970 0x00402815 0x00402818 0x0040281b
                                                0x0040281e 0x0040281e 0x00402a4f 0x00402a5b

                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: the same fourteen .sdmp regions (0x00400000 through 0x007D8000) listed under the previous function
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0
                                                • Opcode ID: 75eab62fdf78de9f4e6b4c6b34eb097f986102a6510b1718f60f797d7a21670f
                                                • Instruction ID: a3d3032162d61e1c1d424b84de3592b50f389daf4c4fdff0a19fa7bc5af75a0d
                                                • Opcode Fuzzy Hash: 75eab62fdf78de9f4e6b4c6b34eb097f986102a6510b1718f60f797d7a21670f
                                                • Instruction Fuzzy Hash: 2BF05E716001149BC701EBA4DE49AAEB378FF04324F10457BE115E31D1D6B88A409B29
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			// Decompiled dialog procedure whose structure matches the NSIS installer stub's
                                                			// license page handler (LicenseProc in ui.c): _a4 = hwndDlg, _a8 = uMsg,
                                                			// _a12 = wParam, _a16 = lParam. Control 0x3e8 (1000) is the RichEdit that holds the
                                                			// license text, 0x40a/0x40b (1034/1035) are the agree/disagree buttons, *0x7a8a48 is
                                                			// the main installer window and *0x79ff0c a counter that suppresses WM_COMMAND while
                                                			// the page is being set up. The ShellExecuteW below runs only when the user clicks a
                                                			// hyperlink inside the license text: it is installer UI, not the loader's payload
                                                			// launch, so a sandbox trace that reaches it means the sandbox clicked a link.
                                                			E00404293(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                                                				char _v8;
                                                				int _v12;
                                                				void* _v16;
                                                				struct HWND__* _t56;
                                                				intOrPtr _t69;
                                                				signed int _t75;
                                                				signed short* _t76;
                                                				signed short* _t78;
                                                				long _t92;
                                                				int _t103;
                                                				signed int _t108;
                                                				signed int _t110;
                                                				intOrPtr _t111;
                                                				intOrPtr _t113;
                                                				WCHAR* _t114;
                                                				signed int* _t116;
                                                				WCHAR* _t117;
                                                				struct HWND__* _t118;
                                                
                                                				if(_a8 != 0x110) {                                   // 0x110 = WM_INITDIALOG
                                                					__eflags = _a8 - 0x111;
                                                					if(_a8 != 0x111) {                               // 0x111 = WM_COMMAND
                                                						L13:
                                                						__eflags = _a8 - 0x4e;
                                                						if(_a8 != 0x4e) {                            // 0x4e = WM_NOTIFY
                                                							__eflags = _a8 - 0x40b;
                                                							if(_a8 == 0x40b) {                       // WM_USER+11: raise the WM_COMMAND-ignore counter
                                                								 *0x79ff0c =  *0x79ff0c + 1;
                                                								__eflags =  *0x79ff0c;
                                                							}
                                                							L27:
                                                							_t114 = _a16;
                                                							L28:
                                                							return E0040415D(_a8, _a12, _t114);      // default handling for all other messages
                                                						}
                                                						_t56 = GetDlgItem(_a4, 0x3e8);               // the license RichEdit
                                                						_t114 = _a16;                                 // NMHDR* (ENLINK* / MSGFILTER*)
                                                						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x70b;
                                                						if( *((intOrPtr*)(_t114 + 8)) == 0x70b) {    // nmhdr.code == EN_LINK
                                                							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x201;
                                                							if( *((intOrPtr*)(_t114 + 0xc)) == 0x201) {  // enlink.msg == WM_LBUTTONDOWN
                                                								_t103 =  *((intOrPtr*)(_t114 + 0x1c));       // enlink.chrg.cpMax
                                                								_t113 =  *((intOrPtr*)(_t114 + 0x18));       // enlink.chrg.cpMin
                                                								_v12 = _t103;
                                                								__eflags = _t103 - _t113 - 0x800;
                                                								_v16 = _t113;
                                                								_v8 = 0x7a69e0;                              // TEXTRANGE.lpstrText -> 0x800-wchar scratch buffer
                                                								if(_t103 - _t113 < 0x800) {                  // the link text must fit that buffer
                                                									SendMessageW(_t56, 0x44b, 0,  &_v16);    // EM_GETTEXTRANGE: copy the clicked link text out
                                                									SetCursor(LoadCursorW(0, 0x7f02));       // IDC_WAIT
                                                									_t44 =  &_v8; // 0x7a69e0
                                                									ShellExecuteW(_a4, L"open",  *_t44, 0, 0, 1);   // open the link text as-is, SW_SHOWNORMAL
                                                									SetCursor(LoadCursorW(0, 0x7f00));       // IDC_ARROW
                                                									_t114 = _a16;
                                                								}
                                                							}
                                                						}
                                                						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x700;
                                                						if( *((intOrPtr*)(_t114 + 8)) != 0x700) {    // nmhdr.code == EN_MSGFILTER ?
                                                							goto L28;
                                                						} else {
                                                							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x100;
                                                							if( *((intOrPtr*)(_t114 + 0xc)) != 0x100) {  // msgfilter.msg == WM_KEYDOWN ?
                                                								goto L28;
                                                							}
                                                							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0xd;
                                                							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {   // VK_RETURN: forward IDOK to the main window
                                                								SendMessageW( *0x7a8a48, 0x111, 1, 0);
                                                							}
                                                							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0x1b;
                                                							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {  // VK_ESCAPE: WM_CLOSE to the main window
                                                								SendMessageW( *0x7a8a48, 0x10, 0, 0);
                                                							}
                                                							return 1;
                                                						}
                                                					}
                                                					// WM_COMMAND: only BN_CLICKED (HIWORD(wParam) == 0) while not suppressed
                                                					__eflags = _a12 >> 0x10;
                                                					if(_a12 >> 0x10 != 0) {
                                                						goto L27;
                                                					}
                                                					__eflags =  *0x79ff0c; // 0x0
                                                					if(__eflags != 0) {
                                                						goto L27;
                                                					}
                                                					_t69 =  *0x7a0f18; // 0xa3657c                   // current page record
                                                					_t29 = _t69 + 0x14; // 0xa36590                  // page->flags
                                                					_t116 = _t29;
                                                					__eflags =  *_t116 & 0x00000020;
                                                					if(( *_t116 & 0x00000020) == 0) {                // page does not force an explicit agree/disagree choice
                                                						goto L27;
                                                					}
                                                					// bit 0 of page->flags := state of the "agree" button (BM_GETCHECK = 0xf0); Next follows it
                                                					_t108 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                					__eflags = _t108;
                                                					 *_t116 = _t108;
                                                					E00404118(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);   // enable/disable Next
                                                					E00404526();                                      // make Next the default button
                                                					goto L13;
                                                				} else {                                             // WM_INITDIALOG
                                                					_t117 = _a16;                                     // page record passed as lParam
                                                					_t75 =  *(_t117 + 0x30);                          // string id of the license text
                                                					if(_t75 < 0) {                                    // negative ids index the language table
                                                						_t111 =  *0x7a7a1c; // 0xa39294
                                                						_t75 =  *(_t111 - 4 + _t75 * 4);
                                                					}
                                                					_t76 =  *0x7a8a78 + _t75 * 2;                     // UTF-16 string table entry
                                                					_t110 =  *_t76 & 0x0000ffff;                      // first wchar = stream format (2 = RTF, else plain text)
                                                					_a8 = _t110;
                                                					_t78 =  &(_t76[1]);                               // the license text follows it
                                                					_a16 = _t78;
                                                					_v16 = _t78;                                      // EDITSTREAM.dwCookie
                                                					_v12 = 0;                                         // EDITSTREAM.dwError
                                                					_v8 = E00404244;                                  // EDITSTREAM.pfnCallback for RTF ...
                                                					if(_t110 != 2) {
                                                						_v8 = E0040420A;                              // ... or for plain text
                                                					}
                                                					_push( *((intOrPtr*)(_t117 + 0x34)));
                                                					_push(0x22);
                                                					E004040F6(_a4);                                   // button captions from the page record's string parameters
                                                					_push( *((intOrPtr*)(_t117 + 0x38)));
                                                					_push(0x23);
                                                					E004040F6(_a4);
                                                					// pre-check "agree" (0x40a) unless the page forces a choice that has not been made yet,
                                                					// in which case "disagree" (0x40b) is checked and Next is disabled
                                                					CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                					E00404118( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                                                					_t118 = GetDlgItem(_a4, 0x3e8);
                                                					E0040412B(_t118);
                                                					SendMessageW(_t118, 0x45b, 1, 0);                 // EM_AUTOURLDETECT: turn URLs in the text into links
                                                					_t92 =  *( *0x7a8a50 + 0x68);                     // license background colour from the installer header
                                                					if(_t92 < 0) {
                                                						_t92 = GetSysColor( ~_t92);                   // negative values encode a system colour index
                                                					}
                                                					SendMessageW(_t118, 0x443, 0, _t92);              // EM_SETBKGNDCOLOR
                                                					SendMessageW(_t118, 0x445, 0, 0x4010000);         // EM_SETEVENTMASK: ENM_LINK | ENM_KEYEVENTS
                                                					SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));    // EM_EXLIMITTEXT
                                                					 *0x79ff0c = 0;
                                                					SendMessageW(_t118, 0x449, _a8,  &_v16);          // EM_STREAMIN with the EDITSTREAM built above
                                                					 *0x79ff0c = 0;
                                                					return 0;
                                                				}
                                                			}

                                                Instruction addresses for the decompiled lines above, one per line (the side column was flattened by extraction; 0x00000000 marks lines without a code address):
                                                0x004042a5 0x004043c5 0x004043d2 0x0040442f 0x0040442f 0x00404433 0x00404501 0x00404508
                                                0x0040450a 0x0040450a 0x0040450a 0x00404510 0x00404510 0x00404513 0x00000000 0x0040451a
                                                0x00404441 0x00404447 0x0040444a 0x00404451 0x00404453 0x0040445a 0x0040445c 0x0040445f
                                                0x00404462 0x00404467 0x0040446d 0x00404470 0x00404477 0x00404484 0x00404495 0x0040449f
                                                0x004044aa 0x004044b9 0x004044bf 0x004044bf 0x00404477 0x0040445a 0x004044c2 0x004044c9
                                                0x00000000 0x004044cb 0x004044cb 0x004044d2 0x00000000 0x00000000 0x004044d4 0x004044d8
                                                0x004044e8 0x004044e8 0x004044ea 0x004044ee 0x004044fa 0x004044fa 0x00000000 0x004044fe
                                                0x004044c9 0x004043da 0x004043dd 0x00000000 0x00000000 0x004043e3 0x004043e9 0x00000000
                                                0x00000000 0x004043ef 0x004043f4 0x004043f4 0x004043f7 0x004043fa 0x00000000 0x00000000
                                                0x00404421 0x00404421 0x00404423 0x00404425 0x0040442a 0x00000000 0x004042ab 0x004042ab
                                                0x004042ae 0x004042b3 0x004042b5 0x004042c4 0x004042c4 0x004042cc 0x004042cf 0x004042d3
                                                0x004042d6 0x004042da 0x004042dd 0x004042e0 0x004042e3 0x004042ea 0x004042ec 0x004042ec
                                                0x004042f6 0x00404303 0x0040430d 0x00404312 0x00404315 0x0040431a 0x00404331 0x00404338
                                                0x0040434b 0x0040434e 0x00404362 0x00404369 0x0040436e 0x00404373 0x00404373 0x00404381
                                                0x0040438f 0x004043a1 0x004043a6 0x004043b6 0x004043b8 0x00000000 0x004043be

                                                APIs
                                                • CheckDlgButton.USER32 ref: 00404331
                                                • GetDlgItem.USER32 ref: 00404345
                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404362
                                                • GetSysColor.USER32(?), ref: 00404373
                                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404381
                                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040438F
                                                • lstrlenW.KERNEL32(?), ref: 00404394
                                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043A1
                                                • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043B6
                                                • GetDlgItem.USER32 ref: 0040440F
                                                • SendMessageW.USER32(00000000), ref: 00404416
                                                • GetDlgItem.USER32 ref: 00404441
                                                • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404484
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 00404492
                                                • SetCursor.USER32(00000000), ref: 00404495
                                                • ShellExecuteW.SHELL32(0000070B,open,iz,00000000,00000000,00000001), ref: 004044AA
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 004044B6
                                                • SetCursor.USER32(00000000), ref: 004044B9
                                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 004044E8
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 004044FA
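
The three APIs listings in this section (the directory-page function at 0x004045E0..0x004047F4 whose body is not reproduced here, E004027FB and E00404293) are the quickest way to separate installer-stub code from the loader's own logic: each of these functions has the API footprint of a routine that every NSIS installer stub carries, and the ShellExecuteW at 004044AA in particular belongs to the license page's link handler rather than to a payload launch. The Python below is an added example, not part of the Joe Sandbox report, of NSIS or of the sample. It parses listing lines of this format ("• Name.MODULE(args), ref: ADDR", plus the indented "Part of subcall function XXXXXXXX: ..." variant) into records and scores each function's directly called API set against hand-written profiles of the NSIS license page procedure, directory page procedure and FindFirst instruction handler. The profile contents, the Jaccard threshold and the watchlist are assumptions chosen for this example; the sample input is the listings from this page pasted in, with the repeated SendMessageW entries of E00404293 dropped (which does not change its API set).

```python
"""Triage helper for the per-function "APIs" listings in a Joe Sandbox report (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# One listing line: optional bullet, optional "Part of subcall function XXXXXXXX:" prefix,
# Name.MODULE, optional (args), then "ref: ADDR". Headings and blank lines do not match.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int                 # address of the call site
    parent: Optional[str]    # subcall function id, None for a direct call

def parse_api_lines(text: str) -> list:
    """Turn one function's APIs listing into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m is None:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["parent"]))
    return calls

# Assumed profiles (heuristics written for this example from the NSIS ui.c/exec.c sources
# and the listings in the report): the APIs each stub function calls directly. Subcalls are
# excluded on both sides so nested helpers do not dilute the match.
NSIS_PROFILES = {
    "ui.c LicenseProc (license page)": {
        "CheckDlgButton", "GetDlgItem", "SendMessageW", "GetSysColor", "lstrlenW",
        "LoadCursorW", "SetCursor", "ShellExecuteW"},
    "ui.c DirProc (directory page)": {
        "GetDlgItem", "SetWindowTextW", "SHBrowseForFolderW", "SHGetPathFromIDListW",
        "CoTaskMemFree", "lstrcmpiW", "lstrcatW", "SetDlgItemTextW",
        "GetDiskFreeSpaceW", "MulDiv"},
    "exec.c FindFirst instruction": {"FindFirstFileW"},
}

# APIs worth calling out whether or not the function looks like stub code (analyst's choice).
WATCHLIST = {"ShellExecuteW", "ShellExecuteExW", "CreateProcessW", "WinExec", "VirtualAlloc",
             "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread", "URLDownloadToFileW"}

def direct_api_set(calls) -> set:
    return {c.name for c in calls if c.parent is None}

def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0

def classify(calls, profiles=NSIS_PROFILES, threshold=0.5):
    """Best-matching stub profile (None below the threshold) and its Jaccard score."""
    apis = direct_api_set(calls)
    best = max(profiles, key=lambda k: jaccard(apis, profiles[k]))
    score = jaccard(apis, profiles[best])
    return (best if score >= threshold else None, score)

def triage(listings: dict) -> dict:
    """Map function name -> {stub_match, score, watchlist_hits} for several listings."""
    result = {}
    for fn, text in listings.items():
        calls = parse_api_lines(text)
        label, score = classify(calls)
        hits = [(c.name, f"{c.ref:08X}") for c in calls if c.parent is None and c.name in WATCHLIST]
        result[fn] = {"stub_match": label, "score": round(score, 2), "watchlist_hits": hits}
    return result

# Sample input: the three listings from this report page, pasted in.
SAMPLES = {
    "directory page function (APIs at 0x4045E0..0x4047F4)": """\
• GetDlgItem.USER32 ref: 004045E0
• SetWindowTextW.USER32(00000000,?), ref: 0040460A
• SHBrowseForFolderW.SHELL32(?), ref: 004046BB
• CoTaskMemFree.OLE32(00000000), ref: 004046C6
• lstrcmpiW.KERNEL32(ExecToStack,007A1F40,00000000,?,?), ref: 004046F8
• lstrcatW.KERNEL32(?,ExecToStack), ref: 00404704
• SetDlgItemTextW.USER32 ref: 00404716
  • Part of subcall function 0040575B: GetDlgItemTextW.USER32(?,?,00000400,0040474D), ref: 0040576E
• GetDiskFreeSpaceW.KERNEL32(0079FF10,?,?,0000040F,?,0079FF10,0079FF10,?,00000001,0079FF10,?,?,000003FB,?), ref: 004047D9
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047F4
""",
    "E004027FB": "• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A\n",
    "E00404293": """\
• CheckDlgButton.USER32 ref: 00404331
• GetDlgItem.USER32 ref: 00404345
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404362
• GetSysColor.USER32(?), ref: 00404373
• lstrlenW.KERNEL32(?), ref: 00404394
• ShellExecuteW.SHELL32(0000070B,open,iz,00000000,00000000,00000001), ref: 004044AA
• LoadCursorW.USER32(00000000,00007F02), ref: 00404492
• SetCursor.USER32(00000000), ref: 00404495
""",
}

if __name__ == "__main__":
    for fn, verdict in triage(SAMPLES).items():
        print(fn, verdict)
```

Run as a script it prints one verdict per function. For this input all three functions match a stub profile (the directory page scores 0.9 because the profile also expects SHGetPathFromIDListW, which the listing does not show), and the only watchlist hit is the ShellExecuteW at 004044AA, which the matching profile accounts for. Functions that score below the threshold, or that carry watchlist hits no profile explains, are where reversing time should go.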
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                • String ID: N$open$iz
                                                • API String ID: 3615053054-3184408566
                                                • Opcode ID: 01da6d32b2a417ec90abe3a2877bb8b4f20cf3725a55cc12a2a61828b7308d80
                                                • Instruction ID: f5fa6e7357a1776686f67c5c85bccc632f1e4afc8f648020f62b4c2f23f21bc2
                                                • Opcode Fuzzy Hash: 01da6d32b2a417ec90abe3a2877bb8b4f20cf3725a55cc12a2a61828b7308d80
                                                • Instruction Fuzzy Hash: CA7181B1900609BFDB109F60DD85E6A7B79FB84744F04853AF705B61E0CB789951CFA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405D61(void* __ecx) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				long _t13;
                                                				long _t25;
                                                				char* _t32;
                                                				int _t38;
                                                				void* _t39;
                                                				intOrPtr* _t40;
                                                				long _t43;
                                                				WCHAR* _t45;
                                                				void* _t47;
                                                				void* _t49;
                                                				void* _t50;
                                                				void* _t53;
                                                				void* _t54;
                                                
                                                				_t39 = __ecx;
                                                				lstrcpyW(0x7a55e0, L"NUL");
                                                				_t45 =  *(_t53 + 0x18);
                                                				if(_t45 == 0) {
                                                					L3:
                                                					_t2 = _t53 + 0x1c; // 0x7a5de0
                                                					_t13 = GetShortPathNameW( *_t2, 0x7a5de0, 0x400);
                                                					if(_t13 != 0 && _t13 <= 0x400) {
                                                						_t38 = wsprintfA(0x7a51e0, "%ls=%ls\r\n", 0x7a55e0, 0x7a5de0);
                                                						_t54 = _t53 + 0x10;
                                                						E00406054(_t38, 0x400, 0x7a5de0, 0x7a5de0,  *((intOrPtr*)( *0x7a8a50 + 0x128)));
                                                						_t13 = E00405C07(0x7a5de0, 0xc0000000, 4);
                                                						_t49 = _t13;
                                                						 *(_t54 + 0x18) = _t49;
                                                						if(_t49 != 0xffffffff) {
                                                							_t43 = GetFileSize(_t49, 0);
                                                							_t6 = _t38 + 0xa; // 0xa
                                                							_t47 = GlobalAlloc(0x40, _t43 + _t6);
                                                							if(_t47 == 0 || E00405C8A(_t49, _t47, _t43) == 0) {
                                                								L18:
                                                								return CloseHandle(_t49);
                                                							} else {
                                                								if(E00405B6C(_t39, _t47, "[Rename]\r\n") != 0) {
                                                									_t50 = E00405B6C(_t39, _t22 + 0xa, "\n[");
                                                									if(_t50 == 0) {
                                                										_t49 =  *(_t54 + 0x18);
                                                										L16:
                                                										_t25 = _t43;
                                                										L17:
                                                										E00405BC2(_t25 + _t47, 0x7a51e0, _t38);
                                                										SetFilePointer(_t49, 0, 0, 0);
                                                										E00405CB9(_t49, _t47, _t43 + _t38);
                                                										GlobalFree(_t47);
                                                										goto L18;
                                                									}
                                                									_t40 = _t47 + _t43;
                                                									_t32 = _t40 + _t38;
                                                									while(_t40 > _t50) {
                                                										 *_t32 =  *_t40;
                                                										_t32 = _t32 - 1;
                                                										_t40 = _t40 - 1;
                                                									}
                                                									_t25 = _t50 - _t47 + 1;
                                                									_t49 =  *(_t54 + 0x18);
                                                									goto L17;
                                                								}
                                                								lstrcpyA(_t47 + _t43, "[Rename]\r\n");
                                                								_t43 = _t43 + 0xa;
                                                								goto L16;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					CloseHandle(E00405C07(_t45, 0, 1));
                                                					_t13 = GetShortPathNameW(_t45, 0x7a55e0, 0x400);
                                                					if(_t13 != 0 && _t13 <= 0x400) {
                                                						goto L3;
                                                					}
                                                				}
                                                				return _t13;
                                                			}
                                                0x00405d61
                                                0x00405d70
                                                0x00405d76
                                                0x00405d87
                                                0x00405daf
                                                0x00405db6
                                                0x00405dba
                                                0x00405dbe
                                                0x00405dde
                                                0x00405de5
                                                0x00405def
                                                0x00405dfc
                                                0x00405e01
                                                0x00405e06
                                                0x00405e0a
                                                0x00405e19
                                                0x00405e1b
                                                0x00405e28
                                                0x00405e2c
                                                0x00405ec7
                                                0x00000000
                                                0x00405e42
                                                0x00405e4f
                                                0x00405e73
                                                0x00405e77
                                                0x00405e96
                                                0x00405e9a
                                                0x00405e9a
                                                0x00405e9c
                                                0x00405ea5
                                                0x00405eb0
                                                0x00405ebb
                                                0x00405ec1
                                                0x00000000
                                                0x00405ec1
                                                0x00405e79
                                                0x00405e7c
                                                0x00405e87
                                                0x00405e83
                                                0x00405e85
                                                0x00405e86
                                                0x00405e86
                                                0x00405e8e
                                                0x00405e90
                                                0x00000000
                                                0x00405e90
                                                0x00405e5a
                                                0x00405e60
                                                0x00000000
                                                0x00405e60
                                                0x00405e2c
                                                0x00405e0a
                                                0x00405d89
                                                0x00405d94
                                                0x00405d9d
                                                0x00405da1
                                                0x00000000
                                                0x00000000
                                                0x00405da1
                                                0x00405ed2

                                                APIs
                                                • lstrcpyW.KERNEL32 ref: 00405D70
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,0040A300,00405EF4,?,?), ref: 00405D94
                                                • GetShortPathNameW.KERNEL32 ref: 00405D9D
                                                  • Part of subcall function 00405B6C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405B7C
                                                  • Part of subcall function 00405B6C: lstrlenA.KERNEL32(00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405BAE
                                                • GetShortPathNameW.KERNEL32 ref: 00405DBA
                                                • wsprintfA.USER32 ref: 00405DD8
                                                • GetFileSize.KERNEL32(00000000,00000000,007A5DE0,C0000000,00000004,007A5DE0,?), ref: 00405E13
                                                • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405E22
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405E5A
                                                • SetFilePointer.KERNEL32(0040A578,00000000,00000000,00000000,00000000,007A51E0,00000000,-0000000A,0040A578,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB0
                                                • GlobalFree.KERNEL32 ref: 00405EC1
                                                • CloseHandle.KERNEL32(00000000), ref: 00405EC8
                                                  • Part of subcall function 00405C07: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405C0B
                                                  • Part of subcall function 00405C07: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403517,?), ref: 00405C2D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                • String ID: %ls=%ls$NUL$[Rename]$Uz$]z$]z
                                                • API String ID: 222337774-2882615421
                                                • Opcode ID: 96167ce44ddedef176c8bff3fbbd2245610190e2ff8f9a1c8bc4a62397111b78
                                                • Instruction ID: 75cee4360bd3bcd07888cd864a4516e3a0162a31efabfd5f0f4b5e85420b189e
                                                • Opcode Fuzzy Hash: 96167ce44ddedef176c8bff3fbbd2245610190e2ff8f9a1c8bc4a62397111b78
                                                • Instruction Fuzzy Hash: 6C31F370600B14BBD2216B219D49F6B3E6CDF45755F14043AFA81F62D2DA3CEA018EAD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                				struct tagLOGBRUSH _v16;
                                                				struct tagRECT _v32;
                                                				struct tagPAINTSTRUCT _v96;
                                                				struct HDC__* _t70;
                                                				struct HBRUSH__* _t87;
                                                				struct HFONT__* _t94;
                                                				long _t102;
                                                				signed int _t126;
                                                				struct HDC__* _t128;
                                                				intOrPtr _t130;
                                                
                                                				if(_a8 == 0xf) {
                                                					_t130 =  *0x7a8a50;
                                                					_t70 = BeginPaint(_a4,  &_v96);
                                                					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                					_a8 = _t70;
                                                					GetClientRect(_a4,  &_v32);
                                                					_t126 = _v32.bottom;
                                                					_v32.bottom = _v32.bottom & 0x00000000;
                                                					while(_v32.top < _t126) {
                                                						_a12 = _t126 - _v32.top;
                                                						asm("cdq");
                                                						asm("cdq");
                                                						asm("cdq");
                                                						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                						_t87 = CreateBrushIndirect( &_v16);
                                                						_v32.bottom = _v32.bottom + 4;
                                                						_a16 = _t87;
                                                						FillRect(_a8,  &_v32, _t87);
                                                						DeleteObject(_a16);
                                                						_v32.top = _v32.top + 4;
                                                					}
                                                					if( *(_t130 + 0x58) != 0xffffffff) {
                                                						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                                                						_a16 = _t94;
                                                						if(_t94 != 0) {
                                                							_t128 = _a8;
                                                							_v32.left = 0x10;
                                                							_v32.top = 8;
                                                							SetBkMode(_t128, 1);
                                                							SetTextColor(_t128,  *(_t130 + 0x58));
                                                							_a8 = SelectObject(_t128, _a16);
                                                							DrawTextW(_t128, "Ottomans Setup", 0xffffffff,  &_v32, 0x820);
                                                							SelectObject(_t128, _a8);
                                                							DeleteObject(_a16);
                                                						}
                                                					}
                                                					EndPaint(_a4,  &_v96);
                                                					return 0;
                                                				}
                                                				_t102 = _a16;
                                                				if(_a8 == 0x46) {
                                                					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8a48;
                                                				}
                                                				return DefWindowProcW(_a4, _a8, _a12, _t102);
                                                			}
                                                0x0040100a
                                                0x00401039
                                                0x00401047
                                                0x0040104d
                                                0x00401051
                                                0x0040105b
                                                0x00401061
                                                0x00401064
                                                0x004010f3
                                                0x00401089
                                                0x0040108c
                                                0x004010a6
                                                0x004010bd
                                                0x004010cc
                                                0x004010cf
                                                0x004010d5
                                                0x004010d9
                                                0x004010e4
                                                0x004010ed
                                                0x004010ef
                                                0x004010ef
                                                0x00401100
                                                0x00401105
                                                0x0040110d
                                                0x00401110
                                                0x00401112
                                                0x00401118
                                                0x0040111f
                                                0x00401126
                                                0x00401130
                                                0x00401142
                                                0x00401156
                                                0x00401160
                                                0x00401165
                                                0x00401165
                                                0x00401110
                                                0x0040116e
                                                0x00000000
                                                0x00401178
                                                0x00401010
                                                0x00401013
                                                0x00401015
                                                0x0040101f
                                                0x0040101f
                                                0x00000000

                                                APIs
                                                • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32 ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                • FillRect.USER32 ref: 004010E4
                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                • DrawTextW.USER32(00000000,Ottomans Setup,000000FF,00000010,00000820), ref: 00401156
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                • DeleteObject.GDI32(?), ref: 00401165
                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F$Ottomans Setup
                                                • API String ID: 941294808-1214245841
                                                • Opcode ID: ce6bfb0b893aacce883330537bc8e63ee4883ce97208896732d7138368f4d8d8
                                                • Instruction ID: de39ae593db74bf8e739f7026f96e360392c145d264594217dd326fc860e90c0
                                                • Opcode Fuzzy Hash: ce6bfb0b893aacce883330537bc8e63ee4883ce97208896732d7138368f4d8d8
                                                • Instruction Fuzzy Hash: E2418C71800209AFCF058F95DE459AFBBB9FF45310F00842EF991AA1A0CB38DA54DFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 89%
                                                			E008B194F() {
                                                				long _v8;
                                                				struct _PROCESS_INFORMATION _v24;
                                                				struct _STARTUPINFOW _v92;
                                                				char _v2138;
                                                				short _v2140;
                                                				WCHAR* _t24;
                                                				WCHAR* _t25;
                                                				int _t26;
                                                				signed int _t34;
                                                				short _t36;
                                                				short _t37;
                                                				void* _t43;
                                                
                                                				_t34 = 0x10;
                                                				memset( &(_v92.lpReserved), 0, _t34 << 2);
                                                				_v24.hProcess = 0;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				asm("stosd");
                                                				_v92.cb = 0x44;
                                                				_t43 = 0x20;
                                                				lstrcpynW( &_v2140, GetCommandLineW(), 0x400);
                                                				_t24 =  &_v2140;
                                                				if(_v2140 == 0x22) {
                                                					_t24 =  &_v2138;
                                                					_t43 = 0x22;
                                                				}
                                                				while(1) {
                                                					_t36 =  *_t24;
                                                					if(_t36 == 0) {
                                                						break;
                                                					}
                                                					if(_t36 == _t43) {
                                                						break;
                                                					}
                                                					_t24 = CharNextW(_t24);
                                                				}
                                                				_t25 = CharNextW(_t24);
                                                				while(1) {
                                                					_t37 =  *_t25;
                                                					if(_t37 == 0) {
                                                						break;
                                                					}
                                                					if(_t37 != 0x20) {
                                                						break;
                                                					}
                                                					_t25 =  &(_t25[1]);
                                                				}
                                                				_t26 = CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v24);
                                                				_v8 = _t26;
                                                				if(_t26 == 0) {
                                                					ExitProcess(0xc000001d);
                                                				}
                                                				WaitForSingleObject(_v24.hProcess, 0xffffffff);
                                                				GetExitCodeProcess(_v24.hProcess,  &_v8);
                                                				CloseHandle(_v24);
                                                				CloseHandle(_v24.hThread);
                                                				ExitProcess(_v8);
                                                			}

                                                APIs
                                                • GetCommandLineW.KERNEL32(00000400), ref: 008B197F
                                                • lstrcpynW.KERNEL32(?,00000000), ref: 008B198D
                                                • CharNextW.USER32(00000022), ref: 008B19BA
                                                • CharNextW.USER32(00000022), ref: 008B19C5
                                                • CreateProcessW.KERNEL32 ref: 008B19EA
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 008B19FC
                                                • GetExitCodeProcess.KERNEL32 ref: 008B1A09
                                                • CloseHandle.KERNEL32(?), ref: 008B1A18
                                                • CloseHandle.KERNEL32(?), ref: 008B1A1D
                                                • ExitProcess.KERNEL32 ref: 008B1A22
                                                • ExitProcess.KERNEL32 ref: 008B1A2D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.567614093.00000000008B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008B0000, based on PE: true
                                                • Associated: 00000000.00000002.567601921.00000000008B0000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.567622930.00000000008B2000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.567691044.00000000008B3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.567805328.00000000008B4000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_8b0000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Process$Exit$CharCloseHandleNext$CodeCommandCreateLineObjectSingleWaitlstrcpyn
                                                • String ID: "$D
                                                • API String ID: 3771911414-1154559923
                                                • Opcode ID: 150348961a6db69cb952a5bce5cc10ad6604797c3509605a600d66d0b1357189
                                                • Instruction ID: 3ccf07a13d4f38453484497801b59e2e45be5114984c78a7d5a24b4dc840f777
                                                • Opcode Fuzzy Hash: 150348961a6db69cb952a5bce5cc10ad6604797c3509605a600d66d0b1357189
                                                • Instruction Fuzzy Hash: 01213D7180055DEADF20AB94DC68AEFBB7DFB04305F904566F202A61A0DA701E49DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E100022D0(void* __edx) {
                                                				void* _t38;
                                                				signed int _t39;
                                                				void* _t40;
                                                				void* _t42;
                                                				signed int* _t43;
                                                				signed int* _t51;
                                                				void* _t52;
                                                				void* _t54;
                                                
                                                				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
                                                				while(1) {
                                                					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
                                                					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
                                                					_t52 = _t51[6];
                                                					if(_t52 == 0) {
                                                						goto L9;
                                                					}
                                                					_t42 = 0x1a;
                                                					if(_t52 == _t42) {
                                                						goto L9;
                                                					}
                                                					if(_t52 != 0xffffffff) {
                                                						if(_t52 <= 0 || _t52 > 0x19) {
                                                							_t51[6] = _t42;
                                                							goto L12;
                                                						} else {
                                                							_t38 = E100012BA(_t52 - 1);
                                                							L10:
                                                							goto L11;
                                                						}
                                                					} else {
                                                						_t38 = E10001243();
                                                						L11:
                                                						_t52 = _t38;
                                                						L12:
                                                						_t13 =  &(_t51[2]); // 0x1020
                                                						_t43 = _t13;
                                                						if(_t51[1] != 0xffffffff) {
                                                						}
                                                						_t39 =  *_t51;
                                                						_t51[7] = _t51[7] & 0x00000000;
                                                						if(_t39 > 7) {
                                                							L27:
                                                							_t40 = GlobalFree(_t52);
                                                							if( *(_t54 + 0x10) == 0) {
                                                								return _t40;
                                                							}
                                                							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
                                                								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
                                                							} else {
                                                								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
                                                							}
                                                							continue;
                                                						} else {
                                                							switch( *((intOrPtr*)(_t39 * 4 +  &M1000244C))) {
                                                								case 0:
                                                									 *_t43 =  *_t43 & 0x00000000;
                                                									goto L27;
                                                								case 1:
                                                									__eax = E10001311(__ebp);
                                                									goto L21;
                                                								case 2:
                                                									 *__edi = E10001311(__ebp);
                                                									__edi[1] = __edx;
                                                									goto L27;
                                                								case 3:
                                                									__eax = GlobalAlloc(0x40,  *0x1000406c);
                                                									 *(__esi + 0x1c) = __eax;
                                                									__edx = 0;
                                                									 *__edi = __eax;
                                                									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x1000406c, __eax,  *0x1000406c, 0, 0);
                                                									goto L27;
                                                								case 4:
                                                									__eax = E1000122C(__ebp);
                                                									 *(__esi + 0x1c) = __eax;
                                                									L21:
                                                									 *__edi = __eax;
                                                									goto L27;
                                                								case 5:
                                                									__eax = GlobalAlloc(0x40, 0x10);
                                                									_push(__eax);
                                                									 *(__esi + 0x1c) = __eax;
                                                									_push(__ebp);
                                                									 *__edi = __eax;
                                                									__imp__CLSIDFromString();
                                                									goto L27;
                                                								case 6:
                                                									if(lstrlenW(__ebp) > 0) {
                                                										__eax = E10001311(__ebp);
                                                										 *__ebx = __eax;
                                                									}
                                                									goto L27;
                                                								case 7:
                                                									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
                                                									( *(__esi + 0x18) - 1) *  *0x1000406c =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
                                                									 *__ebx =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
                                                									asm("cdq");
                                                									__eax = E10001470(__edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18, __edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2);
                                                									goto L27;
                                                							}
                                                						}
                                                					}
                                                					L9:
                                                					_t38 = E1000122C(0x10004044);
                                                					goto L10;
                                                				}
                                                			}

                                                APIs
                                                • GlobalFree.KERNEL32 ref: 10002416
                                                  • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                • GlobalAlloc.KERNEL32(00000040), ref: 10002397
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.568170336.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.568166890.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000000.00000002.568174284.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000000.00000002.568181130.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                • String ID: @hhv$@uv
                                                • API String ID: 4216380887-1609614287
                                                • Opcode ID: 629548a8d80b156119ca260ddfff41e2ac9599e7dc7e49857da4672f8da03f10
                                                • Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
                                                • Opcode Fuzzy Hash: 629548a8d80b156119ca260ddfff41e2ac9599e7dc7e49857da4672f8da03f10
                                                • Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 76%
                                                			E100024A9(intOrPtr* _a4) {
                                                				intOrPtr _v4;
                                                				intOrPtr* _t24;
                                                				void* _t26;
                                                				intOrPtr _t27;
                                                				signed int _t35;
                                                				void* _t39;
                                                				intOrPtr _t40;
                                                				void* _t43;
                                                
                                                				_t39 = E1000121B();
                                                				_t24 = _a4;
                                                				_t40 =  *((intOrPtr*)(_t24 + 0x1014));
                                                				_v4 = _t40;
                                                				_t43 = (_t40 + 0x81 << 5) + _t24;
                                                				do {
                                                					if( *((intOrPtr*)(_t43 - 4)) != 0xffffffff) {
                                                					}
                                                					_t35 =  *(_t43 - 8);
                                                					if(_t35 <= 7) {
                                                						switch( *((intOrPtr*)(_t35 * 4 +  &M100025B9))) {
                                                							case 0:
                                                								 *_t39 =  *_t39 & 0x00000000;
                                                								goto L15;
                                                							case 1:
                                                								_push( *__eax);
                                                								goto L13;
                                                							case 2:
                                                								__eax = E10001470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
                                                								goto L14;
                                                							case 3:
                                                								__ecx =  *0x1000406c;
                                                								__edx = __ecx - 1;
                                                								__eax = MultiByteToWideChar(0, 0,  *__eax, __ecx, __edi, __edx);
                                                								__eax =  *0x1000406c;
                                                								 *(__edi + __eax * 2 - 2) =  *(__edi + __eax * 2 - 2) & 0x00000000;
                                                								goto L15;
                                                							case 4:
                                                								__eax = lstrcpynW(__edi,  *__eax,  *0x1000406c);
                                                								goto L15;
                                                							case 5:
                                                								_push( *0x1000406c);
                                                								_push(__edi);
                                                								_push( *__eax);
                                                								__imp__StringFromGUID2();
                                                								goto L15;
                                                							case 6:
                                                								_push( *__esi);
                                                								L13:
                                                								__eax = wsprintfW(__edi, __ebp);
                                                								L14:
                                                								__esp = __esp + 0xc;
                                                								goto L15;
                                                						}
                                                					}
                                                					L15:
                                                					_t26 =  *(_t43 + 0x14);
                                                					if(_t26 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
                                                						GlobalFree(_t26);
                                                					}
                                                					_t27 =  *((intOrPtr*)(_t43 + 0xc));
                                                					if(_t27 != 0) {
                                                						if(_t27 != 0xffffffff) {
                                                							if(_t27 > 0) {
                                                								E100012E1(_t27 - 1, _t39);
                                                								goto L24;
                                                							}
                                                						} else {
                                                							E10001272(_t39);
                                                							L24:
                                                						}
                                                					}
                                                					_v4 = _v4 - 1;
                                                					_t43 = _t43 - 0x20;
                                                				} while (_v4 >= 0);
                                                				return GlobalFree(_t39);
                                                 			}

                                                 Instruction addresses: 0x100024b3 0x100024b5 0x100024c4 0x100024ca 0x100024d7 0x100024d9 0x100024dd 0x100024dd 0x100024e5 0x100024eb 0x100024ed 0x00000000 0x100024f4 0x00000000 0x00000000 0x100024fa 0x00000000 0x00000000 0x10002504 0x00000000 0x00000000 0x1000250b 0x10002511 0x1000251d 0x10002523 0x10002528 0x00000000 0x00000000 0x1000254a 0x00000000 0x00000000 0x10002530 0x10002536 0x10002537 0x10002539 0x00000000 0x00000000 0x10002552 0x10002554 0x10002556 0x10002558 0x10002558 0x00000000 0x00000000 0x100024ed 0x1000255b 0x1000255b 0x10002560 0x10002572 0x10002572 0x10002578 0x1000257d 0x10002582 0x1000258e 0x10002593 0x00000000 0x10002598 0x10002584 0x10002585 0x10002599 0x10002599 0x10002582 0x1000259a 0x1000259e 0x100025a1 0x100025b8

                                                APIs
                                                  • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                • GlobalFree.KERNEL32 ref: 10002572
                                                • GlobalFree.KERNEL32 ref: 100025AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.568170336.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000000.00000002.568166890.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 00000000.00000002.568174284.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 00000000.00000002.568181130.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID: {v@uv
                                                • API String ID: 1780285237-3152101019
                                                • Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
                                                • Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
                                                • Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
                                                • Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E004062C6(WCHAR* _a4) {
                                                				short _t5;
                                                				short _t7;
                                                				WCHAR* _t19;
                                                				WCHAR* _t20;
                                                				WCHAR* _t21;
                                                
                                                				_t20 = _a4;
                                                				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                                                					_t20 =  &(_t20[4]);
                                                				}
                                                				if( *_t20 != 0 && E00405A5D(_t20) != 0) {
                                                					_t20 =  &(_t20[2]);
                                                				}
                                                				_t5 =  *_t20;
                                                				_t21 = _t20;
                                                				_t19 = _t20;
                                                				if(_t5 != 0) {
                                                					do {
                                                						if(_t5 > 0x1f &&  *((short*)(E00405A13(L"*?|<>/\":", _t5))) == 0) {
                                                							E00405BC2(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                                                							_t19 = CharNextW(_t19);
                                                						}
                                                						_t20 = CharNextW(_t20);
                                                						_t5 =  *_t20;
                                                					} while (_t5 != 0);
                                                				}
                                                				 *_t19 =  *_t19 & 0x00000000;
                                                				while(1) {
                                                					_push(_t19);
                                                					_push(_t21);
                                                					_t19 = CharPrevW();
                                                					_t7 =  *_t19;
                                                					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                						break;
                                                					}
                                                					 *_t19 =  *_t19 & 0x00000000;
                                                					if(_t21 < _t19) {
                                                						continue;
                                                					}
                                                					break;
                                                				}
                                                				return _t7;
                                                 			}

                                                 Instruction addresses: 0x004062c8 0x004062d1 0x004062e8 0x004062e8 0x004062ef 0x004062fb 0x004062fb 0x004062fe 0x00406301 0x00406306 0x00406308 0x00406311 0x00406315 0x00406332 0x0040633a 0x0040633a 0x0040633f 0x00406341 0x00406344 0x00406349 0x0040634a 0x0040634e 0x0040634e 0x0040634f 0x00406356 0x00406358 0x0040635f 0x00000000 0x00000000 0x00406367 0x0040636d 0x00000000 0x00000000 0x00000000 0x0040636d 0x00406372

                                                APIs
                                                • CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ,766DFAA0,C:\Users\user\AppData\Local\Temp\,00000000,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 00406329
                                                • CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 00406338
                                                • CharNextW.USER32(0040A300,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ,766DFAA0,C:\Users\user\AppData\Local\Temp\,00000000,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 0040633D
                                                • CharPrevW.USER32(0040A300,0040A300,766DFAA0,C:\Users\user\AppData\Local\Temp\,00000000,00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 00406350
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004062C7
                                                • "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" , xrefs: 0040630A
                                                • *?|<>/":, xrefs: 00406318
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 589700163-44070242
                                                • Opcode ID: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
                                                • Instruction ID: d4b317f752b3f13875bb624486170839a033bb9266efc580798c69349bd43794
                                                • Opcode Fuzzy Hash: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
                                                • Instruction Fuzzy Hash: 4611041580061295DB307B148D40AB7A2B8FF95754F42803FED86732C0E77C9CA286ED
                                                Uniqueness

                                                Uniqueness Score: -1.00%
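Readable model of E004062C6 above, added here as a reference example; it is not code from the sample, from the installer runtime, or from the Joe Sandbox output. The decompiled routine rewrites a path buffer in place: it steps over a leading `\\?\` prefix, then over a two-character root when E00405A5D accepts it, keeps only characters above 0x1f that are not in `*?|<>/":` (the string at 0040A300), terminates the string, and finally zeroes trailing spaces and backslashes with a CharPrevW walk. That shape matches the NSIS installer runtime's validate_filename (an identification made here, not by the report). E00405A5D is not shown on this page, so the Python below assumes it is NSIS's validpathspec check (a drive letter followed by `:` or a two-backslash UNC lead) and assumes the `> 0x1f` comparison is unsigned, so non-ASCII characters survive; both are assumptions. The sample inputs are constructed from the strings the report lists next to this routine.

```python
"""Readable model of the decompiled routine E004062C6 (NSIS-style filename validation).

Added example, not code from the sample or the sandbox report: it reproduces what
the decompiled function does to the buffer it rewrites in place.
"""

# Characters the routine refuses (the string at 0040A300 in the report: *?|<>/":).
# The backslash is absent on purpose: it is the path separator and must survive.
_REJECTED = frozenset('*?|<>/":')

_LONG_PATH_PREFIX = '\\\\?\\'   # the four characters \\?\


def _valid_path_spec(s: str) -> bool:
    # Assumed behaviour of E00405A5D, which is not shown on the page: accept a
    # two-character root, either "<letter>:" or a UNC lead of two backslashes.
    # This mirrors NSIS's validpathspec(); it is an assumption about the callee.
    if len(s) < 2:
        return False
    drive = s[0]
    return (s[1] == ':' and drive.isascii() and drive.isalpha()) or s[:2] == '\\\\'


def validate_filename(path: str) -> str:
    """Return the string E004062C6 leaves behind for the given input buffer."""
    # 1. A leading \\?\ is stepped over so that its '?' and '\' are not filtered.
    head_len = len(_LONG_PATH_PREFIX) if path.startswith(_LONG_PATH_PREFIX) else 0
    # 2. A drive-letter or UNC root is stepped over for the same reason ("C:" keeps ':').
    if path[head_len:] and _valid_path_spec(path[head_len:]):
        head_len += 2
    head, body = path[:head_len], path[head_len:]

    # 3. The CharNextW copy loop: a character is kept only if it is above 0x1f
    #    (control range) and not in the rejected set. The decompiler types the
    #    character as a signed `short`; an unsigned test is assumed here so that
    #    non-ASCII characters are kept rather than dropped.
    body = ''.join(c for c in body if ord(c) > 0x1F and c not in _REJECTED)

    # 4. The CharPrevW loop: walk back from the terminator, zeroing trailing
    #    spaces and backslashes until another character or the body start is hit.
    body = body.rstrip(' \\')
    return head + body


if __name__ == '__main__':
    # Constructed inputs, modelled on the strings the report lists next to E004062C6.
    for sample in (
        'C:\\Users\\user\\AppData\\Local\\Temp\\',
        '"C:\\Users\\user\\Desktop\\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ',
        '\\\\?\\C:\\dir\\na?me.txt  ',
    ):
        print(repr(sample), '->', repr(validate_filename(sample)))
```

Running the module prints the three constructed inputs and their cleaned forms. The quoted command line is instructive: without a recognised root in front of it, both quotes and the drive colon are filtered away, which is exactly why the routine steps over `\\?\` and an explicit `X:` or `\\` root before the character filter runs.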

                                                C-Code - Quality: 100%
                                                			E0040415D(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                				struct tagLOGBRUSH _v16;
                                                				long _t35;
                                                				long _t37;
                                                				void* _t40;
                                                				long* _t49;
                                                
                                                				if(_a4 + 0xfffffecd > 5) {
                                                					L15:
                                                					return 0;
                                                				}
                                                				_t49 = GetWindowLongW(_a12, 0xffffffeb);
                                                				if(_t49 == 0) {
                                                					goto L15;
                                                				}
                                                				_t35 =  *_t49;
                                                				if((_t49[5] & 0x00000002) != 0) {
                                                					_t35 = GetSysColor(_t35);
                                                				}
                                                				if((_t49[5] & 0x00000001) != 0) {
                                                					SetTextColor(_a8, _t35);
                                                				}
                                                				SetBkMode(_a8, _t49[4]);
                                                				_t37 = _t49[1];
                                                				_v16.lbColor = _t37;
                                                				if((_t49[5] & 0x00000008) != 0) {
                                                					_t37 = GetSysColor(_t37);
                                                					_v16.lbColor = _t37;
                                                				}
                                                				if((_t49[5] & 0x00000004) != 0) {
                                                					SetBkColor(_a8, _t37);
                                                				}
                                                				if((_t49[5] & 0x00000010) != 0) {
                                                					_v16.lbStyle = _t49[2];
                                                					_t40 = _t49[3];
                                                					if(_t40 != 0) {
                                                						DeleteObject(_t40);
                                                					}
                                                					_t49[3] = CreateBrushIndirect( &_v16);
                                                				}
                                                				return _t49[3];
                                                 			}

                                                 Instruction addresses: 0x0040416f 0x00404203 0x00000000 0x00404203 0x00404180 0x00404184 0x00000000 0x00000000 0x0040418a 0x00404193 0x00404196 0x00404196 0x0040419c 0x004041a2 0x004041a2 0x004041ae 0x004041b4 0x004041bb 0x004041be 0x004041c1 0x004041c3 0x004041c3 0x004041cb 0x004041d1 0x004041d1 0x004041db 0x004041e0 0x004041e3 0x004041e8 0x004041eb 0x004041eb 0x004041fb 0x004041fb 0x00000000

                                                APIs
                                                • GetWindowLongW.USER32(?,000000EB), ref: 0040417A
                                                • GetSysColor.USER32(00000000), ref: 00404196
                                                • SetTextColor.GDI32(?,00000000), ref: 004041A2
                                                • SetBkMode.GDI32(?,?), ref: 004041AE
                                                • GetSysColor.USER32(?), ref: 004041C1
                                                • SetBkColor.GDI32(?,?), ref: 004041D1
                                                • DeleteObject.GDI32(?), ref: 004041EB
                                                • CreateBrushIndirect.GDI32(?), ref: 004041F5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
                                                • Instruction ID: 369debbde0f7a754f16ab48c9af260ce6490938065ace01aa15cf7b70dd2699c
                                                • Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
                                                • Instruction Fuzzy Hash: 5F218EB1500704ABCB219F68DE08B5BBBF8AF41710F04892DF996E66A0C734E948CB64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00404A5B(struct HWND__* _a4, intOrPtr _a8) {
                                                				long _v8;
                                                				signed char _v12;
                                                				unsigned int _v16;
                                                				void* _v20;
                                                				intOrPtr _v24;
                                                				long _v56;
                                                				void* _v60;
                                                				long _t15;
                                                				unsigned int _t19;
                                                				signed int _t25;
                                                				struct HWND__* _t28;
                                                
                                                				_t28 = _a4;
                                                				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                                                				if(_a8 == 0) {
                                                					L4:
                                                					_v56 = _t15;
                                                					_v60 = 4;
                                                					SendMessageW(_t28, 0x113e, 0,  &_v60);
                                                					return _v24;
                                                				}
                                                				_t19 = GetMessagePos();
                                                				_v16 = _t19 >> 0x10;
                                                				_v20 = _t19;
                                                				ScreenToClient(_t28,  &_v20);
                                                				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                                                				if((_v12 & 0x00000066) != 0) {
                                                					_t15 = _v8;
                                                					goto L4;
                                                				}
                                                				return _t25 | 0xffffffff;
                                                 			}

                                                 Instruction addresses: 0x00404a69 0x00404a76 0x00404a7c 0x00404aba 0x00404aba 0x00404ac9 0x00404ad0 0x00000000 0x00404ad2 0x00404a7e 0x00404a8d 0x00404a95 0x00404a98 0x00404aaa 0x00404ab0 0x00404ab7 0x00000000 0x00404ab7 0x00000000

                                                APIs
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A76
                                                • GetMessagePos.USER32 ref: 00404A7E
                                                • ScreenToClient.USER32 ref: 00404A98
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAA
                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
                                                • Instruction ID: c6f788746afe21c260c1d9be26cb74e88d19e7ad1034c01b3b76a28530fb3a8b
                                                • Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
                                                • Instruction Fuzzy Hash: 37019E71A4021CBADB00DB94DD81FFEBBFCAF54B10F10002BBA11B61C0C7B49A418BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E008B1849(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                				int _v8;
                                                				int _t14;
                                                				WCHAR* _t16;
                                                				WCHAR* _t17;
                                                				int _t18;
                                                				int _t23;
                                                				WCHAR* _t31;
                                                
                                                				_t14 = lstrlenW(_a8);
                                                				_t31 = _a4;
                                                				_t23 = _t14;
                                                				_v8 = _t23;
                                                				if(lstrlenW(_t31) < _t23) {
                                                					L5:
                                                					_t16 = 0;
                                                				} else {
                                                					_t17 = _t23 + _t23;
                                                					_a4 = _t17;
                                                					while(1) {
                                                						 *(_t17 + _t31) =  *(_t17 + _t31) & 0x00000000;
                                                						_t18 = lstrcmpiW(_t31, _a8);
                                                						 *((short*)(_a4 + _t31)) =  *(_t17 + _t31);
                                                						if(_t18 == 0) {
                                                							break;
                                                						}
                                                						_t31 = CharNextW(_t31);
                                                						if(lstrlenW(_t31) >= _v8) {
                                                							_t17 = _a4;
                                                							continue;
                                                						} else {
                                                							goto L5;
                                                						}
                                                						goto L6;
                                                					}
                                                					_t16 = _t31;
                                                				}
                                                				L6:
                                                				return _t16;
                                                			}

                                                APIs
                                                • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,008B12F5,00000000,/TIMEOUT=,00000000), ref: 008B1859
                                                • lstrlenW.KERNEL32(?,?,?,008B12F5,00000000,/TIMEOUT=,00000000), ref: 008B1864
                                                • lstrcmpiW.KERNEL32(?,?,?,?,008B12F5,00000000,/TIMEOUT=,00000000), ref: 008B1882
                                                • CharNextW.USER32(?,?,?,008B12F5,00000000,/TIMEOUT=,00000000), ref: 008B1894
                                                • lstrlenW.KERNEL32(00000000,?,?,008B12F5,00000000,/TIMEOUT=,00000000), ref: 008B189D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.567614093.00000000008B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008B0000, based on PE: true
                                                • Associated: 00000000.00000002.567601921.00000000008B0000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.567622930.00000000008B2000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.567691044.00000000008B3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.567805328.00000000008B4000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_8b0000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID: ihv
                                                • API String ID: 190613189-3526538539
                                                • Opcode ID: 330ccf4f8c97a7f6750d5d0b08ed3168de7f3d70ef5f0f2e0ddd43f769600e97
                                                • Instruction ID: 865e73508333c8ebb5606a52d60067e0a619ec293f3018a0b6c1df0856806d94
                                                • Opcode Fuzzy Hash: 330ccf4f8c97a7f6750d5d0b08ed3168de7f3d70ef5f0f2e0ddd43f769600e97
                                                • Instruction Fuzzy Hash: 3F014631600518AFDB11AFA8CC849EE7BA8FF053907654079ED04DB320EB70EA429B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E100015FF(struct HINSTANCE__* _a4, short* _a8) {
                                                				_Unknown_base(*)()* _t7;
                                                				void* _t10;
                                                				int _t14;
                                                
                                                				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
                                                				_t10 = GlobalAlloc(0x40, _t14);
                                                				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
                                                				_t7 = GetProcAddress(_a4, _t10);
                                                				GlobalFree(_t10);
                                                				return _t7;
                                                			}

                                                APIs
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                • GlobalFree.KERNEL32 ref: 10001642
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.568170336.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.568166890.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000000.00000002.568174284.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000000.00000002.568181130.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                • String ID: Nhv@hhv
                                                • API String ID: 1148316912-2967376847
                                                • Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                • Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
                                                • Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                • Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00402D04(struct HWND__* _a4, intOrPtr _a8) {
                                                				short _v132;
                                                				int _t11;
                                                				int _t20;
                                                
                                                				if(_a8 == 0x110) {
                                                					SetTimer(_a4, 1, 0xfa, 0);
                                                					_a8 = 0x113;
                                                				}
                                                				if(_a8 == 0x113) {
                                                					_t20 =  *0x78b6f4; // 0x22f40
                                                					_t11 =  *0x7976fc; // 0x23628
                                                					if(_t20 >= _t11) {
                                                						_t20 = _t11;
                                                					}
                                                					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                					SetWindowTextW(_a4,  &_v132);
                                                					SetDlgItemTextW(_a4, 0x406,  &_v132);
                                                				}
                                                				return 0;
                                                			}

                                                APIs
                                                Strings
                                                • verifying installer: %d%%, xrefs: 00402D57
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                • API String ID: 1451636040-82062127
                                                • Opcode ID: 0571604055d31c6dff79b789c0d870111b8eec90378702650be5945f1294d07a
                                                • Instruction ID: d409429b390960081b576047ff97edc042c2651f1908c05eaab55558fb75af6b
                                                • Opcode Fuzzy Hash: 0571604055d31c6dff79b789c0d870111b8eec90378702650be5945f1294d07a
                                                • Instruction Fuzzy Hash: 1B01447064020DAFEF149F61DD49BEA3B69AF04304F008039FA45A91D0DBB89955CB58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 37%
                                                			E00402840(void* __ebx) {
                                                				void* _t26;
                                                				long _t31;
                                                				void* _t45;
                                                				void* _t49;
                                                				void* _t51;
                                                				void* _t54;
                                                				void* _t55;
                                                				void* _t56;
                                                
                                                				_t45 = __ebx;
                                                				 *((intOrPtr*)(_t56 - 0x48)) = 0xfffffd66;
                                                				_t50 = E00402BBF(0xfffffff0);
                                                				 *(_t56 - 0x38) = _t23;
                                                				if(E00405A5D(_t50) == 0) {
                                                					E00402BBF(0xffffffed);
                                                				}
                                                				E00405BE2(_t50);
                                                				_t26 = E00405C07(_t50, 0x40000000, 2);
                                                				 *(_t56 + 8) = _t26;
                                                				if(_t26 != 0xffffffff) {
                                                					_t31 =  *0x7a8a54;
                                                					 *(_t56 - 8) = _t31;
                                                					_t49 = GlobalAlloc(0x40, _t31);
                                                					if(_t49 != _t45) {
                                                						E00403235(_t45);
                                                						E0040321F(_t49,  *(_t56 - 8));
                                                						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x24));
                                                						 *(_t56 - 0x34) = _t54;
                                                						if(_t54 != _t45) {
                                                							_push( *(_t56 - 0x24));
                                                							_push(_t54);
                                                							_push(_t45);
                                                							_push( *((intOrPtr*)(_t56 - 0x28)));
                                                							E00403027();
                                                							while( *_t54 != _t45) {
                                                								_t47 =  *_t54;
                                                								_t55 = _t54 + 8;
                                                								 *(_t56 - 0x4c) =  *_t54;
                                                								E00405BC2( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                                                								_t54 = _t55 +  *(_t56 - 0x4c);
                                                							}
                                                							GlobalFree( *(_t56 - 0x34));
                                                						}
                                                						E00405CB9( *(_t56 + 8), _t49,  *(_t56 - 8));
                                                						GlobalFree(_t49);
                                                						_push(_t45);
                                                						_push(_t45);
                                                						_push( *(_t56 + 8));
                                                						_push(0xffffffff);
                                                						 *((intOrPtr*)(_t56 - 0x48)) = E00403027();
                                                					}
                                                					CloseHandle( *(_t56 + 8));
                                                				}
                                                				_t51 = 0xfffffff3;
                                                				if( *((intOrPtr*)(_t56 - 0x48)) < _t45) {
                                                					_t51 = 0xffffffef;
                                                					DeleteFileW( *(_t56 - 0x38));
                                                					 *((intOrPtr*)(_t56 - 4)) = 1;
                                                				}
                                                				_push(_t51);
                                                				E00401423();
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t56 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
                                                • GlobalFree.KERNEL32 ref: 004028E9
                                                • GlobalFree.KERNEL32 ref: 004028FC
                                                • CloseHandle.KERNEL32(?), ref: 00402914
                                                • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                • String ID:
                                                • API String ID: 2667972263-0
                                                • Opcode ID: 598869ac1d0c0d8c1f48ea91ef13a2e3ea5b07d01dc90d54694cccaa19b6dd20
                                                • Instruction ID: a3a02304b7bf1fff1c024f37f895186886f0ecb363175dbf1b7b9d1a7e5804fa
                                                • Opcode Fuzzy Hash: 598869ac1d0c0d8c1f48ea91ef13a2e3ea5b07d01dc90d54694cccaa19b6dd20
                                                • Instruction Fuzzy Hash: 3221A072800114BBDF216FA5CE49D9E7E79EF09324F24423AF550762E1CB795E41CB98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 88%
                                                			E00402537(int __ebx, void* __edx, intOrPtr* __esi) {
                                                				signed int _t13;
                                                				int _t16;
                                                				int _t23;
                                                				signed int _t28;
                                                				intOrPtr* _t31;
                                                				void* _t33;
                                                				void* _t34;
                                                				void* _t37;
                                                				signed int _t39;
                                                
                                                				_t31 = __esi;
                                                				_t23 = __ebx;
                                                				_t13 =  *(_t34 - 0x24);
                                                				_t37 = __edx - 0x38;
                                                				 *(_t34 - 0x34) = _t13;
                                                				_t26 = 0 | _t37 == 0x00000000;
                                                				_t28 = _t37 == 0;
                                                				if(_t13 == __ebx) {
                                                					if(__edx != 0x38) {
                                                						_t16 = lstrlenW(E00402BBF(0x11)) + _t15;
                                                					} else {
                                                						E00402BBF(0x21);
                                                						WideCharToMultiByte(__ebx, __ebx, "C:\Users\alfons\AppData\Local\Temp\nsl3A9A.tmp", 0xffffffff, "C:\Users\alfons\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll", 0x400, __ebx, __ebx);
                                                						_t16 = lstrlenA("C:\Users\alfons\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll");
                                                					}
                                                				} else {
                                                					E00402BA2(1);
                                                					 *0x40adc8 = __ax;
                                                				}
                                                				 *(_t34 + 8) = _t16;
                                                				if( *_t31 == _t23) {
                                                					L13:
                                                					 *((intOrPtr*)(_t34 - 4)) = 1;
                                                				} else {
                                                					_t33 = E00405F92(_t26, _t31);
                                                					if((_t28 |  *(_t34 - 0x34)) != 0 ||  *((intOrPtr*)(_t34 - 0x20)) == _t23 || E00405CE8(_t33, _t33) >= 0) {
                                                						_t13 = E00405CB9(_t33, "C:\Users\alfons\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll",  *(_t34 + 8));
                                                						_t39 = _t13;
                                                						if(_t39 == 0) {
                                                							goto L13;
                                                						}
                                                					} else {
                                                						goto L13;
                                                					}
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t34 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll,00000400,?,?,00000021), ref: 00402583
                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll,?,?,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll,00000400,?,?,00000021), ref: 0040258E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWidelstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp$C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp\nsExec.dll
                                                • API String ID: 3109718747-82977037
                                                • Opcode ID: 0cfac67b0bc91c88d3b6eabad01ed5c174bf69e0857470ad85ca214ab4ad8ec8
                                                • Instruction ID: a78273f1e820df777bc5fa4653ad4ee3f77bb41165bb33dae94d39b2abea877a
                                                • Opcode Fuzzy Hash: 0cfac67b0bc91c88d3b6eabad01ed5c174bf69e0857470ad85ca214ab4ad8ec8
                                                • Instruction Fuzzy Hash: FC110A72A41304BEDB10AFB18F4AE9E3665AF54355F60803BF501F61C1DAFC8E51466E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 43%
                                                			E008B1096(void* __ecx) {
                                                				char _v8;
                                                				intOrPtr _t5;
                                                				intOrPtr* _t11;
                                                
                                                				_t11 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process");
                                                				if(_t11 == 0) {
                                                					L3:
                                                					_t5 = 0;
                                                				} else {
                                                					_push( &_v8);
                                                					_push(GetCurrentProcess());
                                                					if( *_t11() == 0) {
                                                						goto L3;
                                                					} else {
                                                						_t5 = _v8;
                                                					}
                                                				}
                                                				return _t5;
                                                			}

                                                APIs
                                                • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,0000003F,?,008B113F), ref: 008B10A5
                                                • GetProcAddress.KERNEL32(00000000), ref: 008B10AC
                                                • GetCurrentProcess.KERNEL32(?,?,0000003F,?,008B113F), ref: 008B10BC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.567614093.00000000008B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 008B0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_8b0000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: AddressCurrentHandleModuleProcProcess
                                                • String ID: IsWow64Process$kernel32
                                                • API String ID: 4190356694-3789238822
                                                • Opcode ID: 4887bab625dafa2495a2af7590f0c9bebe9ece2953671779acbc53fd9cc907d4
                                                • Instruction ID: 23f4ac0616db4e2920458987d79d6e1fed0f56afd703fd1eaba2c3eee2f1c37b
                                                • Opcode Fuzzy Hash: 4887bab625dafa2495a2af7590f0c9bebe9ece2953671779acbc53fd9cc907d4
                                                • Instruction Fuzzy Hash: 05E04672A04A18AB8A20B7A59C1D99B7BACFA047913400621B901D7314EAA4EA069BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 97%
                                                			E100018A9(signed int __edx, void* __eflags, void* _a8, void* _a16) {
                                                				void* _v8;
                                                				signed int _v12;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				char _v76;
                                                				void* _t43;
                                                				signed int _t44;
                                                				signed int _t59;
                                                				void _t63;
                                                				signed int _t64;
                                                				signed int _t65;
                                                				signed int _t67;
                                                				signed int _t68;
                                                				signed int _t70;
                                                				signed int _t71;
                                                				void* _t76;
                                                				void* _t77;
                                                				void* _t78;
                                                				void* _t79;
                                                				void* _t80;
                                                				signed int _t84;
                                                				signed int _t86;
                                                				signed int _t89;
                                                				void* _t100;
                                                
                                                				_t84 = __edx;
                                                				 *0x1000406c = _a8;
                                                				_t59 = 0;
                                                				 *0x10004070 = _a16;
                                                				_v12 = 0;
                                                				_v8 = E10001243();
                                                				_t89 = E10001311(_t41);
                                                				_t86 = _t84;
                                                				_t43 = E10001243();
                                                				_t63 =  *_t43;
                                                				_a8 = _t43;
                                                				if(_t63 != 0x7e && _t63 != 0x21) {
                                                					_a16 = E10001243();
                                                					_t59 = E10001311(_t56);
                                                					_v12 = _t84;
                                                					GlobalFree(_a16);
                                                					_t43 = _a8;
                                                				}
                                                				_t64 =  *_t43 & 0x0000ffff;
                                                				_t100 = _t64 - 0x2f;
                                                				if(_t100 > 0) {
                                                					_t65 = _t64 - 0x3c;
                                                					__eflags = _t65;
                                                					if(_t65 == 0) {
                                                						__eflags =  *((short*)(_t43 + 2)) - 0x3c;
                                                						if( *((short*)(_t43 + 2)) != 0x3c) {
                                                							__eflags = _t86 - _v12;
                                                							if(__eflags > 0) {
                                                								L54:
                                                								_t44 = 0;
                                                								__eflags = 0;
                                                								L55:
                                                								asm("cdq");
                                                								L56:
                                                								_t89 = _t44;
                                                								L57:
                                                								_t86 = _t84;
                                                								L58:
                                                								E10001470(_t84, _t89, _t86,  &_v76);
                                                								E10001272( &_v76);
                                                								GlobalFree(_v8);
                                                								return GlobalFree(_a8);
                                                							}
                                                							if(__eflags < 0) {
                                                								L47:
                                                								__eflags = 0;
                                                								L48:
                                                								_t44 = 1;
                                                								goto L55;
                                                							}
                                                							__eflags = _t89 - _t59;
                                                							if(_t89 < _t59) {
                                                								goto L47;
                                                							}
                                                							goto L54;
                                                						}
                                                						_t84 = _t86;
                                                						_t44 = E10002D90(_t89, _t59, _t84);
                                                						goto L56;
                                                					}
                                                					_t67 = _t65 - 1;
                                                					__eflags = _t67;
                                                					if(_t67 == 0) {
                                                						__eflags = _t89 - _t59;
                                                						if(_t89 != _t59) {
                                                							goto L54;
                                                						}
                                                						__eflags = _t86 - _v12;
                                                						if(_t86 != _v12) {
                                                							goto L54;
                                                						}
                                                						goto L47;
                                                					}
                                                					_t68 = _t67 - 1;
                                                					__eflags = _t68;
                                                					if(_t68 == 0) {
                                                						__eflags =  *((short*)(_t43 + 2)) - 0x3e;
                                                						if( *((short*)(_t43 + 2)) != 0x3e) {
                                                							__eflags = _t86 - _v12;
                                                							if(__eflags < 0) {
                                                								goto L54;
                                                							}
                                                							if(__eflags > 0) {
                                                								goto L47;
                                                							}
                                                							__eflags = _t89 - _t59;
                                                							if(_t89 <= _t59) {
                                                								goto L54;
                                                							}
                                                							goto L47;
                                                						}
                                                						_t84 = _t86;
                                                						_t44 = E10002DB0(_t89, _t59, _t84);
                                                						goto L56;
                                                					}
                                                					_t70 = _t68 - 0x20;
                                                					__eflags = _t70;
                                                					if(_t70 == 0) {
                                                						_t89 = _t89 ^ _t59;
                                                						_t86 = _t86 ^ _v12;
                                                						goto L58;
                                                					}
                                                					_t71 = _t70 - 0x1e;
                                                					__eflags = _t71;
                                                					if(_t71 == 0) {
                                                						__eflags =  *((short*)(_t43 + 2)) - 0x7c;
                                                						if( *((short*)(_t43 + 2)) != 0x7c) {
                                                							_t89 = _t89 | _t59;
                                                							_t86 = _t86 | _v12;
                                                							goto L58;
                                                						}
                                                						__eflags = _t89 | _t86;
                                                						if((_t89 | _t86) != 0) {
                                                							goto L47;
                                                						}
                                                						__eflags = _t59 | _v12;
                                                						if((_t59 | _v12) != 0) {
                                                							goto L47;
                                                						}
                                                						goto L54;
                                                					}
                                                					__eflags = _t71 == 0;
                                                					if(_t71 == 0) {
                                                						_t89 =  !_t89;
                                                						_t86 =  !_t86;
                                                					}
                                                					goto L58;
                                                				}
                                                				if(_t100 == 0) {
                                                					L21:
                                                					__eflags = _t59 | _v12;
                                                					if((_t59 | _v12) != 0) {
                                                						_v24 = E10002C20(_t89, _t86, _t59, _v12);
                                                						_v20 = _t84;
                                                						_t89 = E10002CD0(_t89, _t86, _t59, _v12);
                                                						_t43 = _a8;
                                                					} else {
                                                						_v24 = _v24 & 0x00000000;
                                                						_v20 = _v20 & 0x00000000;
                                                						_t84 = _t86;
                                                					}
                                                					__eflags =  *_t43 - 0x2f;
                                                					if( *_t43 != 0x2f) {
                                                						goto L57;
                                                					} else {
                                                						_t89 = _v24;
                                                						_t86 = _v20;
                                                						goto L58;
                                                					}
                                                				}
                                                				_t76 = _t64 - 0x21;
                                                				if(_t76 == 0) {
                                                					_t44 = 0;
                                                					__eflags = _t89 | _t86;
                                                					if((_t89 | _t86) != 0) {
                                                						goto L55;
                                                					}
                                                					goto L48;
                                                				}
                                                				_t77 = _t76 - 4;
                                                				if(_t77 == 0) {
                                                					goto L21;
                                                				}
                                                				_t78 = _t77 - 1;
                                                				if(_t78 == 0) {
                                                					__eflags =  *((short*)(_t43 + 2)) - 0x26;
                                                					if( *((short*)(_t43 + 2)) != 0x26) {
                                                						_t89 = _t89 & _t59;
                                                						_t86 = _t86 & _v12;
                                                						goto L58;
                                                					}
                                                					__eflags = _t89 | _t86;
                                                					if((_t89 | _t86) == 0) {
                                                						goto L54;
                                                					}
                                                					__eflags = _t59 | _v12;
                                                					if((_t59 | _v12) == 0) {
                                                						goto L54;
                                                					}
                                                					goto L47;
                                                				}
                                                				_t79 = _t78 - 4;
                                                				if(_t79 == 0) {
                                                					_t44 = E10002BE0(_t89, _t86, _t59, _v12);
                                                					goto L56;
                                                				} else {
                                                					_t80 = _t79 - 1;
                                                					if(_t80 == 0) {
                                                						_t89 = _t89 + _t59;
                                                						asm("adc edi, [ebp-0x8]");
                                                					} else {
                                                						if(_t80 == 0) {
                                                							_t89 = _t89 - _t59;
                                                							asm("sbb edi, [ebp-0x8]");
                                                						}
                                                					}
                                                					goto L58;
                                                				}
                                                 			}

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.568170336.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000000.00000002.568166890.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 00000000.00000002.568174284.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                 • Associated: 00000000.00000002.568181130.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: FreeGlobal
                                                • String ID:
                                                • API String ID: 2979337801-0
                                                • Opcode ID: 6c55de20ad7b96facff27c14a8ebfd7daad2c96d4471c7aede05205b14c98be4
                                                • Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
                                                • Opcode Fuzzy Hash: 6c55de20ad7b96facff27c14a8ebfd7daad2c96d4471c7aede05205b14c98be4
                                                • Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                 			// Editor's note: this routine matches the NSIS installer stub's SetBrandingImage
                                                 			// instruction handler (EW_LOADANDSETIMAGE in exehead/exec.c); the sample is an
                                                 			// NSIS-built installer, as the "NSIS Error" string elsewhere in this report shows.
                                                 			// The identification is the editor's; the body is the decompiler's output,
                                                 			// unchanged apart from the comments.
                                                 			E00401CFA() {
                                                 				void* _t18;                    // previous image handle returned by STM_SETIMAGE
                                                 				struct HINSTANCE__* _t22;      // register holding zero (NULL hInstance, image type 0)
                                                 				struct HWND__* _t25;           // control that receives the image
                                                 				void* _t27;                    // caller's frame: operands of the current installer instruction
                                                 
                                                 				_t25 = GetDlgItem( *(_t27 - 0xc),  *(_t27 - 0x28));   // parent dialog and control id from the caller's frame
                                                 				GetClientRect(_t25, _t27 - 0x54);                      // the control's size scales the requested image size
                                                 				// LoadImageW(..., LR_LOADFROMFILE = 0x10) loads a bitmap from a path taken from the
                                                 				// installer's string block; 0x172 is STM_SETIMAGE, which returns the previously set image
                                                 				_t18 = SendMessageW(_t25, 0x172, _t22, LoadImageW(_t22, E00402BBF(_t22), _t22,  *(_t27 - 0x4c) *  *(_t27 - 0x24),  *(_t27 - 0x48) *  *(_t27 - 0x24), 0x10));
                                                 				if(_t18 != _t22) {
                                                 					DeleteObject(_t18);            // free the image that was previously set
                                                 				}
                                                 				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t27 - 4));  // add the instruction's error flag to the stub's global error counter (exec_error in the NSIS source)
                                                 				return 0;
                                                 			}

                                                APIs
                                                • GetDlgItem.USER32 ref: 00401D00
                                                • GetClientRect.USER32 ref: 00401D0D
                                                • LoadImageW.USER32 ref: 00401D2E
                                                • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
                                                • DeleteObject.GDI32(00000000), ref: 00401D4B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: 744784328c674175fcbcfcf0e9bbf26443557e854759898e5afcc3989039e9af
                                                • Instruction ID: b0c4edec147008cd01dbb3001b95c609c297ceb5d42f7dfd9ff58b90d4b754cd
                                                • Opcode Fuzzy Hash: 744784328c674175fcbcfcf0e9bbf26443557e854759898e5afcc3989039e9af
                                                • Instruction Fuzzy Hash: D2F0F472500504AFDB01DBE4DE88CEEBBBDEB48311B104476F501F51A1CA74DD018B38
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                 			// Editor's note: this matches SetSizeText64 in NSIS exehead/ui.c, the routine that
                                                 			// prints the "Space required" / "Space available" line on the directory page.
                                                 			// Arguments: _a4 = dialog item id, _a8 = prefix string id, _a12 and _a16 = low and
                                                 			// high halves of a size in kilobytes. The constants 0xffffffdc..0xffffffdf are NSIS
                                                 			// language-string ids (LANG_GIGA, LANG_MEGA, LANG_KILO, LANG_BYTE); E00406054 resolves
                                                 			// such an id to text and 0x7a1f40 is the stub's shared text buffer. The identification
                                                 			// is the editor's. Apart from the comments, the only change is the declaration of
                                                 			// _t25, which the decompiler omitted; its ">> 0" operations stand for shifts by a
                                                 			// register (the unit shift count), which the decompiler could not resolve.
                                                 			E0040494D(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                 				char _v68;                 // byte string ("B" in the language table)
                                                 				char _v132;                // scale string ("K", "M" or "G")
                                                 				void* __ebx;
                                                 				void* __edi;
                                                 				void* __esi;
                                                 				signed int _t23;           // high 32 bits of the kilobyte count
                                                 				signed int _t24;
                                                 				signed int _t25;           // kilobytes masked to 24 bits (declaration added)
                                                 				void* _t31;
                                                 				void* _t33;
                                                 				void* _t34;
                                                 				void* _t44;                // language-string id of the chosen scale
                                                 				signed int _t46;
                                                 				signed int _t50;           // tenths digit
                                                 				signed int _t52;
                                                 				signed int _t53;           // low 32 bits of the kilobyte count
                                                 				signed int _t55;           // whole units
                                                 
                                                 				_t23 = _a16;
                                                 				_t53 = _a12;
                                                 				_t44 = 0xffffffdc;                     // default scale: LANG_GIGA
                                                 				if(_t23 == 0) {
                                                 					_push(0x14);                       // shift count 20 (kilobytes -> gigabytes)
                                                 					_pop(0);
                                                 					_t24 = _t53;
                                                 					if(_t53 < 0x100000) {              // below 1 GB: shift 10, LANG_MEGA
                                                 						_push(0xa);
                                                 						_pop(0);
                                                 						_t44 = 0xffffffdd;
                                                 					}
                                                 					if(_t53 < 0x400) {                 // below 1 MB: LANG_KILO (shift 0)
                                                 						_t44 = 0xffffffde;
                                                 					}
                                                 					if(_t53 < 0xffff3333) {            // 0xffffffff - (1 << 20) / 20: guard against wrap-around
                                                 						_t52 = 0x14;
                                                 						asm("cdq");
                                                 						_t24 = 1 / _t52 + _t53;        // decompiler's rendering of kb += (1 << sh) / 20 (round to the nearest tenth)
                                                 					}
                                                 					_t25 = _t24 & 0x00ffffff;          // mask so that the multiplication by 10 below cannot overflow 32 bits
                                                 					_t55 = _t24 >> 0;                  // kb >> sh: whole units
                                                 					_t46 = 0xa;
                                                 					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;   // (((kb & 0xffffff) * 10) >> sh) % 10
                                                 				} else {
                                                 					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;   // 4 TB or more: whole gigabytes, no fraction
                                                 					_t50 = 0;
                                                 				}
                                                 				_t31 = E00406054(_t44, _t50, _t55,  &_v68, 0xffffffdf);   // LANG_BYTE
                                                 				_t33 = E00406054(_t44, _t50, _t55,  &_v132, _t44);        // scale string
                                                 				_t34 = E00406054(_t44, _t50, 0x7a1f40, 0x7a1f40, _a8);    // prefix string into the shared buffer
                                                 				wsprintfW(_t34 + lstrlenW(0x7a1f40) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);   // appended after the prefix (UTF-16, hence * 2)
                                                 				return SetDlgItemTextW( *0x7a7a18, _a4, 0x7a1f40);        // *0x7a7a18: the installer dialog handle
                                                 			}

                                                APIs
                                                • lstrlenW.KERNEL32(007A1F40,007A1F40,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049EE
                                                • wsprintfW.USER32 ref: 004049F7
                                                • SetDlgItemTextW.USER32 ref: 00404A0A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                • Opcode ID: ce9979b4b01424170f7f3781fe10c2b71c9da1ea9fb3152acdeb899b4a45e53b
                                                • Instruction ID: b64f68613590d753eae0667b1f9c1485f74a5586c4fdc6504f9435c9407cab2f
                                                • Opcode Fuzzy Hash: ce9979b4b01424170f7f3781fe10c2b71c9da1ea9fb3152acdeb899b4a45e53b
                                                • Instruction Fuzzy Hash: EC11D87360412827EB10A66D9C41EDF329C9B82334F150237FA65F21D1EA78C82682E8
                                                Uniqueness

                                                Uniqueness Score: -1.00%
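
The arithmetic recovered in E0040494D is easier to check against concrete inputs than to read in decompiled form. The block below is an added example written for this page; it is not code from the sample, from Joe Sandbox or from the NSIS project. It restates the size formatter in plain C, including the 64-bit branch, the rounding step and the 0x00ffffff mask, so the constants in the decompiled output can be verified. The unit strings "K", "M", "G" and "B" stand in for the installer's language-table entries and are an assumption; the function names are the editor's.

```c
/* Added example (editor's own code): a readable restatement of the size
 * formatting recovered from E0040494D, for checking the decompiled constants.
 * The unit strings are assumed stand-ins for the installer's language table. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Formats a kilobyte count as "<whole>.<tenth><scale>B". kb_hi is the upper
 * 32 bits of a 64-bit count; the decompiled code takes a separate path when it
 * is non-zero (4 TB or more). */
void format_size_kb(uint32_t kb_lo, uint32_t kb_hi, char *out, size_t outlen)
{
    uint32_t whole, tenth;
    const char *scale;

    if (kb_hi != 0) {
        /* Collapse the 64-bit count to whole gigabytes (>> 20), no fraction. */
        uint64_t kb64 = ((uint64_t)kb_hi << 32) | kb_lo;
        whole = (uint32_t)(kb64 >> 20);
        tenth = 0;
        scale = "G";
    } else {
        uint32_t kb = kb_lo;
        unsigned sh = 20;                               /* default: gigabytes */
        scale = "G";
        if (kb < 0x100000) { sh = 10; scale = "M"; }    /* below 1 GB: megabytes */
        if (kb < 0x400)    { sh = 0;  scale = "K"; }    /* below 1 MB: kilobytes */

        /* Round to the nearest tenth by adding 1/20 of one unit. The guard
         * 0xffff3333 == 0xffffffff - (1 << 20) / 20 prevents wrap-around. */
        if (kb < 0xffff3333u)
            kb += (1u << sh) / 20;

        whole = kb >> sh;
        /* The 24-bit mask keeps (kb * 10) inside 32 bits before the shift;
         * without it large counts would overflow and the digit would be garbage. */
        tenth = (((kb & 0x00ffffffu) * 10) >> sh) % 10;
    }
    snprintf(out, outlen, "%u.%u%sB", (unsigned)whole, (unsigned)tenth, scale);
}

/* Convenience wrapper returning a static buffer, for quick checks. */
const char *size_str(uint32_t kb_lo, uint32_t kb_hi)
{
    static char buf[64];
    format_size_kb(kb_lo, kb_hi, buf, sizeof buf);
    return buf;
}

int main(void)
{
    /* Constructed sample inputs (kilobytes), not taken from the report. */
    uint32_t samples[] = { 512, 1536, 1048576, 0xffff4000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%10u KB -> %s\n", (unsigned)samples[i], size_str(samples[i], 0));
    printf("  2^32 KB -> %s\n", size_str(0, 1));   /* high half set: 4 TB */
    return 0;
}
```

Feeding 1536 KB through this gives "1.5MB" and 0xffff4000 KB gives "4095.9GB"; the decompiled routine produces the same digits, which is a quick way to confirm that E0040494D is library code from the installer stub rather than anything belonging to the payload, and therefore not where an analyst's time should go.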

                                                C-Code - Quality: 53%
                                                 			// Editor's note: this matches is_valid_instpath in NSIS exehead/util.c, the check
                                                 			// applied to a candidate install directory. 0x7a4748 is a static path buffer;
                                                 			// E00406032 copies the string into it, E00405A91 skips the root ("X:\" or
                                                 			// "\\server\share\", hence the CharNextW calls listed below), E004062C6 strips
                                                 			// trailing backslashes, E00406375 looks the current prefix up and returns its
                                                 			// find data (0x10 = FILE_ATTRIBUTE_DIRECTORY), E00405A32 drops the last path
                                                 			// component and E004059E6 appends a backslash. Bit 0x80 at 0x7a8a58 is the
                                                 			// installer's "no root directory" flag (CH_FLAGS_NO_ROOT_DIR). The identification
                                                 			// is the editor's; the body is the decompiler's output, unchanged apart from the comments.
                                                 			E00405AEE(void* __eflags, intOrPtr _a4) {
                                                 				int _t11;
                                                 				signed char* _t12;           // find data of the current prefix, or NULL if it does not exist
                                                 				intOrPtr _t18;
                                                 				intOrPtr* _t21;              // first character after the root
                                                 				signed int _t23;             // root length in characters
                                                 
                                                 				E00406032(0x7a4748, _a4);                        // copy the candidate path into the static buffer
                                                 				_t21 = E00405A91(0x7a4748);                       // skip the root; NULL means the path is not absolute
                                                 				if(_t21 != 0) {
                                                 					E004062C6(_t21);                              // remove trailing backslashes ("C:\" becomes "C:")
                                                 					if(( *0x7a8a58 & 0x00000080) == 0) {          // are installs into a bare volume root allowed?
                                                 						L5:
                                                 						_t23 = _t21 - 0x7a4748 >> 1;              // byte offset to character count (UTF-16)
                                                 						while(1) {                                // walk towards the root one component at a time
                                                 							_t11 = lstrlenW(0x7a4748);
                                                 							_push(0x7a4748);
                                                 							if(_t11 <= _t23) {
                                                 								break;                            // only the root is left
                                                 							}
                                                 							_t12 = E00406375();                   // does this prefix exist on disk?
                                                 							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {   // missing or a directory: acceptable
                                                 								E00405A32(0x7a4748);              // strip the last component and retry
                                                 								continue;
                                                 							} else {
                                                 								goto L1;                          // exists but is a file: the path can never be a directory
                                                 							}
                                                 						}
                                                 						E004059E6();                              // restore the trailing backslash on the root
                                                 						return 0 | GetFileAttributesW(??) != 0xffffffff;   // root must exist; argument lost by the decompiler, the API list below shows the same buffer; 0xffffffff = INVALID_FILE_ATTRIBUTES
                                                 					}
                                                 					_t18 =  *_t21;
                                                 					if(_t18 == 0 || _t18 == 0x5c) {               // nothing, or a backslash, after the root: bare volume root, rejected
                                                 						goto L1;
                                                 					} else {
                                                 						goto L5;
                                                 					}
                                                 				}
                                                 				L1:
                                                 				return 0;
                                                 			}

                                                APIs
                                                  • Part of subcall function 00406032: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,0040332D,Ottomans Setup,NSIS Error), ref: 0040603F
                                                  • Part of subcall function 00405A91: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,0040A300,00405B05,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,766DFAA0,?,C:\Users\user\AppData\Local\Temp\,00405843,?,766DFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ), ref: 00405A9F
                                                  • Part of subcall function 00405A91: CharNextW.USER32(00000000), ref: 00405AA4
                                                  • Part of subcall function 00405A91: CharNextW.USER32(00000000), ref: 00405ABC
                                                • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,766DFAA0,?,C:\Users\user\AppData\Local\Temp\,00405843,?,766DFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ), ref: 00405B47
                                                • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,766DFAA0,?,C:\Users\user\AppData\Local\Temp\,00405843,?,766DFAA0,C:\Users\user\AppData\Local\Temp\), ref: 00405B57
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp
                                                • API String ID: 3248276644-262457306
                                                • Opcode ID: 1c109e48d901a23ea14b6098b96b6ff6b364b8c8cfe64631121789c2790142ee
                                                • Instruction ID: 3bddcdf43bb23baaa909825d7db9bcd58a82d3117edc1a0c43d32c447e9df16d
                                                • Opcode Fuzzy Hash: 1c109e48d901a23ea14b6098b96b6ff6b364b8c8cfe64631121789c2790142ee
                                                • Instruction Fuzzy Hash: F4F0F429104D6216C232723A1C49AAF3564CF92364B1A063FBC51B12C1DF3CBD42CCAE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405A91(WCHAR* _a4) {
                                                				WCHAR* _t5;
                                                				short* _t7;
                                                				WCHAR* _t10;
                                                				short _t11;
                                                				WCHAR* _t12;
                                                				void* _t14;
                                                
                                                				_t12 = _a4;
                                                				_t10 = CharNextW(_t12);
                                                				_t5 = CharNextW(_t10);
                                                				_t11 =  *_t12;
                                                				if(_t11 == 0 ||  *_t10 != 0x3a || _t10[1] != 0x5c) {
                                                					if(_t11 != 0x5c || _t12[1] != _t11) {
                                                						L10:
                                                						return 0;
                                                					} else {
                                                						_t14 = 2;
                                                						while(1) {
                                                							_t14 = _t14 - 1;
                                                							_t7 = E00405A13(_t5, 0x5c);
                                                							if( *_t7 == 0) {
                                                								goto L10;
                                                							}
                                                							_t5 = _t7 + 2;
                                                							if(_t14 != 0) {
                                                								continue;
                                                							}
                                                							return _t5;
                                                						}
                                                						goto L10;
                                                					}
                                                				} else {
                                                					return CharNextW(_t5);
                                                				}
                                                			}









                                                0x00405a9a
                                                0x00405aa1
                                                0x00405aa4
                                                0x00405aa6
                                                0x00405aac
                                                0x00405ac4
                                                0x00405ae6
                                                0x00000000
                                                0x00405acc
                                                0x00405ace
                                                0x00405acf
                                                0x00405ad2
                                                0x00405ad3
                                                0x00405adc
                                                0x00000000
                                                0x00000000
                                                0x00405adf
                                                0x00405ae2
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00405ae2
                                                0x00000000
                                                0x00405acf
                                                0x00405abb
                                                0x00000000
                                                0x00405abc

                                                APIs
                                                • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,0040A300,00405B05,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp,766DFAA0,?,C:\Users\user\AppData\Local\Temp\,00405843,?,766DFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe" ), ref: 00405A9F
                                                • CharNextW.USER32(00000000), ref: 00405AA4
                                                • CharNextW.USER32(00000000), ref: 00405ABC
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp, xrefs: 00405A92
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CharNext
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsl3A9A.tmp
                                                • API String ID: 3213498283-416103064
                                                • Opcode ID: 1b3bb70d064d2828b3f020bf6a5482fb991db3eaf72ecbcdc1d8bf2f545e9475
                                                • Instruction ID: 0cb906ce55498ce86d0db88686860b14f8f146b66f9f6c0e4bde91ccc4fe9cfd
                                                • Opcode Fuzzy Hash: 1b3bb70d064d2828b3f020bf6a5482fb991db3eaf72ecbcdc1d8bf2f545e9475
                                                • Instruction Fuzzy Hash: E2F09611B10F1195DF3176545CC5A7B6AB8EB94354B04863BD602B72C0D7B84D818F99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 58%
                                                			E004059E6(WCHAR* _a4) {
                                                				WCHAR* _t9;
                                                
                                                				_t9 = _a4;
                                                				_push( &(_t9[lstrlenW(_t9)]));
                                                				_push(_t9);
                                                				if( *(CharPrevW()) != 0x5c) {
                                                					lstrcatW(_t9, 0x40a014);
                                                				}
                                                				return _t9;
                                                			}




                                                0x004059e7
                                                0x004059f4
                                                0x004059f5
                                                0x00405a00
                                                0x00405a08
                                                0x00405a08
                                                0x00405a10

                                                APIs
                                                • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040326A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 004059EC
                                                • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040326A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A9), ref: 004059F6
                                                • lstrcatW.KERNEL32(?,0040A014), ref: 00405A08
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004059E6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrcatlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2659869361-823278215
                                                • Opcode ID: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
                                                • Instruction ID: ee04230c76b470484a65779322a078522fef8bc0a4cae86812832761b4080375
                                                • Opcode Fuzzy Hash: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
                                                • Instruction Fuzzy Hash: 30D0A7711019306AC121EB449C04DDF629CAF45300341443FF501B30A2C77C5D618BFE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00402D8A(intOrPtr _a4) {
                                                				long _t2;
                                                				struct HWND__* _t3;
                                                				struct HWND__* _t6;
                                                
                                                				if(_a4 == 0) {
                                                					__eflags =  *0x7976f8; // 0x0
                                                					if(__eflags == 0) {
                                                						_t2 = GetTickCount();
                                                						__eflags = _t2 -  *0x7a8a4c;
                                                						if(_t2 >  *0x7a8a4c) {
                                                							_t3 = CreateDialogParamW( *0x7a8a40, 0x6f, 0, E00402D04, 0);
                                                							 *0x7976f8 = _t3;
                                                							return ShowWindow(_t3, 5);
                                                						}
                                                						return _t2;
                                                					} else {
                                                						return E00406444(0);
                                                					}
                                                				} else {
                                                					_t6 =  *0x7976f8; // 0x0
                                                					if(_t6 != 0) {
                                                						_t6 = DestroyWindow(_t6);
                                                					}
                                                					 *0x7976f8 = 0;
                                                					return _t6;
                                                				}
                                                			}






                                                0x00402d91
                                                0x00402dab
                                                0x00402db1
                                                0x00402dbb
                                                0x00402dc1
                                                0x00402dc7
                                                0x00402dd8
                                                0x00402de1
                                                0x00000000
                                                0x00402de6
                                                0x00402ded
                                                0x00402db3
                                                0x00402dba
                                                0x00402dba
                                                0x00402d93
                                                0x00402d93
                                                0x00402d9a
                                                0x00402d9d
                                                0x00402d9d
                                                0x00402da3
                                                0x00402daa
                                                0x00402daa

                                                APIs
                                                • DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,00000000,00403517,?), ref: 00402D9D
                                                • GetTickCount.KERNEL32 ref: 00402DBB
                                                • CreateDialogParamW.USER32 ref: 00402DD8
                                                • ShowWindow.USER32(00000000,00000005,?,?,00000000,00403517,?), ref: 00402DE6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                • String ID:
                                                • API String ID: 2102729457-0
                                                • Opcode ID: 1b6a587a400701eabc8229d3e3b69e73e671933e3945777b2463f190b987498e
                                                • Instruction ID: 43aedd9bd01b98b6f78ee00b952d30abd1abf30aba01f835b52ba634ff97d244
                                                • Opcode Fuzzy Hash: 1b6a587a400701eabc8229d3e3b69e73e671933e3945777b2463f190b987498e
                                                • Instruction Fuzzy Hash: 1AF05E30516A22EBC6916B14FF4DE8B7B64AB80B1171684BBF051B11E4CA7C0C82CB9C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00403B51(void* __ecx, void* __eflags) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed short _t6;
                                                				intOrPtr _t11;
                                                				signed int _t13;
                                                				signed int _t16;
                                                				signed short* _t18;
                                                				signed int _t20;
                                                				signed short* _t23;
                                                				intOrPtr _t25;
                                                				signed int _t26;
                                                				intOrPtr* _t27;
                                                
                                                				_t24 = L"1033";
                                                				_t13 = 0xffff;
                                                				_t6 = E00405F92(__ecx, L"1033");
                                                				while(1) {
                                                					_t26 =  *0x7a8a84;
                                                					if(_t26 == 0) {
                                                						goto L7;
                                                					}
                                                					_t16 =  *( *0x7a8a50 + 0x64);
                                                					_t20 =  ~_t16;
                                                					_t18 = _t16 * _t26 +  *0x7a8a80;
                                                					while(1) {
                                                 						// (Excerpt begins mid-function.) Scan the language table for an entry whose LANGID
                                                 						// (first WORD of the entry) equals _t6 under the mask _t13; _t20 is the entry size.
                                                 						// The structure matches the language selection of the open-source NSIS installer
                                                 						// stub (identification from the code itself; the report does not name the stub).
                                                 						_t18 = _t18 + _t20;
                                                 						_t26 = _t26 - 1;
                                                 						if((( *_t18 ^ _t6) & _t13) == 0) {
                                                 							break;    // matching language found
                                                 						}
                                                 						if(_t26 != 0) {
                                                 							continue;
                                                 						}
                                                 						goto L7;    // table exhausted: relax the mask and scan again
                                                 					}
                                                 					 *0x7a7a20 = _t18[1];    // dialog offset of this language (entry + 2)
                                                 					 *0x7a8ae8 = _t18[3];    // right-to-left flag (entry + 6)
                                                 					_t23 =  &(_t18[5]);      // string table of this language (entry + 10)
                                                 					if(_t23 != 0) {
                                                 						 *0x7a7a1c = _t23;    // make it the current language table
                                                 						E00405F79(_t24,  *_t18 & 0x0000ffff);    // record the chosen LANGID (the "1033" in this function's string list is en-US)
                                                 						// Resolve the caption string for this language (id 0xfffffffe, default text "Ottomans Setup") and put it on the main window.
                                                 						SetWindowTextW( *0x7a1f20, E00406054(_t13, _t24, _t26, "Ottomans Setup", 0xfffffffe));
                                                 						_t11 =  *0x7a8a6c;    // number of sections
                                                 						_t27 =  *0x7a8a68;    // section array, one 0x818-byte entry per section
                                                 						if(_t11 == 0) {
                                                 							L15:
                                                 							return _t11;
                                                 						}
                                                 						_t25 = _t11;
                                                 						do {
                                                 							_t11 =  *_t27;    // section name string id; 0 means the section has no name
                                                 							if(_t11 != 0) {
                                                 								_t11 = E00406054(_t13, _t25, _t27, _t27 + 0x18, _t11);    // re-expand the name into the buffer at +0x18 for the new language
                                                 							}
                                                 							_t27 = _t27 + 0x818;
                                                 							_t25 = _t25 - 1;
                                                 						} while (_t25 != 0);
                                                 						goto L15;
                                                 					}
                                                 					L7:
                                                 					if(_t13 != 0xffff) {    // second miss: mask 0 accepts any language
                                                 						_t13 = 0;
                                                 					} else {
                                                 						_t13 = 0x3ff;    // first miss: keep only the primary-language bits
                                                 					}
                                                 				}
                                                 			}
                                                 Address column (one entry per decompiled line above, flattened by extraction): 0x00403b55 to 0x00403c1d

                                                APIs
                                                • SetWindowTextW.USER32(00000000,Ottomans Setup), ref: 00403BE9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: TextWindow
                                                • String ID: 1033$Ottomans Setup
                                                • API String ID: 530164218-544923273
                                                • Opcode ID: 73e21ad5ffa932d89d7705433f4a385169624a21009188ee896e041d0e727551
                                                • Instruction ID: e987bbb99f4ce20eb3fe8b814340f1a9c458372fd2df2122c6df2ee7e0325558
                                                • Opcode Fuzzy Hash: 73e21ad5ffa932d89d7705433f4a385169624a21009188ee896e041d0e727551
                                                • Instruction Fuzzy Hash: 1D11D132B046109BC724DF15DC80A7777BCEBC6719728C17BE901A73A2DA3DAE018799
                                                Uniqueness

                                                Uniqueness Score: -1.00%
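The APIs, Memory Dump Source and Similarity lines above are the metadata the report repeats after every decompiled function; the Opcode ID, API String ID and fuzzy hashes are what an analyst pivots on when the same stub shows up in another sample. The following Python is an added example written for this page, not Joe Sandbox code and not part of the report: it parses one such block into a record and reports the fields on which two functions agree. The two sample blocks are constructed from lines of the first two functions on this page; the "Download File" suffix on dump names is link text left behind by the HTML export and is stripped during parsing.

```python
"""Parse the metadata block the report prints after each decompiled function.
Added example for this page; it is not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Optional

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
# "• Name.MODULE(args), ref: ADDR", optionally prefixed with "Part of subcall function ADDR:"
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?(?P<name>\w+)"
                    r"\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*?)$")
STRING_RE = re.compile(r"^•\s*(?P<val>.*), xrefs: (?P<xref>[0-9A-Fa-f]+)$")
SCORE_RE = re.compile(r"Uniqueness Score:\s*(?P<score>-?\d+(?:\.\d+)?)%")
PIVOT_KEYS = ("API String ID", "Opcode ID", "Instruction Fuzzy Hash")  # comparable across reports
LINK_RESIDUE = "Download File"  # link text the HTML export glues onto each dump name

# Sample blocks constructed from lines of the first two functions on this page.
SAMPLE_A = """\
APIs
• SetWindowTextW.USER32(00000000,Ottomans Setup), ref: 00403BE9
Strings
Memory Dump Source
• Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• String ID: 1033$Ottomans Setup
• API String ID: 530164218-544923273
• Opcode ID: 73e21ad5ffa932d89d7705433f4a385169624a21009188ee896e041d0e727551
• Instruction Fuzzy Hash: 1D11D132B046109BC724DF15DC80A7777BCEBC6719728C17BE901A73A2DA3DAE018799
Uniqueness
Uniqueness Score: -1.00%
"""
SAMPLE_B = """\
APIs
• IsWindowVisible.USER32 ref: 00405134
• CallWindowProcW.USER32(?,?,?,?), ref: 00405185
  • Part of subcall function 00404142: SendMessageW.USER32(000103CE,00000000,00000000,00000000), ref: 00404154
Similarity
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 555dd6184ff58a02eec7ea7395712ea6493033a95aca245b2aa61cc483e9b19e
Uniqueness Score: -1.00%
"""


@dataclass
class FunctionMeta:
    apis: list = field(default_factory=list)        # dicts: name, module, args, ref, parent
    strings: list = field(default_factory=list)     # (string, xref address)
    source_file: str = ""
    associated: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)
    uniqueness_score: Optional[float] = None


def _clean(value):
    value = value.strip()
    return value[:-len(LINK_RESIDUE)].strip() if value.endswith(LINK_RESIDUE) else value


def parse_function_block(text):
    meta, section = FunctionMeta(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if (m := SCORE_RE.search(line)):
            meta.uniqueness_score = float(m.group("score"))
        elif section == "APIs" and (m := API_RE.match(line)):
            args = m.group("args")
            meta.apis.append({"name": m.group("name"), "module": m.group("module"),
                              "args": args.split(",") if args else [],
                              "ref": int(m.group("ref"), 16),
                              "parent": int(m.group("parent"), 16) if m.group("parent") else None})
        elif section == "Strings" and (m := STRING_RE.match(line)):
            meta.strings.append((m.group("val"), int(m.group("xref"), 16)))
        elif section in ("Memory Dump Source", "Similarity") and (m := KV_RE.match(line)):
            key, val = m.group("key"), _clean(m.group("val"))
            if key == "Source File":
                meta.source_file = val.split(",")[0]   # drop ", Offset: ..., based on PE: ..."
            elif key == "Associated":
                meta.associated.append(val)
            elif section == "Similarity":
                meta.similarity[key] = val
    return meta


def shared_pivots(a, b):
    """Similarity fields on which two functions agree; empty values never match."""
    return {k for k in PIVOT_KEYS if a.similarity.get(k) and a.similarity.get(k) == b.similarity.get(k)}
```

Feeding every function block of a report through `parse_function_block` and indexing the records by Opcode ID gives a quick answer to "have we seen this exact function before" without re-running the decompiler; `shared_pivots` is deliberately strict about empty values so that two functions with no strings do not match on an empty String ID.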

                                                C-Code - Quality: 89%
                                                 			// Subclass procedure installed on a control (in the NSIS stub this is the components tree view);
                                                 			// the original window procedure is kept at 0x7a1f34. Message numbers: 0x102 = WM_CHAR,
                                                 			// 0x200 = WM_MOUSEMOVE, 0x413 and 0x419 = WM_USER + 0x13 / 0x19, private to the installer.
                                                 			E00405105(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                 				int _t15;
                                                 				long _t16;
                                                 
                                                 				_t15 = _a8;    // uMsg
                                                 				if(_t15 != 0x102) {
                                                 					if(_t15 != 0x200) {
                                                 						_t16 = _a16;    // lParam
                                                 						L7:
                                                 						if(_t15 == 0x419 &&  *0x7a1f2c != _t16) {    // selection changed; 0x7a1f2c remembers the last selected item
                                                 							_push(_t16);
                                                 							_push(6);
                                                 							 *0x7a1f2c = _t16;
                                                 							E00404ADB();    // update the dialog for the newly selected item
                                                 						}
                                                 						L11:
                                                 						return CallWindowProcW( *0x7a1f34, _a4, _t15, _a12, _t16);    // everything else goes to the original procedure
                                                 					}
                                                 					if(IsWindowVisible(_a4) == 0) {    // WM_MOUSEMOVE on a hidden control is passed through unchanged
                                                 						L10:
                                                 						_t16 = _a16;
                                                 						goto L11;
                                                 					}
                                                 					_t16 = E00404A5B(_a4, 1);    // hit-test the cursor position to an item ...
                                                 					_t15 = 0x419;                // ... and treat hovering over it as a selection change
                                                 					goto L7;
                                                 				}
                                                 				if(_a12 != 0x20) {    // WM_CHAR: only the space bar (wParam 0x20) is intercepted
                                                 					goto L10;
                                                 				}
                                                 				E00404142(0x413);    // keyboard toggle of the current item; E00404142 delivers the code with SendMessageW (subcall listed below)
                                                 				return 0;
                                                 			}
                                                 Address column (one entry per decompiled line above, flattened by extraction): 0x00405109 to 0x00405185

                                                APIs
                                                • IsWindowVisible.USER32 ref: 00405134
                                                • CallWindowProcW.USER32(?,?,?,?), ref: 00405185
                                                  • Part of subcall function 00404142: SendMessageW.USER32(000103CE,00000000,00000000,00000000), ref: 00404154
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                • API String ID: 3748168415-3916222277
                                                • Opcode ID: 555dd6184ff58a02eec7ea7395712ea6493033a95aca245b2aa61cc483e9b19e
                                                • Instruction ID: dd95526c2c69af2e2475994b1a4b7019860870cbffabe27cf4c45e442f77114e
                                                • Opcode Fuzzy Hash: 555dd6184ff58a02eec7ea7395712ea6493033a95aca245b2aa61cc483e9b19e
                                                • Instruction Fuzzy Hash: 80015A7190060CAFEF219F25DD80FAB3A26EB85354F108136FA047E2D1C77A8C919E6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                 			// Unloads every DLL on the singly linked list rooted at 0x79ff04 and frees the list nodes.
                                                 			// Node layout as used here: +0 next pointer, +8 module handle. The Temp directory string
                                                 			// cross-referenced from this function (Strings below) is consistent with DLLs the stub
                                                 			// extracted there before loading them.
                                                 			E004037E6() {
                                                 				void* _t2;
                                                 				void* _t3;
                                                 				void* _t6;
                                                 				void* _t8;
                                                 
                                                 				_t8 =  *0x79ff04; // 0xa49c40 (list head at dump time)
                                                 				_t3 = E004037CB(_t2, 0);    // called with 0 before the unload loop; its body is not on this page
                                                 				if(_t8 != 0) {
                                                 					do {
                                                 						_t6 = _t8;
                                                 						_t8 =  *_t8;                 // next node
                                                 						FreeLibrary( *(_t6 + 8));    // unload the module
                                                 						_t3 = GlobalFree(_t6);       // release the node
                                                 					} while (_t8 != 0);
                                                 				}
                                                 				 *0x79ff04 =  *0x79ff04 & 0x00000000;    // clear the list head
                                                 				return _t3;
                                                 			}
                                                 Address column (one entry per decompiled line above, flattened by extraction): 0x004037e7 to 0x0040381a

                                                APIs
                                                • FreeLibrary.KERNEL32(?,766DFAA0,00000000,C:\Users\user\AppData\Local\Temp\,004037BE,004035D3,?), ref: 00403800
                                                • GlobalFree.KERNEL32 ref: 00403807
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004037E6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Free$GlobalLibrary
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 1100898210-823278215
                                                • Opcode ID: cd6be415db01051891a2bbdb2ac2360d1775ad133b1b133e2abe0c5c00c63f81
                                                • Instruction ID: 7b5e820bad8908d6e9c5a6129ef56ed4de620d6e951f9557df5b5d2d3b1225d2
                                                • Opcode Fuzzy Hash: cd6be415db01051891a2bbdb2ac2360d1775ad133b1b133e2abe0c5c00c63f81
                                                • Instruction Fuzzy Hash: 90E08C334115205BC6211F14AA04B2A76BC6F49F22F19802FF880BB2608B781C424AC8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                 			// Splits a path at its last backslash in place: the backslash is overwritten with NUL so the
                                                 			// buffer keeps the directory part, and a pointer to the file name that followed it is returned.
                                                 			// For the captured input C:\Users\user\Desktop the buffer becomes C:\Users\user and the
                                                 			// returned pointer reads Desktop.
                                                 			E00405A32(WCHAR* _a4) {
                                                 				WCHAR* _t5;
                                                 				WCHAR* _t7;
                                                 
                                                 				_t7 = _a4;
                                                 				_t5 =  &(_t7[lstrlenW(_t7)]);    // start at the terminating NUL
                                                 				while( *_t5 != 0x5c) {            // 0x5c is L'\\'
                                                 					_push(_t5);
                                                 					_push(_t7);
                                                 					_t5 = CharPrevW();    // step back one character (arguments: start of buffer, current position)
                                                 					if(_t5 > _t7) {
                                                 						continue;
                                                 					}
                                                 					break;    // reached the start of the buffer without finding a backslash
                                                 				}
                                                 				 *_t5 =  *_t5 & 0x00000000;    // terminate the directory part; with no backslash at all this zeroes the first character
                                                 				return  &(_t5[1]);             // file-name part
                                                 			}
                                                 Address column (one entry per decompiled line above, flattened by extraction): 0x00405a33 to 0x00405a5a

                                                APIs
                                                • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405A38
                                                • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe,C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405A48
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrlen
                                                • String ID: C:\Users\user\Desktop
                                                • API String ID: 2709904686-1246513382
                                                • Opcode ID: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
                                                • Instruction ID: 324b1dc390856c450e544e32c4aad69d139446a74aa4c59c68e3560d72017bd2
                                                • Opcode Fuzzy Hash: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
                                                • Instruction Fuzzy Hash: 1FD05EB2400D209AD322A704DC44EAF63A8FF51300786886AF941A61A1D7785C818EA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%
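The next listing, E100010E1, is an export of the DLL mapped at 0x10000000 and walks a command string one character at a time, saving and restoring the installer's whole variable block and moving values between variables and the installer stack. The following Python is an added model of that loop, written for this page; it is neither the plugin's code nor part of the report, and it is placed before the listing because the listing breaks off mid-function. Assumptions, all inferred from how the decompiled helpers are used: E10001243 pops a string from the installer stack, E100012BA and E10001272 read a variable and push it, E100012E1 stores a popped string into a variable, and the copied block holds 20 variables (string_size times 20 WCHARs). Only the branches visible in the listing (s, l, pN, rN) are modeled. That command shape is consistent with the Store function of the NSIS System plugin, an identification made here from the code and not stated by the report.

```python
"""Model of the s / l / pN / rN command loop in the E100010E1 listing.
Added example for this page; helper semantics and the 20-variable layout are assumptions."""

NUM_VARS = 20  # string_size * 40 bytes copied by the listing = 20 WCHAR variables (assumed $0-$9, $R0-$R9)


class PluginState:
    def __init__(self, variables, stack):
        self.vars = list(variables) + [""] * (NUM_VARS - len(variables))
        self.stack = list(stack)   # installer stack; the top is the last element
        self.saved = []            # the plugin's private linked list of saved variable blocks, newest last

    def _pop(self):
        return self.stack.pop() if self.stack else ""  # assumption: popping an empty stack yields ""

    def _index(self, ch):
        # The listing computes (character - 0x30) with no range check in sight;
        # rejecting out-of-range indices is this model's own safeguard.
        n = ord(ch) - 0x30
        return n if 0 <= n < NUM_VARS else None

    def store(self, command):
        i = 0
        while i < len(command):
            c = command[i]
            i += 1
            if c == "s":                       # 's': GlobalAlloc a node and copy all variables into it
                self.saved.append(list(self.vars))
            elif c == "l":                     # 'l': copy the newest node back and unlink it
                if self.saved:
                    self.vars = self.saved.pop()
            elif c in ("p", "r"):
                if i >= len(command):
                    break                      # dangling register letter: nothing left to read
                n = self._index(command[i])
                i += 1
                if n is None:
                    continue
                if c == "p":                   # 'pN': push variable N onto the installer stack
                    self.stack.append(self.vars[n])
                else:                          # 'rN': pop the installer stack into variable N
                    self.vars[n] = self._pop()
            # any other character (separators, unknown ops) is skipped, as in the listing
        return self


def run_store(command, variables=(), stack=()):
    """Execute one command string; returns (variables, stack, saved blocks) afterwards."""
    st = PluginState(variables, stack).store(command)
    return st.vars, st.stack, st.saved
```

A script that calls this with "s r0 r1 ... p1 p0 l" can consume two stack arguments into $0 and $1, work with them, push them back and then restore every variable to its previous value, which is why an obfuscated installer script can use the plugin freely without leaving traces in the variables an analyst dumps afterwards.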

                                                C-Code - Quality: 100%
                                                 			// Exported plugin entry point. The argument usage matches the NSIS plugin convention
                                                 			// (hwndParent, string_size, variables, stacktop, extra), an identification made from the
                                                 			// code; the report does not name the plugin. Only the part captured on this page is listed
                                                 			// and the function breaks off below.
                                                 			E100010E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                 				void* _v0;
                                                 				void* _t17;
                                                 				signed int _t19;
                                                 				void* _t20;
                                                 				void* _t24;
                                                 				void* _t26;
                                                 				void* _t30;
                                                 				void* _t36;
                                                 				void* _t38;
                                                 				void* _t39;
                                                 				signed int _t41;
                                                 				void* _t42;
                                                 				void* _t51;
                                                 				void* _t52;
                                                 				signed short* _t54;
                                                 				void* _t56;
                                                 				void* _t59;
                                                 				void* _t61;
                                                 
                                                 				 *0x1000406c = _a8;     // string_size
                                                 				 *0x10004070 = _a16;    // stacktop
                                                 				 *0x10004074 = _a12;    // variables
                                                 				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1, _t51, _t56);    // extra + 0xc: register E100015B1 as the plugin callback for this module
                                                 				_t41 =  *0x1000406c +  *0x1000406c * 4 << 3;    // string_size * 40: byte size of 20 WCHAR variables of string_size characters each
                                                 				_t17 = E10001243();    // pop the command string from the installer stack (helper role inferred from its use)
                                                 				_v0 = _t17;
                                                 				_t52 = _t17;
                                                 				if( *_t17 == 0) {
                                                 					L16:
                                                 					return GlobalFree(_t17);    // empty command: release it and return
                                                 				} else {
                                                 					do {
                                                 						_t19 =  *_t52 & 0x0000ffff;    // current command character
                                                 						_t42 = 2;
                                                 						_t54 = _t52 + _t42;            // pointer to the following character
                                                 						_t61 = _t19 - 0x6c;            // compare with 'l'
                                                 						if(_t61 > 0) {
                                                 							_t20 = _t19 - 0x70;        // 'p'
                                                 							if(_t20 == 0) {
                                                 								L12:
                                                 								_t52 = _t54 + _t42;    // consume the register digit
                                                 								_t24 = E10001272(E100012BA(( *_t54 & 0x0000ffff) - 0x30));    // "pN": read variable N (digit - 0x30, no range check visible) and push it onto the installer stack
                                                 								L13:
                                                 								GlobalFree(_t24);
                                                 								goto L14;
                                                 							}
                                                 							_t26 = _t20 - _t42;        // 'r'
                                                 							if(_t26 == 0) {
                                                 								L10:
                                                 								_t52 =  &(_t54[1]);
                                                 								_t24 = E100012E1(( *_t54 & 0x0000ffff) - 0x30, E10001243());    // "rN": pop the installer stack into variable N
                                                 								goto L13;
                                                 							}
                                                 							L7:
                                                 							if(_t26 == 1) {            // 's': save a copy of all variables on a private linked list rooted at 0x10004040
                                                 								_t30 = GlobalAlloc(0x40, _t41 + 4);    // GPTR node: next pointer followed by the variable block
                                                 								 *_t30 =  *0x10004040;
                                                 								 *0x10004040 = _t30;
                                                 								E10001563(_t30 + 4,  *0x10004074, _t41);    // copy the variables into the node
                                                 								_t59 = _t59 + 0xc;
                                                 							}
                                                 							goto L14;                  // any other character is skipped
                                                 						}
                                                 						if(_t61 == 0) {                // 'l': restore the newest saved copy and unlink its node
                                                 							L17:
                                                 							_t33 =  *0x10004040;
                                                 							if( *0x10004040 != 0) {
                                                 								E10001563( *0x10004074, _t33 + 4, _t41);    // copy the saved block back over the variables
                                                 								_t59 = _t59 + 0xc;
                                                 								_t36 =  *0x10004040;
                                                 								GlobalFree(_t36);
                                                 								 *0x10004040 =  *_t36;    // next pointer read after the free, in the order the decompiler emitted it
                                                 							}
                                                							goto L14;
                                                						}
                                                						_t38 = _t19 - 0x4c;
                                                						if(_t38 == 0) {
                                                							goto L17;
                                                						}
                                                						_t39 = _t38 - 4;
                                                						if(_t39 == 0) {
                                                							 *_t54 =  *_t54 + 0xa;
                                                							goto L12;
                                                						}
                                                						_t26 = _t39 - _t42;
                                                						if(_t26 == 0) {
                                                							 *_t54 =  *_t54 + 0xa;
                                                							goto L10;
                                                						}
                                                						goto L7;
                                                						L14:
                                                					} while ( *_t52 != 0);
                                                					_t17 = _v0;
                                                					goto L16;
                                                				}
                                                			}

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.568170336.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.568166890.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000000.00000002.568174284.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                • Associated: 00000000.00000002.568181130.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID:
                                                • API String ID: 1780285237-0
                                                • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                                • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405B6C(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                				int _v8;
                                                				int _t12;
                                                				int _t14;
                                                				int _t15;
                                                				CHAR* _t17;
                                                				CHAR* _t27;
                                                
                                                				_t12 = lstrlenA(_a8);
                                                				_t27 = _a4;
                                                				_v8 = _t12;
                                                				while(lstrlenA(_t27) >= _v8) {
                                                					_t14 = _v8;
                                                					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                					_t15 = lstrcmpiA(_t27, _a8);
                                                					_t27[_v8] =  *(_t14 + _t27);
                                                					if(_t15 == 0) {
                                                						_t17 = _t27;
                                                					} else {
                                                						_t27 = CharNextA(_t27);
                                                						continue;
                                                					}
                                                					L5:
                                                					return _t17;
                                                				}
                                                				_t17 = 0;
                                                				goto L5;
                                                			}

                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405B7C
                                                • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405B94
                                                • CharNextA.USER32(00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405BA5
                                                • lstrlenA.KERNEL32(00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405BAE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.565875717.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.565862609.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565899076.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.565911829.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566052957.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566060211.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566071518.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566088781.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566421923.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566455157.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566521940.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.566593234.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567045908.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567261291.00000000007D3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.567468570.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
                                                • Instruction ID: 7563504597b604d9a211119aa68f0a7f164f23f923bb21cff999b965ed3bd4a6
                                                • Opcode Fuzzy Hash: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
                                                • Instruction Fuzzy Hash: DCF0C231105818AFD7029FA5DD0099FBBB8EF55250B2540A9E840F7210D674FE019B68
                                                Uniqueness

                                                Uniqueness Score: -1.00%