Windows Analysis Report
setup.exe

Overview

General Information

Sample Name: setup.exe
Analysis ID: 831887
MD5: 4b1b8d826af29ffedb77d48e34ce9494
SHA1: c90c4aad5975c0be4a2c25240367874af1218c6a
SHA256: 9e068da322450ae34e33254c3bd919c1a38c5387f10f99ce4305bc63452acea6
Tags: exe, Rhadamanthys

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected RHADAMANTHYS Stealer
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Potential time zone aware malware
Yara detected Keylogger Generic
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • setup.exe (PID: 3152 cmdline: C:\Users\user\Desktop\setup.exe MD5: 4B1B8D826AF29FFEDB77D48E34CE9494)
    • dllhost.exe (PID: 5552 cmdline: C:\Windows\system32\dllhost.exe MD5: 2528137C6745C4EADD87817A1909677E)
  • cleanup
Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware and, as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys
{"C2 url": "http://179.43.154.216/img/favicon.ico"}
Source / Rule / Description / Author / Strings
Source: 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp
  Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp
  Rule: JoeSecurity_RHADAMANTHYS | Description: Yara detected RHADAMANTHYS Stealer | Author: Joe Security
Source: 0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_RHADAMANTHYS | Description: Yara detected RHADAMANTHYS Stealer | Author: Joe Security
Source: 0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_RHADAMANTHYS | Description: Yara detected RHADAMANTHYS Stealer | Author: Joe Security
Source: 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_RHADAMANTHYS | Description: Yara detected RHADAMANTHYS Stealer | Author: Joe Security
Source / Rule / Description / Author / Strings
Source: 10.3.dllhost.exe.229cae30000.11.raw.unpack
  Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
No Sigma rule has matched

Snort alert 1
  Timestamp: 03/22/23-02:44:55.586805
  Source: 192.168.2.3:49697
  Destination: 179.43.154.216:80
  SID: 2043202
  Protocol: TCP
  Classtype: A Network Trojan was detected

Snort alert 2
  Timestamp: 03/22/23-02:44:55.688487
  Source: 179.43.154.216:80
  Destination: 192.168.2.3:49697
  SID: 2853001
  Protocol: TCP
  Classtype: A Network Trojan was detected

Snort alert 3
  Timestamp: 03/22/23-02:45:15.346327
  Source: 192.168.2.3:49700
  Destination: 179.43.154.216:80
  SID: 2853002
  Protocol: TCP
  Classtype: A Network Trojan was detected


              AV Detection

Source: setup.exe | Virustotal: Detection: 42%
Source: setup.exe | ReversingLabs: Detection: 62%
Source: setup.exe | Joe Sandbox ML: detected
Source: 0.3.setup.exe.840000.0.raw.unpack | Malware Configuration Extractor: Rhadamanthys {"C2 url": "http://179.43.154.216/img/favicon.ico"}
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E6C06C CryptUnprotectData, 10_2_00007DF490E6C06C

              Compliance

Source: C:\Users\user\Desktop\setup.exe | Unpacked PE file: 0.2.setup.exe.400000.0.unpack
Source: setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\setup.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\huxiwavemejedi kuwususudidix\vemoxu.pdb | source: setup.exe
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E6828C FindFirstFileW, FindNextFileW, 10_2_00007DF490E6828C
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E6782C FindFirstFileW, FindNextFileW, FindClose, 10_2_00007DF490E6782C
Source: C:\Windows\System32\dllhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\System32\dllhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\System32\dllhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\System32\dllhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\System32\dllhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\System32\dllhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

              Networking

Source: Traffic | Snort IDS: 2043202 ET TROJAN Rhadamanthys Stealer - Payload Download Request 192.168.2.3:49697 -> 179.43.154.216:80
Source: Traffic | Snort IDS: 2853001 ETPRO TROJAN Rhadamanthys Stealer - Payload Response 179.43.154.216:80 -> 192.168.2.3:49697
Source: Traffic | Snort IDS: 2853002 ETPRO TROJAN Rhadamanthys Stealer - Data Exfil 192.168.2.3:49700 -> 179.43.154.216:80
Source: Malware configuration extractor | URLs: http://179.43.154.216/img/favicon.ico
Source: dllhost.exe, 0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-Agentcurl/5.9Sec-Websocket-KeySec-Webs
Source: dllhost.exe, 0000000A.00000003.309829921.00000229C94B5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.309263993.00000229C92C2000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362475431.00000229CB4F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http:///etc/puk.keyMachineGuidSOFTWARE
Source: dllhost.exe, 0000000A.00000002.363452486.00000229C9405000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362475431.00000229CB5DE000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363733987.00000229CB5E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://179.43.154.216/img/favicon.ico
Source: dllhost.exe, 0000000A.00000003.362475431.00000229CB5DE000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363733987.00000229CB5E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://179.43.154.216/img/favicon.ico;
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.accv.es0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.ncdc.gov.sa0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.pki.gva.es0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.suscerte.gob.ve0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://pki.digidentity.eu/validatie0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://pki.registradores.org/normativa/index.htm0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://policy.camerfirma.com0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
              Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org/doc0
              Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
              Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ancert.com/cps0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/es/address-direccion.html
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
              Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.comsign.co.il/cps0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.dnie.es/dpc0
              Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dsquery.dll
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.e-me.lv/repository0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
              Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.eme.lv/repository0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0=
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.oaticerts.com/repository.
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rcsc.lt/repository0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ssc.lt/cps03
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/dpc0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/lcr0#
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CAF90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://%s.pinrules.crt/%sendTraceLogca1.3.6.1.4.1.311.10.8.11.3.6.1.4.1.311.10.11.1.3.6.1.4.1.311.1
              Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
              Source: dllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com
              Source: dllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com
              Source: dllhost.exe, 0000000A.00000003.346428768.00000229C9302000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BBD4EA3DA
              Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://eca.hinet.net/repository0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://repository.luxtrust.lu0
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com
Source: dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com-_https://support.google.com
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6315198?product=
Source: dllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346532064.00000229C92E8000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome?p=update_error
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome?p=update_errorFix
Source: dllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome?p=update_errore
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/installer/?product=
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/address/)1(0&
Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.catcert.net/verarrel
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.catcert.net/verarrel05
Source: dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: dllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346532064.00000229C92E8000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C9302000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/
Source: dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/.
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/Google
Source: dllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/e
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C9302000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346524117.00000229C92EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google
Source: dllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/st_vi
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search?q=chrome&oq=chrome&aqs=chrome..69i57j0j5l3j69i60l3.2663j0j4&sourceid=c
Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.netlock.hu/docs/
Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.netlock.net/docs
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: dllhost.exe, 0000000A.00000003.313327371.00000229CABB7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DirectInput8Create
Source: dllhost.exe, 0000000A.00000003.320564626.00000229CAF50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: GetRawInputData
Source: Yara match | File source: 10.3.dllhost.exe.229cae30000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000003.313327371.00000229CABB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.315292448.00000229CAE30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dllhost.exe PID: 5552, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

Source: dllhost.exe, 0000000A.00000003.322929010.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: ?_Mtx_unlock@threads@stdext@@YAXPEAX@Z
Source: dllhost.exe, 0000000A.00000003.322929010.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
Source: dllhost.exe, 0000000A.00000003.322929010.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: ?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
Source: dllhost.exe, 0000000A.00000003.322929010.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ

              System Summary

Source: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.312786751.000000000096E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.312786751.000000000096E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040C04C
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00401414
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040B56C
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040D987
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_004086D4
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040BADC
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040C7C8
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0081893B
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0081C2B3
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0081167B
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0081DBEE
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00000229C8F429F8
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00000229C8F4455C
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00000229C8F41968
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00000229C8F42558
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00000229C8F422B3
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00000229C8F45994
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00000229C8F45094
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00000229C8F45414
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E615E4
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E68718
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E636A0
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E9B0C8
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490EC8090
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E91224
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E9A3F4
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E503D8
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E9D558
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E51530
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490EE84C4
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E5D608
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E975A8
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490EA3754
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490EB673C
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490ED36E8
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490EDA698
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490EBF864
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E69828
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E9B77C
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490EF9964
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E91900
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490EB4A18
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E9C9FC
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E699F0
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490EF5B3C
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E99B34
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490EDEB34
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490ED6AA0
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E53C68
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E90C58
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E91C4C
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490EE9D58
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490EABC88
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E76E60
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E5FE38
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490EB0DF0
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490F12DE4
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E90E98
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490ECAE88
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E72834 NtQuerySystemInformation,
Source: setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: setup.exe | Virustotal: Detection: 42%
Source: setup.exe | ReversingLabs: Detection: 62%
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\setup.exe C:\Users\user\Desktop\setup.exe
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\setup.exe | Mutant created: \Sessions\1\BaseNamedObjects\Random name
Source: C:\Users\user\Desktop\setup.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: dllhost.exe | String found in binary or memory: ./?.so;lua/lib/amd64/?.so;lua/lib/amd64/loadall.so
Source: C:\Users\user\Desktop\setup.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: Binary string: netutils.pdbUGP source: dllhost.exe, 0000000A.00000003.338383043.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: rpcrt4.pdb source: dllhost.exe, 0000000A.00000003.319605704.00000229CAEE0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.319293046.00000229CADB8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ucrtbase.pdb source: dllhost.exe, 0000000A.00000003.315959802.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\huxiwavemejedi kuwususudidix\vemoxu.pdb source: setup.exe
              Source: Binary string: msvcrt.pdb source: dllhost.exe, 0000000A.00000003.319958084.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: rpcrt4.pdbUGP source: dllhost.exe, 0000000A.00000003.319605704.00000229CAEE0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.319293046.00000229CADB8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: shcore.pdb source: dllhost.exe, 0000000A.00000003.346097175.00000229C92C3000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.331435099.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: bcryptprimitives.pdbUGP source: dllhost.exe, 0000000A.00000003.319768034.00000229CADE3000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: advapi32.pdb source: dllhost.exe, 0000000A.00000003.323423570.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: fltLib.pdb source: dllhost.exe, 0000000A.00000003.337709960.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cfgmgr32.pdbUGP source: dllhost.exe, 0000000A.00000003.328492995.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: shell32.pdb source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: crypt32.pdbUGP source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CAF90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msvcp_win.pdb source: dllhost.exe, 0000000A.00000003.322929010.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: psapi.pdbUGP source: dllhost.exe, 0000000A.00000003.323886807.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msasn1.pdbUGP source: dllhost.exe, 0000000A.00000003.340759627.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: gdi32.pdbUGP source: dllhost.exe, 0000000A.00000003.321319502.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: shlwapi.pdb source: dllhost.exe, 0000000A.00000003.337454425.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: shlwapi.pdbUGP source: dllhost.exe, 0000000A.00000003.337454425.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: kernel32.pdb source: dllhost.exe, 0000000A.00000003.312902566.00000229CABB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: user32.pdbUGP source: dllhost.exe, 0000000A.00000003.320564626.00000229CAF50000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.320117522.00000229CADB4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: combase.pdbUGP source: dllhost.exe, 0000000A.00000003.317709991.00000229CB0F0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.316365466.00000229CADBB000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: gdi32full.pdb source: dllhost.exe, 0000000A.00000003.322096367.00000229CB09D000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.321498214.00000229CAF02000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: win32u.pdb source: dllhost.exe, 0000000A.00000003.321242005.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ucrtbase.pdbUGP source: dllhost.exe, 0000000A.00000003.315959802.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: shell32.pdbUGP source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: fltLib.pdbGCTL source: dllhost.exe, 0000000A.00000003.337709960.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: imm32.pdb source: dllhost.exe, 0000000A.00000003.323185450.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: gdi32full.pdbUGP source: dllhost.exe, 0000000A.00000003.322096367.00000229CB09D000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.321498214.00000229CAF02000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: kernel32.pdbUGP source: dllhost.exe, 0000000A.00000003.312902566.00000229CABB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: profapi.pdb source: dllhost.exe, 0000000A.00000003.337601120.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: gdi32.pdb source: dllhost.exe, 0000000A.00000003.321319502.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ws2_32.pdb source: dllhost.exe, 0000000A.00000003.323264632.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: shcore.pdbUGP source: dllhost.exe, 0000000A.00000003.346097175.00000229C92C3000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.331435099.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: sechost.pdb source: dllhost.exe, 0000000A.00000003.323662985.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ntdll.pdbUGP source: dllhost.exe, 0000000A.00000003.311996027.00000229CADA0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.310400293.00000229CABB9000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.311204740.00000229CABB4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ole32.pdbUGP source: dllhost.exe, 0000000A.00000003.338000747.00000229CAF10000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.337738921.00000229CADBE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: powrprof.pdbUGP source: dllhost.exe, 0000000A.00000003.337631080.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: powrprof.pdb source: dllhost.exe, 0000000A.00000003.337631080.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cPC:\huxiwavemejedi kuwususudidix\vemoxu.pdb source: setup.exe
              Source: Binary string: ole32.pdb source: dllhost.exe, 0000000A.00000003.338000747.00000229CAF10000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.337738921.00000229CADBE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: win32u.pdbGCTL source: dllhost.exe, 0000000A.00000003.321242005.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: Kernel.Appcore.pdbUGP source: dllhost.exe, 0000000A.00000003.337560536.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: sechost.pdbUGP source: dllhost.exe, 0000000A.00000003.323662985.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: imm32.pdbUGP source: dllhost.exe, 0000000A.00000003.323185450.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: user32.pdb source: dllhost.exe, 0000000A.00000003.320564626.00000229CAF50000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.320117522.00000229CADB4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: kernelbase.pdbUGP source: dllhost.exe, 0000000A.00000003.313327371.00000229CABB7000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.315292448.00000229CAE30000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: Kernel.Appcore.pdb source: dllhost.exe, 0000000A.00000003.337560536.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msasn1.pdb source: dllhost.exe, 0000000A.00000003.340759627.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: psapi.pdb source: dllhost.exe, 0000000A.00000003.323886807.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msvcp_win.pdbUGP source: dllhost.exe, 0000000A.00000003.322929010.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: advapi32.pdbUGP source: dllhost.exe, 0000000A.00000003.323423570.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: netapi32.pdb source: dllhost.exe, 0000000A.00000003.338340488.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: bcryptprimitives.pdb source: dllhost.exe, 0000000A.00000003.319768034.00000229CADE3000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: oleaut32.pdbUGP source: dllhost.exe, 0000000A.00000003.338217837.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cfgmgr32.pdb source: dllhost.exe, 0000000A.00000003.328492995.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ntdll.pdb source: dllhost.exe, 0000000A.00000003.311996027.00000229CADA0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.310400293.00000229CABB9000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.311204740.00000229CABB4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: combase.pdb source: dllhost.exe, 0000000A.00000003.317709991.00000229CB0F0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.316365466.00000229CADBB000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: profapi.pdbUGP source: dllhost.exe, 0000000A.00000003.337601120.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: netapi32.pdbUGP source: dllhost.exe, 0000000A.00000003.338340488.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: oleaut32.pdb source: dllhost.exe, 0000000A.00000003.338217837.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ws2_32.pdbUGP source: dllhost.exe, 0000000A.00000003.323264632.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: kernelbase.pdb source: dllhost.exe, 0000000A.00000003.313327371.00000229CABB7000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.315292448.00000229CAE30000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: netutils.pdb source: dllhost.exe, 0000000A.00000003.338383043.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: crypt32.pdb source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CAF90000.00000004.00001000.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Users\user\Desktop\setup.exeUnpacked PE file: 0.2.setup.exe.400000.0.unpack
              Source: C:\Users\user\Desktop\setup.exeUnpacked PE file: 0.2.setup.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00408235 push ecx; ret 0_2_00408248
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0081849C push ecx; ret 0_2_008184AF
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0081CA27 push eax; ret 0_2_0081CA28
              Source: C:\Windows\System32\dllhost.exeCode function: 10_2_00000229C8F90003 push esp; retf 91AFh10_2_00000229C8F90009
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0040AA72 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0040AA72
              Source: initial sampleStatic PE information: section name: .text entropy: 7.756451536968294
              Source: C:\Users\user\Desktop\setup.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\setup.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\System32\dllhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\System32\dllhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara matchFile source: 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.301383185.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: setup.exe PID: 3152, type: MEMORYSTR
              Source: dllhost.exe, 0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PARTIAL RECORD WITHOUT END(1)PARTIAL RECORD WITHOUT END(2)MISSING START OF FRAGMENTED RECORD(1)MISSING START OF FRAGMENTED RECORD(2)ERROR IN MIDDLE OF RECORDUNKNOWN RECORD TYPE %UCHECKSUM MISMATCHBAD RECORD LENGTHKERNEL32.DLLEXITPROCESS/BIN/RUNTIME.EXERTLGETVERSION%08X.LUA/EXTENSION/%08X.LUA/BIN/I386/STUB.DLL/BIN/KEEPASSHAX.DLL/BIN/I386/STUBMOD.BIN/BIN/I386/COREDLL.BIN/ETC/LICENSE.KEYHTTP:///ETC/PUK.KEYGET13CONNECTIONUPGRADEUPGRADEWEBSOCKETUSER-AGENTCURL/5.9SEC-WEBSOCKET-KEYSEC-WEBSOCKET-VERSIONABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890ABCDEFGHIJKLMNOPQRSTUVWXYZMACHINEGUIDSOFTWARE\MICROSOFT\CRYPTOGRAPHYISWOW64PROCESS\GLOBAL??ASWHOOK.DLLKLKBDFLTRTP_PROCESS_MONITOR360SELFPROTECTIONV1.0.3705GETREQUESTEDRUNTIMEINFOGETCORVERSIONCORBINDTORUNTIMECLRCREATEINSTANCEWKSCORBINDTORUNTIMEEXV4.0.30319V2.0.50727MSCOREE.DLL%PCOMMANDLINECURRENTDIRECTORY"%S" %S"%S"CREATEWIN32_PROCESSROOT\CIMV2RUNAS.EXE.EXEDUMPFINDSTRICMPPRINTTOSTRING?.\;@%SCJSONWINREGMESSAGEPACKPRELOADPACKAGE_GFRAMEWORKLOADEDDECRYPT_UTF8SEND_DATAREG_EXPORTGCREADFILEGET_ARCHPS_GETPATHSET_COMMITADD_FILEADD_STREAMPATH_EXISTFILE_EXISTPARSE_PATHFS_SEARCHNAMEFILENAMEFILESIZEHIGHFILESIZELOW%S\%S...%S\*.*
              Source: setup.exe, 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, dllhost.exe, 0000000A.00000003.309829921.00000229C94B5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.309263993.00000229C92C2000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362475431.00000229CB4F1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ASWHOOK.DLL
              Source: dllhost.exe, 0000000A.00000003.309829921.00000229C94B5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.309263993.00000229C92C2000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362475431.00000229CB4F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6EXITPROCESSKERNEL32.DLL/ETC/LICENSE.KEYHTTP:///ETC/PUK.KEYMACHINEGUIDSOFTWARE\MICROSOFT\CRYPTOGRAPHYKLKBDFLTRTP_PROCESS_MONITOR360SELFPROTECTION\GLOBAL??ASWHOOK.DLL/BIN/RUNTIME.EXEGET13CONNECTIONUPGRADEUPGRADEWEBSOCKETUSER-AGENTCURL/5.9SEC-WEBSOCKET-KEYSEC-WEBSOCKET-VERSIONABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890ABCDEFGHIJKLMNOPQRSTUVWXYZRTLGETVERSION%08X.LUA/EXTENSION/%08X.LUA/BIN/I386/STUB.DLL/BIN/AMD64/STUB.DLL/BIN/KEEPASSHAX.DLL/BIN/I386/STUBMOD.BIN/BIN/I386/COREDLL.BIN/BIN/AMD64/COREDLL.BIN/BIN/AMD64/STUBMOD.BIN
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\setup.exeMemory allocated: 24B0000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\setup.exeMemory allocated: 24B0000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\setup.exeMemory allocated: 24B0000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\setup.exeMemory allocated: 24B0000 memory commit | memory reserve | memory write watch
              Source: C:\Windows\System32\dllhost.exeSystem information queried: CurrentTimeZoneInformation
              Source: C:\Users\user\Desktop\setup.exeAPI coverage: 6.9 %
              Source: C:\Users\user\Desktop\setup.exeProcess information queried: ProcessInformation
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004033AD GetSystemInfo,VirtualQuery,IsBadReadPtr,VirtualQuery,0_2_004033AD
              Source: C:\Windows\System32\dllhost.exeCode function: 10_2_00007DF490E6828C FindFirstFileW,FindNextFileW,10_2_00007DF490E6828C
              Source: C:\Windows\System32\dllhost.exeCode function: 10_2_00007DF490E6782C FindFirstFileW,FindNextFileW,FindClose,10_2_00007DF490E6782C
              Source: C:\Windows\System32\dllhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
              Source: C:\Windows\System32\dllhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
              Source: C:\Windows\System32\dllhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
              Source: C:\Windows\System32\dllhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
              Source: C:\Windows\System32\dllhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
              Source: C:\Windows\System32\dllhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
              Source: setup.exe, 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: VMware
              Source: setup.exe, 00000000.00000002.313022935.0000000000B00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLink0c9f}SymbolicLink
              Source: dllhost.exe, 0000000A.00000003.315292448.00000229CAE30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
              Source: setup.exe, 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: dllhost.exe, 0000000A.00000002.363318384.00000229C91A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: setup.exe, 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: VMWARE
              Source: setup.exe, 00000000.00000002.313022935.0000000000B00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinke5d05f0c9f}SymbolicLink
              Source: dllhost.exe, 0000000A.00000003.315292448.00000229CAE30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity
              Source: setup.exe, 00000000.00000002.313022935.0000000000B00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkSymbolicLink
              Source: dllhost.exe, 0000000A.00000002.363318384.00000229C91A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWws\System32\en-US\wshqos.dll.mui

              Anti Debugging

              Source: C:\Users\user\Desktop\setup.exeThread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\setup.exeThread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\setup.exeThread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0040AA72 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0040AA72
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0040AA72 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0040AA72
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0040AA72 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0040AA72
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004035ED IsBadStringPtrA,lstrlenA,IsBadCodePtr,IsBadReadPtr,GetProcessHeap,RtlAllocateHeap,IsBadCodePtr,VirtualProtect,GetModuleHandleA,_memmove,HeapAlloc,InterlockedIncrement,_memmove,_memset,GetProcessHeap,HeapAlloc,HeapFree,_memmove,_memmove,0_2_004035ED
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\setup.exeSystem information queried: KernelDebuggerInformation
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0081092B mov eax, dword ptr fs:[00000030h]0_2_0081092B
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00810D90 mov eax, dword ptr fs:[00000030h]0_2_00810D90
              Source: C:\Users\user\Desktop\setup.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\setup.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\setup.exeProcess queried: DebugFlags
              Source: C:\Users\user\Desktop\setup.exeProcess queried: DebugObjectHandle
              Source: C:\Users\user\Desktop\setup.exeProcess queried: DebugObjectHandle
              Source: C:\Users\user\Desktop\setup.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\setup.exeMemory protected: page execute and read and write | page guard
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00408150 SetUnhandledExceptionFilter,0_2_00408150
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00408173 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00408173
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_008183B7 SetUnhandledExceptionFilter,0_2_008183B7
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_008183DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_008183DA
              Source: C:\Users\user\Desktop\setup.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe
              Source: dllhost.exe, 0000000A.00000003.337454425.00000229CADB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: dllhost.exe, 0000000A.00000003.320564626.00000229CAF50000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.320117522.00000229CADB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GetProgmanWindow
              Source: dllhost.exe, 0000000A.00000003.346097175.00000229C92C3000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.331435099.00000229CADB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WindowOverrideScaleFactorShell_TrayWnd[
              Source: dllhost.exe, 0000000A.00000003.337454425.00000229CADB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ntdll.dllRtlDllShutdownInProgress_p0h.**.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles(x86)%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
              Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: InitialExpandWindows.HistoryVaultRestoreWindows.closewindowWindows.menubarWindows.selectModeWindows.invertselectionWindows.selectnoneWindows.selectallWindows.pastelinkWindows.pasteWindows.includeinlibraryWindows.burnWindows.emailWindows.newfolderrenamerenamepastelinkpastelinkpropertiespropertieslinklinkpastepastecopycopycutcutdeletedeletemswindowsvideomswindowsmusicmailtohttpshttpbingmaps.zpl.xvid.WPL.wmv.wma.wm.wdp.wav.TTS.TS.rwl.rw2.raw.raf.png.pef.pdf.orf.nrw.nef.mts.mpv2.mpa.mp4v.mp4.mp3.mrw.mov.mod.mkv.m4v.m4r.m4a.m3u.m2ts.m2t.kdc.jxr.jpeg.jpe.jfif.html.htm.gif.flac.erf.epub.dib.crw.cr2.bmp.avi.arw.amr.adts.adt.aac.3gpp.3gp.3g2shcond://v2#ControlPanelExistsshcond://v1#AreAppDefaultsRestrictedshcond://v1#IsIrDASupportedshcond://v1#IsMobilityCenterEnabledshcond://v1#IsParentalControlsAvailableshcond://v1#IsProximityProviderAvailableshcond://v1#COMConditionshcond://v2#IsRemoteDesktopshcond://v2#IsProjectionAvailableshcond://v1#IsAuxDisplayConnectedAndAutoWakeEnabledshcond://v1#IsMuiEnabledshcond://v1#IsGlassOnshcond://v1#IsConnectedToInternetshcond://v1#IsTouchAvailableshcond://v1#IsPenAvailableshcond://v1#IsTabletPCshcond://v1#IsServershcond://v1#SkuEqualsshcond://v1#IsOfflineFilesEnabledshcond://v1#IsBrightnessAvailableshcond://v1#IsPresentationSettingsEnabledshcond://v1#IsMobilePCshcond://v1#IsAuxDisplayConnectedshcond://v1#IsUserAdminshcond://v1#IsMachineNotOnDomainAndDomainIsAvailshcond://v1#IsMachineOnDomainshcond://v1#RegkeyExistsshcond://v1#RegvalExistsshcond://v1#RegvalEqualsRateChartOverlayWindowAutoplayHandlerChooserOperationStatusWindowMenuSiteBaseBarExplorerBrowserControlExplorerBrowserNavigationDateRangeControlBooleanCheckMarkControlIconListControlmsctls_netaddressSysDragImageThumbnailControlPropertyControlBaseShell Preview Extension Temporary ParentShell Preview Extension Host PreviewerShell Preview Extension Host Background MsgCalendarHostDropDownRatingsControlSHELLDLL_MVPEditControlViewControlClassTrackContextMenuClassSharePointViewUserEventWindowGroupButtonShellFileSearchControlATL Shell EmbeddingDivWindowMSGlobalFolderOptionsStubProgmanStubWindow32cpShowColorcpColorWOACnslFontPreviewWOACnslWinPreview\Sharepoint\Dropbox\Google Drive\Onedrive -\3D Objects\Music\Videos\Pictures\Pictures\Camera Roll\Documents\Downloads\DesktopParse Internet Dont Escape SpacesDon't Parse RelativePendingRedirectionSyncRootsUserSyncRoots
              Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VerticalScrollBaranimationTileContentsSrcanimationProgressSrcInneranimationProgressDstanimationProgressDstInneranimationTileContentsDstanimationTileContentsSrcInneranimationTileContentsDstInneranimationProgressSrcidOperationTileeltProgressBareltInterruptPaneeltSummaryeltRegularTileHeadereltInterruptDoForAlleltInterruptButtonsContainereltInterruptDescriptioneltItemIconeltInterruptSkipBtneltInterruptCancelBtneltInterruptRetryBtneltInterruptYesBtneltItemNameeltItemPropseltInterruptElevateBtneltInterruptDeleteBtneltInterruptDoForAllLabelidOperationInterruptidTileSubTextshell\shell32\operationstatusmgr.cppeltInterruptOKBtneltInterruptNoBtnConfirmationCheckBoxDoForAllidTileActionIdTileKeepDestIdTileKeepAsWorkIdTileKeepAsPersonalIdTileIgnoreIdTileDecideForEachidItemTileIdTileKeepSourceidTileIconeltConflictInterruptDescriptioneltItemTileContainerKeepSourceTileIconSkipTileIconDecideForEachTileIconCustomCommandIconidConflictInterrupteltInterruptTileHeaderidCustomConflictInterrupteltTimeRemainingeltTile%ueltTileContentseltPauseButtonIdTileDefault%0.2fCHARTVIEWeltRateCharteltCancelButtoneltRegularTileeltScrolleltDetailseltItemsRemainingeltLocationseltConfirmationInterrupteltConflictInterrupteltDisplayModeBtneltDisplayModeBtnFocusHoldereltTileAreaeltProgressBarContainereltDividereltScrollBarFilleridTileHosteltFooterAreaprogmanEnthusiastModeWindows.SystemToast.ExplorerRICHEDIT50WlfItaliclfUnderlinelfStrikeOutlfCharSetSoftware\Microsoft\NotepadlfEscapementlfOrientationlfWeightiPointSizeLucida ConsolelfFaceNamelfOutPrecisionlfClipPrecisionlfQualitylfPitchAndFamily
              Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Local\SM0:%d:%d:%hsShell_TrayWnd_p0hCLSID\Software\Classes\RtlDllShutdownInProgressEtwEventWriteEtwEventEnabledEtwEventUnregisterEtwEventRegisterntdll.dllWilStaging_02NtQuerySystemInformationSecurity-SPP-Reserved-TBLProductKeyTypeshell32-license-ShowProductNameOnDesktopSoftware\Microsoft\Windows NT\CurrentVersion\WindowsDisplayVersionBasebrdWldpCheckRetailConfiguration\Registry\Machine\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3\Registry\Machine\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3BuildLabYOr
              Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROGMANDDEMLMom%c:\%sExplorerDMGFrameGetWorkingDirGetDescriptionProgmanProgmanGetIconsetupPmFrameSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsFoldersGroupsAppPropertiesBWWFrameccInsDDEBACKSCAPEDDEClientWndClassDDEClientStartUpddeClassInstallCA_DDECLASSMake Program Manager GroupMedia RecorderMediaRecorderSender#32770groups
              Source: dllhost.exe, 0000000A.00000003.337454425.00000229CADB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: *Program ManagerpszDesktopTitleW
              Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ConfirmCabinetIDExploreFolderShellFileOpenFindFileViewFolderCreateGroupReplaceItemDeleteItemFindFolderReloadAddItemShowGroupDeleteGroupExitProgman
              Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CountryL1WUSF123r5.inidriverRestartCommandsSoftware\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup/LOADSAVEDWINDOWSNonRudeHWNDDesktopWindowAutoColorizationProgram ManagerpszDesktopTitleWLocal\Microsoft-Windows-DesktopBackground
              Source: dllhost.exe, 0000000A.00000003.320564626.00000229CAF50000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.320117522.00000229CADB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SetProgmanWindow
              Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004054DA cpuid 0_2_004054DA
              Source: C:\Windows\System32\dllhost.exeCode function: 10_2_00007DF490E6B92C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,10_2_00007DF490E6B92C
              Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00407F41 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,0_2_00407F41

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.301383185.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.309263993.00000229C93B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.342727970.00000229CB400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: setup.exe PID: 3152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dllhost.exe PID: 5552, type: MEMORYSTR
Source: dllhost.exe, 0000000A.00000003.309829921.00000229C94B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: framework.parse_path([[%AppData%\Electrum-LTC\config]]),
Source: dllhost.exe, 0000000A.00000003.309263993.00000229C947B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: framework.parse_path([[%AppData%\ElectronCash\config]]),
Source: dllhost.exe, 0000000A.00000003.309263993.00000229C92AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: framework.parse_path([[%AppData%\com.liberty.jaxx]]),
Source: dllhost.exe, 0000000A.00000003.309263993.00000229C92AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: framework.parse_path([[%AppData%\Exodus\exodus.wallet]]),
Source: C:\Windows\System32\dllhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\System32\dllhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
Source: C:\Windows\System32\dllhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\System32\dllhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\System32\dllhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\dllhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\System32\dllhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: Yara match | File source: Process Memory Space: dllhost.exe PID: 5552, type: MEMORYSTR
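The two indicator groups in this section translate directly into a hunt rule: a process that is not a browser opening Chrome's Login Data, Cookies, Web Data, History or Local Storage files, and any process touching the wallet locations named in the framework.parse_path([[...]]) strings (Electrum-LTC, ElectronCash, com.liberty.jaxx, Exodus). The Python below is an added example written for this report, not Joe Sandbox code. It runs that rule over constructed file-open telemetry; the record shape (process image, PID, target path) is an assumption, not any vendor's schema, and the benign rows are invented controls. It rates a Windows system binary such as dllhost.exe reading browser stores higher than an unknown executable doing the same, because a signed system binary has no reason of its own to open those files and dllhost.exe is the process this report shows doing the reading.

```python
"""Hunt rule for stealer-style reads of browser credential stores and
crypto-wallet data, run over file-open telemetry.

Added example for this report, not Joe Sandbox code. The FileOpen record
(process image, PID, target path) is an assumed shape, not a vendor schema;
the sample events below are constructed from the report's "File opened"
and framework.parse_path([[...]]) lines.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Chromium-family profile files that hold credentials, cookies, history and
# site storage. The report shows dllhost.exe opening each of these under
# ...\Google\Chrome\User Data\Default\.
BROWSER_STORE_RE = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser|Chromium)"
    r"\\User Data\\[^\\]+\\"
    r"(?:Login Data|Cookies|Network\\Cookies|Web Data|History|Bookmarks|"
    r"Local Storage\\leveldb\\[^\\]+\.(?:log|ldb))$",
    re.IGNORECASE,
)

# Wallet locations exactly as the stealer's config strings name them, with
# %AppData% expanded to the Roaming profile directory.
WALLET_PATHS = (
    r"\AppData\Roaming\Electrum-LTC\config",
    r"\AppData\Roaming\ElectronCash\config",
    r"\AppData\Roaming\com.liberty.jaxx",
    r"\AppData\Roaming\Exodus\exodus.wallet",
)

# Processes that legitimately own Chromium profile files.
BROWSER_OWNERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Signed Windows binaries that are common injection targets. They never read
# browser profiles on their own, so a hit here is high severity.
SYSTEM_HOSTS = {"dllhost.exe", "svchost.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class FileOpen:
    image: str    # full path of the process that opened the file
    pid: int
    target: str   # path of the file opened


@dataclass(frozen=True)
class Alert:
    pid: int
    image: str
    target: str
    reason: str
    severity: str


def classify(ev: FileOpen) -> Optional[Alert]:
    """Return an Alert for one file-open event, or None if it is benign."""
    proc = ev.image.rsplit("\\", 1)[-1].lower()
    if BROWSER_STORE_RE.search(ev.target):
        if proc in BROWSER_OWNERS:
            return None                      # the browser reading its own profile
        sev = "high" if proc in SYSTEM_HOSTS else "medium"
        return Alert(ev.pid, ev.image, ev.target,
                     "browser credential/cookie store read by non-browser", sev)
    low = ev.target.lower()
    if any(w.lower() in low for w in WALLET_PATHS):
        return Alert(ev.pid, ev.image, ev.target, "crypto-wallet data accessed", "high")
    return None


def hunt(events: List[FileOpen]) -> List[Alert]:
    """Run classify over a batch and keep only the hits."""
    return [a for a in map(classify, events) if a is not None]


def by_process(alerts: List[Alert]) -> Counter:
    """Collapse alerts to (pid, image) -> hit count: one process touching
    many stores in a row is the stealer, a single hit may be a false positive."""
    return Counter((a.pid, a.image) for a in alerts)


CHROME = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
DLLHOST = r"C:\Windows\System32\dllhost.exe"

# Constructed telemetry; PIDs and paths mirror the report, the benign rows
# (chrome.exe, explorer.exe) are invented controls.
SAMPLE = [
    FileOpen(DLLHOST, 5552, CHROME + r"\Login Data"),
    FileOpen(DLLHOST, 5552, CHROME + r"\Network\Cookies"),
    FileOpen(DLLHOST, 5552, CHROME + r"\Local Storage\leveldb\000003.log"),
    FileOpen(r"C:\Program Files\Google\Chrome\Application\chrome.exe", 4120, CHROME + r"\Login Data"),
    FileOpen(DLLHOST, 5552, r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    FileOpen(r"C:\Windows\explorer.exe", 3980, r"C:\Users\user\Documents\notes.txt"),
    FileOpen(r"C:\Users\user\Desktop\setup.exe", 3152, CHROME + r"\History"),
]

if __name__ == "__main__":
    for a in hunt(SAMPLE):
        print(f"[{a.severity}] pid={a.pid} {a.image} -> {a.target}: {a.reason}")
    print(by_process(hunt(SAMPLE)))
```

The chrome.exe row is the reason the owner allow-list exists: without it every browser start would fire. The by_process view is what to look at first; in this sample dllhost.exe PID 5552 accounts for four of the five hits, which matches the sequence of "File opened" events above.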

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.301383185.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.309263993.00000229C93B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.342727970.00000229CB400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: setup.exe PID: 3152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dllhost.exe PID: 5552, type: MEMORYSTR
Source: C:\Windows\System32\dllhost.exe | Code function: 10_2_00007DF490E6B92C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 10_2_00007DF490E6B92C
ATT&CK techniques by tactic (the digits preceding some technique names are carried over from the report's matrix cells as extracted):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; 1 Native API; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: 13 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: 13 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 13 Process Injection; 2 Obfuscated Files or Information; 22 Software Packing; Steganography
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 11 System Time Discovery; 251 Security Software Discovery; 13 Virtualization/Sandbox Evasion; 2 Process Discovery; 2 File and Directory Discovery; 23 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 21 Input Capture; 1 Archive Collected Data; 2 Data from Local System; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: 2 Encrypted Channel; 1 Application Layer Protocol; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

Source | Detection | Scanner | Label
setup.exe | 42% | Virustotal |
setup.exe | 62% | ReversingLabs | Win32.Trojan.RedLine
setup.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.2.setup.exe.810e67.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.3.setup.exe.840000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
No Antivirus matches
Source | Detection | Scanner | Label
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class3.crl0 | 0% | URL Reputation | safe
http://www.e-me.lv/repository0 | 0% | URL Reputation | safe
http://www.acabogacia.org/doc0 | 0% | URL Reputation | safe
http://www.acabogacia.org/doc0 | 0% | URL Reputation | safe
http://crl.chambersign.org/chambersroot.crl0 | 0% | URL Reputation | safe
http://ocsp.suscerte.gob.ve0 | 0% | URL Reputation | safe
http://www.postsignum.cz/crl/psrootqca2.crl02 | 0% | URL Reputation | safe
http://crl.dhimyotis.com/certignarootca.crl0 | 0% | URL Reputation | safe
http://www.chambersign.org1 | 0% | URL Reputation | safe
http://www.pkioverheid.nl/policies/root-policy0 | 0% | URL Reputation | safe
http://www.suscerte.gob.ve/lcr0# | 0% | URL Reputation | safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0 | 0% | URL Reputation | safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0 | 0% | URL Reputation | safe
http://crl.ssc.lt/root-c/cacrl.crl0 | 0% | URL Reputation | safe
http://crl.ssc.lt/root-c/cacrl.crl0 | 0% | URL Reputation | safe
http://postsignum.ttc.cz/crl/psrootqca2.crl0 | 0% | URL Reputation | safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | 0% | URL Reputation | safe
http://ca.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe
http://ca.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0 | 0% | URL Reputation | safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0 | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class3P.crl0 | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class3P.crl0 | 0% | URL Reputation | safe
http://www.suscerte.gob.ve/dpc0 | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class2.crl0 | 0% | URL Reputation | safe
http://www.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe
http://www.defence.gov.au/pki0 | 0% | URL Reputation | safe
http://www.sk.ee/cps/0 | 0% | URL Reputation | safe
http://policy.camerfirma.com0 | 0% | URL Reputation | safe
http://www.ssc.lt/cps03 | 0% | URL Reputation | safe
http://ocsp.pki.gva.es0 | 0% | URL Reputation | safe
https://discord.com | 0% | URL Reputation | safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0? | 0% | URL Reputation | safe
http://ca.mtin.es/mtin/ocsp0 | 0% | URL Reputation | safe
http://crl.ssc.lt/root-b/cacrl.crl0 | 0% | URL Reputation | safe
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0 | 0% | URL Reputation | safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G | 0% | URL Reputation | safe
https://wwww.certigna.fr/autorites/0m | 0% | URL Reputation | safe
http://www.dnie.es/dpc0 | 0% | URL Reputation | safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0 | 0% | URL Reputation | safe
http://ca.mtin.es/mtin/DPCyPoliticas0 | 0% | URL Reputation | safe
http://www.globaltrust.info0 | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class3TS.crl0 | 0% | URL Reputation | safe
http://ac.economia.gob.mx/last.crl0G | 0% | URL Reputation | safe
https://www.catcert.net/verarrel | 0% | URL Reputation | safe
http://www.disig.sk/ca0f | 0% | URL Reputation | safe
http://www.sk.ee/juur/crl/0 | 0% | URL Reputation | safe
http://crl.chambersign.org/chambersignroot.crl0 | 0% | URL Reputation | safe
http://crl.xrampsecurity.com/XGCA.crl0 | 0% | URL Reputation | safe
http://certs.oati.net/repository/OATICA2.crl0 | 0% | URL Reputation | safe
http://crl.oces.trust2408.com/oces.crl0 | 0% | URL Reputation | safe
http://www.quovadis.bm0 | 0% | URL Reputation | safe
http://crl.ssc.lt/root-a/cacrl.crl0 | 0% | URL Reputation | safe
http://certs.oaticerts.com/repository/OATICA2.crl | 0% | URL Reputation | safe
http://www.trustdst.com/certificates/policy/ACES-index.html0 | 0% | URL Reputation | safe
http://certs.oati.net/repository/OATICA2.crt0 | 0% | URL Reputation | safe
http://www.accv.es00 | 0% | URL Reputation | safe
http://www.pkioverheid.nl/policies/root-policy-G20 | 0% | URL Reputation | safe
https://www.netlock.net/docs | 0% | URL Reputation | safe
http://www.e-trust.be/CPS/QNcerts | 0% | URL Reputation | safe
http://ocsp.ncdc.gov.sa0 | 0% | URL Reputation | safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0 | 0% | URL Reputation | safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0 | 0% | URL Reputation | safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl | 0% | URL Reputation | safe
http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0; | 0% | URL Reputation | safe
https://repository.luxtrust.lu0 | 0% | URL Reputation | safe
http://www.globaltrust.info0= | 0% | Avira URL Cloud | safe
http:///etc/puk.keyMachineGuidSOFTWARE | 0% | Avira URL Cloud | safe
https://support.google.com-_https://support.google.com | 0% | Avira URL Cloud | safe
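Almost every row in this table is a CRL distribution point, OCSP responder or CPS pointer, all rated safe, and the URL table further down shows each one was carved from a dllhost.exe memory region rather than observed on the wire. The trailing "0", "02", "0G", "0;" fragments are characteristic of string extraction running past a URI inside an X.509 extension into the next DER element: a SEQUENCE tag is 0x30, which prints as "0", and its one-byte length often prints as well. The Python below is an added example, not Joe Sandbox tooling, that strips that residue and sorts carved URLs into certificate-infrastructure noise versus the handful of entries worth an analyst's attention (here "https://discord.com" and the malformed "http:///etc/puk.keyMachineGuidSOFTWARE"). The keyword list, the three bin names and the ten-row input copied from the table are this example's own choices.

```python
"""Triage URLs carved from process memory: strip DER residue, then bin.

Added example for this report, not Joe Sandbox tooling. The input list is
ten rows of the report's URL reputation table copied as extracted; the
classification keywords and bin names are an assumption of this example.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# A URI carved out of an X.509 extension (CRL distribution point, AIA, CPS
# pointer) often runs on into the next DER element. A SEQUENCE tag is 0x30,
# which prints as '0', and its length byte frequently prints as well, which
# is where suffixes like "crl0", "crl02", "pdf0G", "crl0;" come from.
# Heuristic: a genuine URL ending in "0" plus one character (".../v10") would
# be over-trimmed, so review the normalized form before acting on it.
_DER_TAIL = re.compile(r"0[\x20-\x7e]?$")

# Substrings that mark certificate-infrastructure endpoints embedded in a
# trust store (assumed list; extend as the corpus shows new patterns).
_INFRA_WORDS = ("crl", "ocsp", "cps", "dpc", "pki", "repository",
                "policy", "policies", "cert", "lcr")


def normalize(raw: str) -> str:
    """Strip a trailing DER SEQUENCE tag (and its length byte) from a carved URL."""
    return _DER_TAIL.sub("", raw)


def bin_url(url: str) -> str:
    """Return 'malformed', 'cert-infra' or 'review' for an already normalized URL."""
    if url.count("://") != 1 or not urlsplit(url).hostname:
        return "malformed"          # "http:///etc/..." or two URLs fused together
    if any(w in url.lower() for w in _INFRA_WORDS):
        return "cert-infra"         # CRL/OCSP/CPS pointers from embedded CA certificates
    return "review"                 # everything else is what an analyst should look at


def triage(raws: List[str]) -> List[Tuple[str, str, str]]:
    """(raw, normalized, bin) for each carved URL, in input order."""
    out = []
    for raw in raws:
        url = normalize(raw)
        out.append((raw, url, bin_url(url)))
    return out


def summary(raws: List[str]) -> Dict[str, int]:
    """Bin -> count, the one-line answer to 'is there anything here?'."""
    return dict(Counter(b for _, _, b in triage(raws)))


# Ten rows lifted from the report's URL reputation table, as extracted.
RAW = [
    "http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0",
    "http://www.postsignum.cz/crl/psrootqca2.crl02",
    "http://ocsp.suscerte.gob.ve0",
    "http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?",
    "http://www.sk.ee/juur/crl/0",
    "http://www.globaltrust.info0=",
    "https://discord.com",
    "http:///etc/puk.keyMachineGuidSOFTWARE",
    "https://support.google.com-_https://support.google.com",
    "http://www.e-trust.be/CPS/QNcerts",
]

if __name__ == "__main__":
    for raw, url, b in triage(RAW):
        print(f"{b:<11} {url}" + (f"   (was {raw})" if url != raw else ""))
    print(summary(RAW))
```

On the ten rows above this yields six cert-infra entries, two malformed strings and two for review. The "review" bin is deliberately small and still needs eyes: a CA home page such as globaltrust.info lands there because it carries none of the keywords, and that is preferable to a keyword list so broad that a real C2 host slips into the noise bin.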
              No contacted domains info
              NameSourceMaliciousAntivirus DetectionReputation
              https://duckduckgo.com/chrome_newtabdllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmpfalse
                high
                http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.certplus.com/CRL/class3.crl0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.e-me.lv/repository0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                https://duckduckgo.com/ac/?q=dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmpfalse
                  high
                  http://www.acabogacia.org/doc0dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  unknown
                  http://crl.chambersign.org/chambersroot.crl0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://ocsp.suscerte.gob.ve0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.postsignum.cz/crl/psrootqca2.crl02dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://support.google.comdllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmpfalse
                    high
                    http://crl.dhimyotis.com/certignarootca.crl0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                      high
                      https://discordapp.comdllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.googledllhost.exe, 0000000A.00000003.346428768.00000229C9302000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346524117.00000229C92EF000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          http://www.chambersign.org1dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.pkioverheid.nl/policies/root-policy0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://repository.swisssign.com/0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                            high
                            https://support.google.com/chrome?p=update_errorFixdllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              http://www.suscerte.gob.ve/lcr0#dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://crl.ssc.lt/root-c/cacrl.crl0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://postsignum.ttc.cz/crl/psrootqca2.crl0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://support.google.com/chrome/answer/6315198?product=dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmpfalse
                                high
                                http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crldllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://ca.disig.sk/ca/crl/ca_disig.crl0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.certplus.com/CRL/class3P.crl0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://www.google.comdllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  http://www.suscerte.gob.ve/dpc0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.certeurope.fr/reference/root2.crl0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                    high
                                    http://www.certplus.com/CRL/class2.crl0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.disig.sk/ca/crl/ca_disig.crl0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowsdllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                        high
                                        http://www.defence.gov.au/pki0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.sk.ee/cps/0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.globaltrust.info0=dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        low
                                        http://www.anf.esdllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                          high
                                          http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                            high
                                            https://support.google.com/chrome?p=update_errordllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346532064.00000229C92E8000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              http://pki.registradores.org/normativa/index.htm0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                                high
                                                http://policy.camerfirma.com0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.ssc.lt/cps03dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://www.google.com/intl/en_uk/chrome/Googledllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  http://ocsp.pki.gva.es0dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.anf.es/es/address-direccion.htmldllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmpfalse
                                                    high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.anf.es/address/)1(0& | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false |  | high
https://discord.com | dllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0? | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/search?q=chrome&oq=chrome&aqs=chrome..69i57j0j5l3j69i60l3.2663j0j4&sourceid=c | dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http:///etc/puk.keyMachineGuidSOFTWARE | dllhost.exe, 0000000A.00000003.309829921.00000229C94B5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.309263993.00000229C92C2000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362475431.00000229CB4F1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://ca.mtin.es/mtin/ocsp0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ssc.lt/root-b/cacrl.crl0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com/dpc/0Z | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false |  | high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.pki.wellsfargo.com/wsprca.crl0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false |  | high
https://wwww.certigna.fr/autorites/0m | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.dnie.es/dpc0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ca.mtin.es/mtin/DPCyPoliticas0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://support.google.com-_https://support.google.com | dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://www.anf.es/AC/ANFServerCA.crl0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false |  | high
http://www.globaltrust.info0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://certificates.starfieldtech.com/repository/1604 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false |  | high
http://acedicom.edicomgroup.com/doc0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false |  | high
http://www.certplus.com/CRL/class3TS.crl0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://crl.anf.es/AC/ANFServerCA.crl0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false |  | high
https://www.google.com/intl/en_uk/chrome/st_vi | dllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://www.certeurope.fr/reference/pc-root2.pdf0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false |  | high
http://ac.economia.gob.mx/last.crl0G | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.catcert.net/verarrel | dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.disig.sk/ca0f | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false |  | high
http://www.e-szigno.hu/RootCA.crl | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false |  | high
http://www.sk.ee/juur/crl/0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.chambersign.org/chambersignroot.crl0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.xrampsecurity.com/XGCA.crl0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://certs.oati.net/repository/OATICA2.crl0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.oces.trust2408.com/oces.crl0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.quovadis.bm0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://eca.hinet.net/repository0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false |  | high
http://crl.ssc.lt/root-a/cacrl.crl0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://certs.oaticerts.com/repository/OATICA2.crl | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://certs.oati.net/repository/OATICA2.crt0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.accv.es00 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.pkioverheid.nl/policies/root-policy-G20 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.netlock.net/docs | dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false |  | high
http://www.e-trust.be/CPS/QNcerts | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.ncdc.gov.sa0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://web.ncdc.gov.sa/crl/nrcaparta1.crl | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.datev.de/zertifikat-policy-int0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false |  | high
http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0; | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://repository.luxtrust.lu0 | dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox Version:37.0.0 Beryl
Analysis ID:831887
Start date and time:2023-03-22 02:43:34 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 43s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:13
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample file name:setup.exe
Detection:MAL
Classification:mal100.rans.troj.spyw.evad.winEXE@3/0@0/0
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 46.7% (good quality ratio 42.5%)
• Quality average: 82.1%
• Quality standard deviation: 30.7%
HCA Information:
• Successful, ratio: 66%
• Number of executed functions: 38
• Number of non-executed functions: 30
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 179.43.154.216
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, catalog.s.download.windowsupdate.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.685021149385796
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:setup.exe
File size:391680
MD5:4b1b8d826af29ffedb77d48e34ce9494
SHA1:c90c4aad5975c0be4a2c25240367874af1218c6a
SHA256:9e068da322450ae34e33254c3bd919c1a38c5387f10f99ce4305bc63452acea6
SHA512:2ff97a031bcae8b0f7fa49cc877e9377054928e36420c952767740d8625e3ba92ef5a72af232f56f597c8491ea0030faa7bc42ad5afed958e49a34873ced2a4c
SSDEEP:6144:06fBLWLRZHJ89DSqbbMyA3MQZkqo56vffqzgMcWML0pWYGQ:06fBa9H89DSQbv+MQZkP43qpcGWYV
TLSH:1B84F74382A23D45EA258B739F1FC6FCB60DF2709E497B6532199E6B14B06B3C263711
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................\.......M.......[......`................R.......L.......I.....Rich....................PE..L......b...........
Icon Hash:a4a4a49484aca4e2
Entrypoint:0x40494f
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x62B59A9A [Fri Jun 24 11:06:02 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:a1987c4dfef703391c65547d45eb7acc
Instruction
call 00007F6C5CA56E2Dh
jmp 00007F6C5CA52E6Eh
int3
int3
int3
int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      call 00007F6C5CA5302Ch
                                                                                      xchg cl, ch
                                                                                      jmp 00007F6C5CA53014h
                                                                                      call 00007F6C5CA53023h
                                                                                      fxch st(0), st(1)
                                                                                      jmp 00007F6C5CA5300Bh
                                                                                      fabs
                                                                                      fld1
                                                                                      mov ch, cl
                                                                                      xor cl, cl
                                                                                      jmp 00007F6C5CA53001h
                                                                                      mov byte ptr [ebp-00000090h], FFFFFFFEh
                                                                                      fabs
                                                                                      fxch st(0), st(1)
                                                                                      fabs
                                                                                      fxch st(0), st(1)
                                                                                      fpatan
                                                                                      or cl, cl
                                                                                      je 00007F6C5CA52FF6h
                                                                                      fldpi
                                                                                      fsubrp st(1), st(0)
                                                                                      or ch, ch
                                                                                      je 00007F6C5CA52FF4h
                                                                                      fchs
                                                                                      ret
                                                                                      fabs
                                                                                      fld st(0), st(0)
                                                                                      fld st(0), st(0)
                                                                                      fld1
                                                                                      fsubrp st(1), st(0)
                                                                                      fxch st(0), st(1)
                                                                                      fld1
                                                                                      faddp st(1), st(0)
                                                                                      fmulp st(1), st(0)
                                                                                      ftst
                                                                                      wait
                                                                                      fstsw word ptr [ebp-000000A0h]
                                                                                      wait
                                                                                      test byte ptr [ebp-0000009Fh], 00000001h
                                                                                      jne 00007F6C5CA52FF7h
                                                                                      xor ch, ch
                                                                                      fsqrt
                                                                                      ret
                                                                                      pop eax
                                                                                      jmp 00007F6C5CA56FFFh
                                                                                      fstp st(0)
                                                                                      fld tbyte ptr [0043933Ah]
                                                                                      ret
                                                                                      fstp st(0)
                                                                                      or cl, cl
                                                                                      je 00007F6C5CA52FFDh
                                                                                      fstp st(0)
                                                                                      fldpi
                                                                                      or ch, ch
                                                                                      je 00007F6C5CA52FF4h
                                                                                      fchs
                                                                                      ret
                                                                                      fstp st(0)
                                                                                      fldz
                                                                                      or ch, ch
                                                                                      je 00007F6C5CA52FE9h
                                                                                      fchs
                                                                                      ret
                                                                                      fstp st(0)
                                                                                      jmp 00007F6C5CA56FD5h
                                                                                      fstp st(0)
                                                                                      mov cl, ch
                                                                                      jmp 00007F6C5CA52FF2h
                                                                                      call 00007F6C5CA52FBEh
                                                                                      jmp 00007F6C5CA56FE0h
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      add esp, 0000FD30h
                                                                                      Programming Language:
                                                                                      • [C++] VS2008 build 21022
                                                                                      • [ASM] VS2008 build 21022
                                                                                      • [ C ] VS2008 build 21022
                                                                                      • [IMP] VS2005 build 50727
                                                                                      • [RES] VS2008 build 21022
                                                                                      • [LNK] VS2008 build 21022

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x37830          0x50          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2fc000         0x21f50       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x31e000         0xc38         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x11f0           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x3000           0x40          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x1a0         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
.text   0x1000           0x371a6       0x37200   False     0.8542818168934241   data       7.756451536968294  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   0x39000          0x2c2df8      0x2c00    unknown   unknown              unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x2fc000         0x21f50       0x22000   False     0.37500718060661764  data       4.152645454972247  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x31e000         0x365a        0x3800    False     0.18819754464285715  data       2.121027053999131  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name           RVA       Size    Type                                                           Language  Country
RT_ICON        0x2fc960  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0   Spanish   Mexico
RT_ICON        0x2fd808  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0   Spanish   Mexico
RT_ICON        0x2fe0b0  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0  Spanish   Mexico
RT_ICON        0x300658  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0  Spanish   Mexico
RT_ICON        0x301700  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0  Spanish   Mexico
RT_ICON        0x301bb8  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0   Spanish   Mexico
RT_ICON        0x302280  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0  Spanish   Mexico
RT_ICON        0x304828  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0  Spanish   Mexico
RT_ICON        0x304cc0  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0   Spanish   Mexico
RT_ICON        0x305b68  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0   Spanish   Mexico
RT_ICON        0x306410  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0   Spanish   Mexico
RT_ICON        0x306978  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0  Spanish   Mexico
RT_ICON        0x308f20  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0  Spanish   Mexico
RT_ICON        0x309fc8  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0  Spanish   Mexico
RT_ICON        0x30a950  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0  Spanish   Mexico
RT_ICON        0x30ae20  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0   Spanish   Mexico
RT_ICON        0x30bcc8  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0   Spanish   Mexico
RT_ICON        0x30c570  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0   Spanish   Mexico
RT_ICON        0x30cc38  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0   Spanish   Mexico
RT_ICON        0x30d1a0  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0  Spanish   Mexico
RT_ICON        0x30f748  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0  Spanish   Mexico
RT_ICON        0x3107f0  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0  Spanish   Mexico
RT_ICON        0x310cc0  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0   Spanish   Mexico
RT_ICON        0x311b68  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0   Spanish   Mexico
RT_ICON        0x312410  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0   Spanish   Mexico
RT_ICON        0x312978  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0  Spanish   Mexico
RT_ICON        0x314f20  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0  Spanish   Mexico
RT_ICON        0x315fc8  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0  Spanish   Mexico
RT_ICON        0x316950  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0  Spanish   Mexico
RT_ICON        0x316e20  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0   Spanish   Mexico
RT_ICON        0x317cc8  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0   Spanish   Mexico
RT_ICON        0x318570  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0   Spanish   Mexico
RT_ICON        0x318c38  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0   Spanish   Mexico
RT_ICON        0x3191a0  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0  Spanish   Mexico
RT_ICON        0x31b748  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0  Spanish   Mexico
RT_ICON        0x31c7f0  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0  Spanish   Mexico
RT_ICON        0x31d178  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0  Spanish   Mexico
RT_DIALOG      0x31d838  0x8a    data
RT_STRING      0x31d8c8  0x25a   data
RT_STRING      0x31db28  0x428   data
RT_GROUP_ICON  0x316db8  0x68    data                                                           Spanish   Mexico
RT_GROUP_ICON  0x301b68  0x4c    data                                                           Spanish   Mexico
RT_GROUP_ICON  0x310c58  0x68    data                                                           Spanish   Mexico
RT_GROUP_ICON  0x304c90  0x30    data                                                           Spanish   Mexico
RT_GROUP_ICON  0x30adb8  0x68    data                                                           Spanish   Mexico
RT_GROUP_ICON  0x31d5e0  0x76    data                                                           Spanish   Mexico
RT_VERSION     0x31d658  0x1dc   data

DLL           Import
KERNEL32.dll  GetNumaProcessorNode, lstrcpynA, CallNamedPipeA, GetLogicalDriveStringsW, GlobalSize, SetDefaultCommConfigW, WaitForSingleObjectEx, LoadLibraryW, GetConsoleMode, GetWriteWatch, GetFileAttributesW, GetCompressedFileSizeA, GetConsoleAliasesW, GetLastError, ChangeTimerQueueTimer, GetProcAddress, VirtualAlloc, FindVolumeClose, CreateMemoryResourceNotification, WriteConsoleA, LocalAlloc, CreateHardLinkW, BeginUpdateResourceA, FoldStringA, FreeEnvironmentStringsW, GlobalAddAtomW, GetPrivateProfileSectionW, InterlockedPushEntrySList, FlushFileBuffers, CloseHandle, CreateFileA, HeapSize, EnumSystemCodePagesW, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapReAlloc, MultiByteToWideChar, RtlUnwind, LoadLibraryA, InitializeCriticalSectionAndSpinCount, GetModuleHandleA, RaiseException, SetStdHandle, GetConsoleOutputCP, WriteConsoleW, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA
USER32.dll    ClientToScreen, GetKeyState, LoadMenuA, MessageBoxIndirectA, GetClassNameW, GetListBoxInfo, GetCaretPos, SetScrollInfo
GDI32.dll     GetCharWidthI

Language of compilation system  Country where language is spoken
Spanish                         Mexico
                                                                                      Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

                                                                                      Target ID:0
                                                                                      Start time:02:44:30
                                                                                      Start date:22/03/2023
                                                                                      Path:C:\Users\user\Desktop\setup.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\Desktop\setup.exe
                                                                                      Imagebase:0x400000
                                                                                      File size:391680 bytes
                                                                                      MD5 hash:4B1B8D826AF29FFEDB77D48E34CE9494
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.312786751.000000000096E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000003.301383185.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000000.00000003.301383185.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      Target ID:10
                                                                                      Start time:02:44:56
                                                                                      Start date:22/03/2023
                                                                                      Path:C:\Windows\System32\dllhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\dllhost.exe
                                                                                      Imagebase:0x7ff769260000
                                                                                      File size:20888 bytes
                                                                                      MD5 hash:2528137C6745C4EADD87817A1909677E
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.313327371.00000229CABB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.309263993.00000229C93B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.342727970.00000229CB400000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.315292448.00000229CAE30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:high


Execution Graph

Execution Coverage:2.5%
Dynamic/Decrypted Code Coverage:16.8%
Signature Coverage:6.6%
Total number of Nodes:996
Total number of Limit Nodes:25
execution_graph: the interactive graph (996 nodes, 25 limit nodes) survives extraction only as a flat, truncated node/edge dump and is not reproduced here. Recoverable from the dump: a root node at 0x405147 whose descendants carry CRT symbol labels (___lock_fhandle, __RTC_Initialize, __ioinit0, _parse_cmdline, __initterm, __NMSG_WRITE, __invoke_watson, _LocaleUpdate::_LocaleUpdate, _strtok, _memset, _memmove), a second root at 0x810920 (TerminateProcess, GetPEB) and a third at 0x4035ed.
Windows APIs resolved in the graph: HeapCreate, HeapAlloc, HeapReAlloc, HeapSize, HeapFree, HeapDestroy, GetProcessHeap, RtlAllocateHeap, RtlFreeHeap, VirtualProtect, GetProcAddress, GetModuleHandleA, GetModuleHandleW, GetModuleHandleExW, LoadLibraryW, LoadLibraryExW, IsDebuggerPresent, OutputDebugStringW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsBadCodePtr, IsBadReadPtr, IsBadStringPtrA, CreateIoCompletionPort, GetQueuedCompletionStatus, FindCloseChangeNotification, GetTickCount, GetTickCount64, QueryPerformanceCounter, GetSystemTimeAsFileTime, EncodePointer, DecodePointer, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetStringTypeW, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoW, GetModuleFileNameA, GetModuleFileNameW, GetStdHandle, WriteFile, lstrlenA, Sleep, GetLastError, SetLastError, GetCurrentThreadId, GetCurrentProcess, ExitProcess, TerminateProcess, GetPEB.
4049d5 13089->13090 13139 40479a 13090->13139 13094 401016 13093->13094 13095 40104e 13093->13095 13094->13095 13096 401044 HeapAlloc 13094->13096 13097 401037 HeapReAlloc 13094->13097 13095->13072 13096->13095 13097->13095 13099 4010ab HeapFree 13098->13099 13102 40106e 13098->13102 13099->13057 13100 4010a1 HeapFree 13100->13099 13101 401091 HeapFree 13101->13102 13102->13099 13102->13100 13102->13101 13103 40109e 13102->13103 13103->13100 13105 40474e 13104->13105 13106 40475f 13104->13106 13105->13077 13109 404671 13106->13109 13110 404599 _LocaleUpdate::_LocaleUpdate 78 API calls 13109->13110 13111 404682 13110->13111 13113 404699 13111->13113 13114 40657e 13111->13114 13113->13077 13115 404599 _LocaleUpdate::_LocaleUpdate 78 API calls 13114->13115 13116 406590 13115->13116 13120 40659d 13116->13120 13121 408f8f 13116->13121 13119 409bb8 ___crtGetStringTypeW 81 API calls 13119->13120 13120->13113 13122 404599 _LocaleUpdate::_LocaleUpdate 78 API calls 13121->13122 13123 4065c1 13122->13123 13123->13119 13127 405755 IsProcessorFeaturePresent 13124->13127 13128 405769 13127->13128 13131 405613 IsDebuggerPresent 13128->13131 13132 405628 ___raise_securityfailure 13131->13132 13137 408173 SetUnhandledExceptionFilter UnhandledExceptionFilter 13132->13137 13134 405630 ___raise_securityfailure 13138 40815e GetCurrentProcess TerminateProcess 13134->13138 13136 404598 13137->13134 13138->13136 13140 404599 _LocaleUpdate::_LocaleUpdate 78 API calls 13139->13140 13143 4047ab 13140->13143 13141 4047d2 13142 405486 __get_osfhandle 68 API calls 13141->13142 13144 4047d7 13142->13144 13143->13141 13147 4047e7 13143->13147 13145 405417 __get_osfhandle 7 API calls 13144->13145 13150 4047e2 13145->13150 13146 40657e __isctype_l 81 API calls 13146->13147 13147->13146 13149 40482a 13147->13149 13148 405486 __get_osfhandle 68 API calls 13148->13150 13149->13148 13149->13150 13150->13072 13010 81003c 13011 810049 13010->13011 13023 810e0f SetErrorMode SetErrorMode 13011->13023 13016 
810265 13017 8102ce VirtualProtect 13016->13017 13019 81030b 13017->13019 13018 810439 VirtualFree 13022 8104be LoadLibraryA 13018->13022 13019->13018 13021 8108c7 13022->13021 13024 810223 13023->13024 13025 810d90 13024->13025 13026 810dad 13025->13026 13027 810dbb GetPEB 13026->13027 13028 810238 VirtualAlloc 13026->13028 13027->13028 13028->13016 13151 4033ad 13152 4033c3 13151->13152 13158 40348c 13151->13158 13160 401d90 13152->13160 13154 4033f2 13155 403426 GetSystemInfo VirtualQuery 13154->13155 13154->13158 13155->13158 13159 403448 13155->13159 13156 40345d IsBadReadPtr 13157 40346f VirtualQuery 13156->13157 13156->13159 13157->13158 13157->13159 13159->13156 13159->13157 13159->13158 13161 40206f 13160->13161 13164 401da6 13160->13164 13161->13154 13162 402062 13171 401d24 13162->13171 13164->13161 13164->13162 13165 401eb7 HeapAlloc 13164->13165 13165->13162 13167 401edd _memset _memmove 13165->13167 13166 401f20 HeapAlloc 13168 401f4e HeapAlloc 13166->13168 13170 401f7c _memmove 13166->13170 13167->13166 13167->13167 13168->13162 13168->13170 13169 402114 13169->13161 13170->13162 13170->13169 13172 401d30 13171->13172 13173 401d39 13171->13173 13172->13161 13174 401d40 HeapFree 13173->13174 13175 401d55 13173->13175 13174->13175 13176 401d71 13175->13176 13177 401d5c RtlFreeHeap 13175->13177 13176->13172 13178 401d78 HeapFree 13176->13178 13177->13176 13178->13172

                                                                                        Control-flow Graph

                                                                                        C-Code - Quality: 72%
                                                                                        			E004035ED() {
                                                                                        				signed int _t193;
                                                                                        				void* _t214;
                                                                                        				signed int* _t217;
                                                                                        				long* _t221;
                                                                                        
                                                                                        				_t217 = _t221[0xa];
                                                                                        				_t193 =  !( *_t217) + 0xc;
                                                                                        				if(_t193 > 0xb) {
                                                                                        					L82:
                                                                                        					 *_t221 = 0;
                                                                                        					L96:
                                                                                        					return  *_t221;
                                                                                        				}
                                                                                        				_t214 =  *(_t221[9]);
                                                                                        				switch( *((intOrPtr*)(_t193 * 4 +  &M0040E3D0))) {
                                                                                        					case 0:
                                                                                        						 *_t221 = 0;
                                                                                        						_t195 = _t217[1];
                                                                                        						if(_t195 > 7) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						 *_t221 = 0;
                                                                                        						_t205 = 0;
                                                                                        						if(_t195 <= 0) {
                                                                                        							L68:
                                                                                        							__eflags = _t205 - _t195;
                                                                                        							if(_t205 != _t195) {
                                                                                        								goto L96;
                                                                                        							}
                                                                                        							L69:
                                                                                        							_t197 = HeapAlloc(GetProcessHeap(), 8, 0x1c + _t195 * 8);
                                                                                        							if(_t197 == 0) {
                                                                                        								goto L82;
                                                                                        							}
                                                                                        							_t216 = _t197;
                                                                                        							 *_t221 = 0;
                                                                                        							if(_t217[1] <= 0 || _t221[9] == 0) {
                                                                                        								L76:
                                                                                        								_t206 =  *(_t214 + 0x58);
                                                                                        								 *_t216 = _t206;
                                                                                        								 *(_t206 + 4) = _t216;
                                                                                        								 *((intOrPtr*)(_t216 + 4)) = _t214 + 0x58;
                                                                                        								 *(_t214 + 0x58) = _t216;
                                                                                        								goto L96;
                                                                                        							} else {
                                                                                        								_t204 = 0;
                                                                                        								while(1) {
                                                                                        									_t211 =  *(_t217 + 8 + _t204 * 4);
                                                                                        									if( *(_t217 + 8 + _t204 * 4) == 0) {
                                                                                        										goto L76;
                                                                                        									}
                                                                                        									_t200 =  *((intOrPtr*)(_t221[9] + 0x14));
                                                                                        									if( *((intOrPtr*)(_t221[9] + 0x14)) == 0) {
                                                                                        										goto L76;
                                                                                        									}
                                                                                        									 *(_t216 + 0xc) =  *(_t216 + 0xc) | 1 << _t204;
                                                                                        									_t217 = _t221[0xa];
                                                                                        									_t209 =  *(_t216 + 0x10);
                                                                                        									 *(_t216 + 0x10) = _t209 + 1;
                                                                                        									_t140 = _t209 * 8; // 0x14
                                                                                        									E004010B0( *((intOrPtr*)(_t214 + 0xa4)), _t216 + _t140 + 0x14, _t200 + (_t211 &  *(_t221[9] + 0x18)));
                                                                                        									_t221 =  &(_t221[3]);
                                                                                        									_t204 = _t204 + 1;
                                                                                        									if(_t204 < _t217[1]) {
                                                                                        										continue;
                                                                                        									}
                                                                                        									goto L76;
                                                                                        								}
                                                                                        								goto L76;
                                                                                        							}
                                                                                        						}
                                                                                        						_t205 = 0;
                                                                                        						while( *((intOrPtr*)(_t217 + 8 + _t205 * 4)) != 0) {
                                                                                        							_t205 = _t205 + 1;
                                                                                        							if(_t195 != _t205) {
                                                                                        								continue;
                                                                                        							}
                                                                                        							goto L69;
                                                                                        						}
                                                                                        						goto L68;
                                                                                        					case 1:
                                                                                        						__eax = __ebp[8];
                                                                                        						__eflags = __eax;
                                                                                        						if(__eax == 0) {
                                                                                        							goto L82;
                                                                                        						}
                                                                                        						 *__esp = 0;
                                                                                        						__esi = __ebp[0xc];
                                                                                        						__ebx =  *(__ebx + 0x18);
                                                                                        						__ecx = __eax + __esi;
                                                                                        						__ecx = __eax + __esi | __eax;
                                                                                        						__edx = __ebx;
                                                                                        						__edx =  !__ebx;
                                                                                        						__eflags = __ecx & __edx;
                                                                                        						if((__ecx & __edx) != 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__esp[1] = __esi;
                                                                                        						__edx = __esp[9];
                                                                                        						__edi = __edi[0x94];
                                                                                        						__eflags = __edi;
                                                                                        						if(__edi == 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__ecx = __ebp[4];
                                                                                        						__eflags = __ecx;
                                                                                        						if(__ecx < 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__ebx = __ebx & __eax;
                                                                                        						__ebx = __ebx +  *((intOrPtr*)(__edx + 0x14));
                                                                                        						__edi =  &(__edi[__ecx]);
                                                                                        						__eax = IsBadStringPtrA(__edi, 2);
                                                                                        						__eflags = __eax;
                                                                                        						if(__eax != 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__eax = lstrlenA(__edi);
                                                                                        						__esi = __esp[1];
                                                                                        						__eflags = __eax - __esi;
                                                                                        						__esi =  <  ? __eax : __esi;
                                                                                        						_push(__esi);
                                                                                        						_push(__edi);
                                                                                        						_push(__ebx);
                                                                                        						goto L48;
                                                                                        					case 2:
                                                                                        						 *__esp = 0;
                                                                                        						__esi = __edi[0x94];
                                                                                        						__esi = __ebp[4] + __edi[0x94];
                                                                                        						__eax = IsBadCodePtr(__esi);
                                                                                        						__eflags = __eax;
                                                                                        						if(__eax != 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__ebx = __edi[0x94];
                                                                                        						__ebx = __ebp[8] + __edi[0x94];
                                                                                        						__eax = IsBadReadPtr(__ebx, 0xa);
                                                                                        						__eflags = __eax;
                                                                                        						if(__eax != 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						_push(__ebx);
                                                                                        						_push(__edi[0x94]);
                                                                                        						__eax =  *__esi();
                                                                                        						__eflags = __eax;
                                                                                        						if(__eax == 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__eax = __eax - __edi[0x94];
                                                                                        						goto L95;
                                                                                        					case 3:
                                                                                        						__ebx =  &(__edi[0x50]);
                                                                                        						__eflags = __ebx - __edi[0x50];
                                                                                        						if(__ebx == __edi[0x50]) {
                                                                                        							goto L82;
                                                                                        						}
                                                                                        						 *__esp = 0;
                                                                                        						__esi = __edi[0x54];
                                                                                        						__eflags = __esi - __ebx;
                                                                                        						if(__esi == __ebx) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__esp[2] = __edi;
                                                                                        						do {
                                                                                        							__eax =  *(__esi + 8);
                                                                                        							__eflags =  *(__esi + 8) - __ebp[4];
                                                                                        							if( *(__esi + 8) != __ebp[4]) {
                                                                                        								goto L24;
                                                                                        							}
                                                                                        							__eflags = __edi[0xa8];
                                                                                        							if(__edi[0xa8] != 0) {
                                                                                        								goto L24;
                                                                                        							}
                                                                                        							__edi = __ebp;
                                                                                        							__ebp =  *(__esi + 0x10);
                                                                                        							__eax = GetProcessHeap();
                                                                                        							__ebp = __edi;
                                                                                        							__edi = __esp[3];
                                                                                        							__eax = RtlAllocateHeap(__eax, 8,  *(__esi + 0x10)); // executed
                                                                                        							__edi[0xa8] = __eax;
                                                                                        							__eflags = __eax;
                                                                                        							if(__eax != 0) {
                                                                                        								__ecx =  *(__esi + 0x10);
                                                                                        								__edi[0xac] =  *(__esi + 0x10);
                                                                                        								__eax = E00403E90(__eax,  *(__esi + 0xc),  *(__esi + 0x10));
                                                                                        								goto L94;
                                                                                        							}
                                                                                        							L24:
                                                                                        							__esi =  *(__esi + 4);
                                                                                        							__eflags = __esi - __ebx;
                                                                                        						} while (__esi != __ebx);
                                                                                        						goto L96;
                                                                                        					case 4:
                                                                                        						 *__esp = 0;
                                                                                        						__edi[0x94] = __ebp[4] + __edi[0x94];
                                                                                        						__eax = IsBadCodePtr(__ebp[4] + __edi[0x94]);
                                                                                        						__eflags = __eax;
                                                                                        						if(__eax != 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__eax = __ebp[0xc];
                                                                                        						__eflags = __eax;
                                                                                        						if(__eax == 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__ebp[8] = __ebp[8] + __edi[0xa8];
                                                                                        						__edx =  &(__esp[3]);
                                                                                        						__eax = VirtualProtect(__ebp[8] + __edi[0xa8], __eax, __ebp[0x10],  &(__esp[3])); // executed
                                                                                        						goto L95;
                                                                                        					case 5:
                                                                                        						__eax = __ebp[4];
                                                                                        						__eflags = __eax;
                                                                                        						if(__eax == 0) {
                                                                                        							goto L82;
                                                                                        						}
                                                                                        						 *__esp = 0;
                                                                                        						__ecx =  *(__ebx + 0x18);
                                                                                        						__edx = __eax + 4;
                                                                                        						__edx = __eax + 0x00000004 | __eax;
                                                                                        						__esi = __ecx;
                                                                                        						__esi =  !__ecx;
                                                                                        						__eflags = __edx & __esi;
                                                                                        						if((__edx & __esi) == 0) {
                                                                                        							__ecx = __ecx & __eax;
                                                                                        							__eax = GetModuleHandleA(__ecx);
                                                                                        							__edi[0x94] = __eax;
                                                                                        							__ecx = 0;
                                                                                        							__eflags = __eax;
                                                                                        							__ecx = 0 | __eflags != 0x00000000;
                                                                                        							 *__esp = __eflags != 0;
                                                                                        						}
                                                                                        						goto L96;
                                                                                        					case 6:
                                                                                        						__ebx = __ebp[0xc];
                                                                                        						__eflags = __ebx;
                                                                                        						if(__ebx == 0) {
                                                                                        							goto L82;
                                                                                        						}
                                                                                        						 *__esp = 0;
                                                                                        						__ecx = __ebp[0x10];
                                                                                        						__eax = __esp[9];
                                                                                        						__eax = __esp[9][0x18];
                                                                                        						__edx = __ebx + __ecx;
                                                                                        						__edx = __ebx + __ecx | __ebx;
                                                                                        						__esi = __eax;
                                                                                        						__esi =  !__eax;
                                                                                        						__eflags = __edx & __esi;
                                                                                        						if((__edx & __esi) != 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__esi = __ebp[8];
                                                                                        						__eflags = __esi;
                                                                                        						if(__esi < 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__edx =  &(__edi[0x50]);
                                                                                        						__eflags = __edx - __edi[0x50];
                                                                                        						if(__edx == __edi[0x50]) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__esp[1] = __esi;
                                                                                        						__esi = __edi[0x54];
                                                                                        						__eflags = __esi - __edx;
                                                                                        						if(__esi == __edx) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__eax = __eax & __ebx;
                                                                                        						__edi = __esp[9];
                                                                                        						__eax = __eax + __esp[9][0x14];
                                                                                        						__eflags = __eax;
                                                                                        						__edi = __ebp[4];
                                                                                        						while(1) {
                                                                                        							__eflags =  *(__esi + 8) - __edi;
                                                                                        							if( *(__esi + 8) == __edi) {
                                                                                        								break;
                                                                                        							}
                                                                                        							__esi =  *(__esi + 4);
                                                                                        							__eflags = __esi - __edx;
                                                                                        							if(__esi != __edx) {
                                                                                        								continue;
                                                                                        							}
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__edx =  *(__esi + 0x10);
                                                                                        						__edi = __esp[1];
                                                                                        						__edx =  *(__esi + 0x10) - __edi;
                                                                                        						__eflags = __edx - __ecx;
                                                                                        						__edx =  >=  ? __ecx : __edx;
                                                                                        						__edi =  &(__edi[ *(__esi + 0xc)]);
                                                                                        						 *__esp = __edx;
                                                                                        						_push(__edx);
                                                                                        						_push(__eax);
                                                                                        						_push(__edi);
                                                                                        						goto L99;
                                                                                        					case 7:
                                                                                        						__ecx = __ebp[4];
                                                                                        						__eflags = __ecx - 0xfffffffe;
                                                                                        						if(__ecx == 0xfffffffe) {
                                                                                        							__eax = __edi[0x98];
                                                                                        							__eflags = __eax;
                                                                                        							if(__eax == 0) {
                                                                                        								goto L82;
                                                                                        							}
                                                                                        							 *__esp = 0;
                                                                                        							__ecx = __ebp[0xc];
                                                                                        							__eflags = __ecx;
                                                                                        							if(__ecx == 0) {
                                                                                        								goto L96;
                                                                                        							}
                                                                                        							__edx = __ebp[0x10];
                                                                                        							__esi =  *(__ebx + 0x18);
                                                                                        							__ebx =  &(__ecx[__edx]);
                                                                                        							__ebx =  &(__ecx[__edx]) | __ecx;
                                                                                        							__esi =  !__esi;
                                                                                        							__eflags = __ebx & __esi;
                                                                                        							if((__ebx & __esi) != 0) {
                                                                                        								goto L96;
                                                                                        							}
                                                                                        							__esi = __ebp[8];
                                                                                        							__eflags = __esi;
                                                                                        							__ebx = __esp[9];
                                                                                        							if(__esi < 0) {
                                                                                        								goto L96;
                                                                                        							}
                                                                                        							__ecx = __ecx &  *(__ebx + 0x18);
                                                                                        							__ecx =  &(__ecx[ *(__ebx + 0x14)]);
                                                                                        							__edi = __edi[0x9c];
                                                                                        							__edi = __edi - __esi;
                                                                                        							__eflags = __edx - __edi;
                                                                                        							__edi =  <  ? __edx : __edi;
                                                                                        							__eax = __eax + __esi;
                                                                                        							 *__esp = __edi;
                                                                                        							_push(__edi);
                                                                                        							_push(__eax);
                                                                                        							_push(__ecx);
                                                                                        							L99:
                                                                                        							__eax = E00403E90();
                                                                                        							__esp =  &(__esp[3]);
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						 *__esp = 0;
                                                                                        						__eflags = __ecx - 0xffffffff;
                                                                                        						if(__ecx != 0xffffffff) {
                                                                                        							__ebx = __ebp[0xc];
                                                                                        							__eflags = __ebx;
                                                                                        							if(__ebx == 0) {
                                                                                        								goto L96;
                                                                                        							}
                                                                                        							__eax = __esp[9];
                                                                                        							__edx = __esp[9][0x18];
                                                                                        							__eax = __ebp[0x10];
                                                                                        							__esp[1] = __eax;
                                                                                        							__esi = __eax + __ebx;
                                                                                        							__esi = __eax + __ebx | __ebx;
                                                                                        							__eax = __edx;
                                                                                        							__eax =  !__edx;
                                                                                        							__eflags = __esi & __eax;
                                                                                        							if((__esi & __eax) != 0) {
                                                                                        								goto L96;
                                                                                        							}
                                                                                        							__esi = __ebp[8];
                                                                                        							__eflags = __esi;
                                                                                        							if(__esi < 0) {
                                                                                        								goto L96;
                                                                                        							}
                                                                                        							__ebp =  &(__edi[0x50]);
                                                                                        							__eflags = __ebp - __edi[0x50];
                                                                                        							if(__ebp == __edi[0x50]) {
                                                                                        								goto L96;
                                                                                        							}
                                                                                        							__edi = __edi[0x54];
                                                                                        							__eflags = __edi - __ebp;
                                                                                        							if(__edi == __ebp) {
                                                                                        								goto L96;
                                                                                        							}
                                                                                        							__edx = __edx & __ebx;
                                                                                        							__eax = __esp[9];
                                                                                        							__edx =  &(__esp[9][0x14][__edx]);
                                                                                        							__eflags = __edx;
                                                                                        							while(1) {
                                                                                        								__eflags = __edi[8] - __ecx;
                                                                                        								if(__edi[8] == __ecx) {
                                                                                        									break;
                                                                                        								}
                                                                                        								__edi = __edi[4];
                                                                                        								__eflags = __edi - __ebp;
                                                                                        								if(__edi != __ebp) {
                                                                                        									continue;
                                                                                        								}
                                                                                        								goto L96;
                                                                                        							}
                                                                                        							__eax = __edi[0x10];
                                                                                        							__eax = __edi[0x10] - __esi;
                                                                                        							__ecx = __esp[1];
                                                                                        							__eflags = __eax - __ecx;
                                                                                        							__eax =  >=  ? __ecx : __eax;
                                                                                        							__esi = __esi + __edi[0xc];
                                                                                        							__eflags = __esi;
                                                                                        							 *__esp = __eax;
                                                                                        							_push(__eax);
                                                                                        							_push(__esi);
                                                                                        							_push(__edx);
                                                                                        							goto L99;
                                                                                        						}
                                                                                        						__eax = __edi[0x94];
                                                                                        						__eflags = __eax;
                                                                                        						if(__eax == 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__ecx = __ebp[0xc];
                                                                                        						__eflags = __ecx;
                                                                                        						if(__ecx == 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__esi = __ebp[0x10];
                                                                                        						__edx =  *(__ebx + 0x18);
                                                                                        						__edi = __esi + __ecx;
                                                                                        						__edi = __esi + __ecx | __ecx;
                                                                                        						__edx =  !( *(__ebx + 0x18));
                                                                                        						__eflags = __edi & __edx;
                                                                                        						if((__edi & __edx) != 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__edx = __ebp[8];
                                                                                        						__eflags = __edx;
                                                                                        						if(__edx < 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__ecx = __ecx &  *(__ebx + 0x18);
                                                                                        						__ecx =  &(__ecx[ *(__ebx + 0x14)]);
                                                                                        						__eax = __eax + __edx;
                                                                                        						__eflags = __eax;
                                                                                        						_push(__esi);
                                                                                        						_push(__eax);
                                                                                        						_push(__ecx);
                                                                                        						L48:
                                                                                        						__eax = E00403E90();
                                                                                        						 *__esp = __esi;
                                                                                        						goto L96;
                                                                                        					case 8:
                                                                                        						__ecx =  &(__edi[0x50]);
                                                                                        						__eflags = __ecx - __edi[0x50];
                                                                                        						if(__ecx == __edi[0x50]) {
                                                                                        							goto L82;
                                                                                        						}
                                                                                        						 *__esp = 0;
                                                                                        						__eax = __edi[0x54];
                                                                                        						__eflags = __eax - __ecx;
                                                                                        						if(__eax == __ecx) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__edx = __ebp[4];
                                                                                        						while(1) {
                                                                                        							__eflags =  *((intOrPtr*)(__eax + 8)) - __edx;
                                                                                        							if( *((intOrPtr*)(__eax + 8)) == __edx) {
                                                                                        								break;
                                                                                        							}
                                                                                        							__eax =  *(__eax + 4);
                                                                                        							__eflags = __eax - __ecx;
                                                                                        							if(__eax != __ecx) {
                                                                                        								continue;
                                                                                        							}
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__ecx =  *__eax;
                                                                                        						__edx =  *(__eax + 4);
                                                                                        						 *( *(__eax + 4)) =  *__eax;
                                                                                        						__ecx =  *__eax;
                                                                                        						__edx =  *(__eax + 4);
                                                                                        						 *( *__eax + 4) =  *(__eax + 4);
                                                                                        						__eax = HeapFree(__edi[0xa4], 0, __eax);
                                                                                        						L94:
                                                                                        						__eax = 0;
                                                                                        						__eax = 1;
                                                                                        						__eflags = 1;
                                                                                        						goto L95;
                                                                                        					case 9:
                                                                                        						__ebx = __ebp[4];
                                                                                        						__eflags = __ebx;
                                                                                        						if(__ebx <= 0) {
                                                                                        							__eax = 0;
                                                                                        							__eax = 0xffffffffffffffff;
                                                                                        							goto L95;
                                                                                        						}
                                                                                        						 *__esp = 0;
                                                                                        						__eax = __ebx + 0x14;
                                                                                        						__eax = HeapAlloc(__edi[0xa4], 8, __ebx + 0x14);
                                                                                        						__eflags = __eax;
                                                                                        						if(__eax == 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__esi = __eax;
                                                                                        						 *(__eax + 0x10) = __ebx;
                                                                                        						 *(__esi + 0xc) = __eax;
                                                                                        						__eax =  &(__edi[0xa0]);
                                                                                        						 *(__esi + 8) = InterlockedIncrement( &(__edi[0xa0]));
                                                                                        						__eax =  &(__edi[0x50]);
                                                                                        						__ecx = __edi[0x50];
                                                                                        						 *__esi = __ecx;
                                                                                        						__ecx[4] = __esi;
                                                                                        						 *(__esi + 4) =  &(__edi[0x50]);
                                                                                        						__edi[0x50] = __esi;
                                                                                        						__eax =  *(__esi + 8);
                                                                                        						goto L95;
                                                                                        					case 0xa:
                                                                                        						 *__esp = 0;
                                                                                        						__eax = __ebp[4];
                                                                                        						__eflags = __eax;
                                                                                        						if(__eax == 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__ecx = __ebp[0xc];
                                                                                        						__edx =  *(__ebx + 0x18);
                                                                                        						__esi = __eax + __ecx;
                                                                                        						__esi = __eax + __ecx | __eax;
                                                                                        						__edi = __edx;
                                                                                        						__edi =  !__edx;
                                                                                        						__eflags = __esi & __edi;
                                                                                        						if((__esi & __edi) != 0) {
                                                                                        							goto L95;
                                                                                        						}
                                                                                        						__esi = __ebp[8];
                                                                                        						__eflags = __esi;
                                                                                        						if(__esi == 0) {
                                                                                        							goto L95;
                                                                                        						}
                                                                                        						__ebx = __esi + __ecx;
                                                                                        						__ebx = __esi + __ecx | __esi;
                                                                                        						__eflags = __ebx & __edi;
                                                                                        						if((__ebx & __edi) != 0) {
                                                                                        							goto L95;
                                                                                        						}
                                                                                        						__edi = __esp[9];
                                                                                        						__edi = __esp[9][0x14];
                                                                                        						__eax = __eax + __edi;
                                                                                        						__eax = E00403E90(__eax, __esi, __ecx);
                                                                                        						goto L66;
                                                                                        					case 0xb:
                                                                                        						 *__esp = 0;
                                                                                        						__eax = __ebp[4];
                                                                                        						__eflags = __eax;
                                                                                        						if(__eax == 0) {
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__edx = __ebp[0xc];
                                                                                        						__ecx =  *(__ebx + 0x18);
                                                                                        						__esi = __eax + __edx;
                                                                                        						__esi = __eax + __edx | __eax;
                                                                                        						__edi = __ecx;
                                                                                        						__edi =  !__ecx;
                                                                                        						__eflags = __esi & __edi;
                                                                                        						if((__esi & __edi) != 0) {
                                                                                        							L95:
                                                                                        							 *__esp = __eax;
                                                                                        							goto L96;
                                                                                        						}
                                                                                        						__ecx = __ecx & __eax;
                                                                                        						__eflags = __ecx;
                                                                                        						__eax = E00405040(__ecx, __ebp[8], __edx);
                                                                                        						L66:
                                                                                        						__esp =  &(__esp[3]);
                                                                                        						__eax = __ebp[4];
                                                                                        						goto L95;
                                                                                        				}
                                                                                        			}

                                                                                        0x004035f4
                                                                                        0x004035fd
                                                                                        0x00403603
                                                                                        0x00403b37
                                                                                        0x00403b37
                                                                                        0x00403bd4
                                                                                        0x00403bde
                                                                                        0x00403bde
                                                                                        0x0040360d
                                                                                        0x0040360f
                                                                                        0x00000000
                                                                                        0x00403616
                                                                                        0x0040361d
                                                                                        0x00403623
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00403629
                                                                                        0x00403630
                                                                                        0x00403637
                                                                                        0x00403a35
                                                                                        0x00403a35
                                                                                        0x00403a37
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00403a3d
                                                                                        0x00403a4e
                                                                                        0x00403a56
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00403a5c
                                                                                        0x00403a5e
                                                                                        0x00403a69
                                                                                        0x00403ac1
                                                                                        0x00403ac4
                                                                                        0x00403ac7
                                                                                        0x00403ac9
                                                                                        0x00403acc
                                                                                        0x00403acf
                                                                                        0x00000000
                                                                                        0x00403a72
                                                                                        0x00403a72
                                                                                        0x00403a74
                                                                                        0x00403a74
                                                                                        0x00403a7a
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00403a80
                                                                                        0x00403a85
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00403a97
                                                                                        0x00403a9a
                                                                                        0x00403a9e
                                                                                        0x00403aa4
                                                                                        0x00403aa7
                                                                                        0x00403ab3
                                                                                        0x00403ab8
                                                                                        0x00403abb
                                                                                        0x00403abf
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00403abf
                                                                                        0x00000000
                                                                                        0x00403a74
                                                                                        0x00403a69
                                                                                        0x0040363d
                                                                                        0x0040363f
                                                                                        0x0040364a
                                                                                        0x0040364d
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x0040364f
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00403654
                                                                                        0x00403657
                                                                                        0x00403659
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x0040365f
                                                                                        0x00403666
                                                                                        0x00403669
                                                                                        0x0040366c
                                                                                        0x0040366f
                                                                                        0x00403671
                                                                                        0x00403673
                                                                                        0x00403675
                                                                                        0x00403677
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x0040367d
                                                                                        0x00403681
                                                                                        0x00403685
                                                                                        0x0040368b
                                                                                        0x0040368d
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00403693
                                                                                        0x00403696
                                                                                        0x00403698
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x0040369e
                                                                                        0x004036a0
                                                                                        0x004036a3
                                                                                        0x004036a8
                                                                                        0x004036ae
                                                                                        0x004036b0
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x004036b7
                                                                                        0x004036bd
                                                                                        0x004036c1
                                                                                        0x004036c3
                                                                                        0x004036c6
                                                                                        0x004036c7
                                                                                        0x004036c8
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x004036ce
                                                                                        0x004036d5
                                                                                        0x004036db
                                                                                        0x004036df
                                                                                        0x004036e5
                                                                                        0x004036e7
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x004036ed
                                                                                        0x004036f3
                                                                                        0x004036f9
                                                                                        0x004036ff
                                                                                        0x00403701
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00403707
                                                                                        0x00403708
                                                                                        0x0040370e
                                                                                        0x00403710
                                                                                        0x00403712
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00403718
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00403723
                                                                                        0x00403726
                                                                                        0x00403729
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x0040372f
                                                                                        0x00403736
                                                                                        0x00403739
                                                                                        0x0040373b
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00403741
                                                                                        0x00403745
                                                                                        0x00403745
                                                                                        0x00403748
                                                                                        0x0040374b
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x0040374d
                                                                                        0x00403754
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00403756
                                                                                        0x00403758
                                                                                        0x0040375b
                                                                                        0x00403762
                                                                                        0x00403764
                                                                                        0x0040376b
                                                                                        0x00403771
                                                                                        0x00403777
                                                                                        0x00403779
                                                                                        0x00403bb6
                                                                                        0x00403bb9
                                                                                        0x00403bc6
                                                                                        0x00000000
                                                                                        0x00403bcb
                                                                                        0x0040377f
                                                                                        0x0040377f
                                                                                        0x00403782
                                                                                        0x00403782
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x0040378b
                                                                                        0x00403798
                                                                                        0x0040379c
                                                                                        0x004037a2
                                                                                        0x004037a4
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x004037aa
                                                                                        0x004037ad

                                                                                        APIs
                                                                                        • IsBadStringPtrA.KERNEL32 ref: 004036A8
                                                                                        • lstrlenA.KERNEL32(?), ref: 004036B7
                                                                                        • IsBadCodePtr.KERNEL32 ref: 004036DF
                                                                                        • IsBadReadPtr.KERNEL32(00000000,0000000A), ref: 004036F9
                                                                                        • GetProcessHeap.KERNEL32 ref: 0040375B
                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 0040376B
                                                                                        • IsBadCodePtr.KERNEL32 ref: 0040379C
                                                                                        • VirtualProtect.KERNEL32(00000000,?,?,?), ref: 004037C8
                                                                                        • GetModuleHandleA.KERNEL32(?), ref: 004037FB
                                                                                        • _memmove.LIBCMT ref: 004038EA
                                                                                        • HeapAlloc.KERNEL32(?,00000008,?,?,?,?), ref: 0040394E
                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 0040396E
                                                                                        • _memmove.LIBCMT ref: 004039E3
                                                                                        • _memset.LIBCMT ref: 00403A1D
                                                                                        • GetProcessHeap.KERNEL32 ref: 00403A44
                                                                                        • HeapAlloc.KERNEL32(00000000,00000008), ref: 00403A4E
                                                                                        • _memmove.LIBCMT ref: 00403C0F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$_memmove$AllocCodeProcess$AllocateHandleIncrementInterlockedModuleProtectReadStringVirtual_memsetlstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 779832632-0
                                                                                        • Opcode ID: 36606eeff70ce2228fa974d0bc36e6d0527d077cfa616246d1dcf083be8e82de
                                                                                        • Instruction ID: 18fe11b212e25e669b99bde115275c2656a4e983ac33546e8f8470c30e468957
                                                                                        • Opcode Fuzzy Hash: 36606eeff70ce2228fa974d0bc36e6d0527d077cfa616246d1dcf083be8e82de
                                                                                        • Instruction Fuzzy Hash: D6028D717046059FDB14CF15C880A6ABBB9BF44709F05852EE889AB381EB38FE51CB95
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        (basic-block edge list for function 004033AD omitted; blocks were marked Executed / Not Executed)
                                                                                        APIs
                                                                                          • Part of subcall function 00401D90: HeapAlloc.KERNEL32(?,00000008,00000005), ref: 00401EC8
                                                                                          • Part of subcall function 00401D90: _memset.LIBCMT ref: 00401EE3
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 0040342B
                                                                                        • VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 0040343A
                                                                                        • IsBadReadPtr.KERNEL32(?,?), ref: 00403465
                                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403482
                                                                                        Strings
                                                                                        • NBWEBELCHSCNTYEAIDAU7UNMEKOW8B9AIDCR8ACEL8BGMOX9DNJNFC6G5GGQOMUMIGPVIXSXPYW8FFIM4XFVBMPZT6E884HU5JCXD6SLP4E4ZTBRSI8G5V5JJKCUCJNDTRBCUFQ5OCXUIR684VO5YI4XGPPBE7DMVWEEK7QQDAUUYCKLRFQARAMLJ8DZX6PI48LRZQMD5AKKYATK5JWKB4MLMC9W7GAWS94RW7HIQEXQQBHAKVZRMGXFDLTSVQN98QNE, xrefs: 004033C3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: QueryVirtual$AllocHeapInfoReadSystem_memset
                                                                                        • String ID: NBWEBELCHSCNTYEAIDAU7UNMEKOW8B9AIDCR8ACEL8BGMOX9DNJNFC6G5GGQOMUMIGPVIXSXPYW8FFIM4XFVBMPZT6E884HU5JCXD6SLP4E4ZTBRSI8G5V5JJKCUCJNDTRBCUFQ5OCXUIR684VO5YI4XGPPBE7DMVWEEK7QQDAUUYCKLRFQARAMLJ8DZX6PI48LRZQMD5AKKYATK5JWKB4MLMC9W7GAWS94RW7HIQEXQQBHAKVZRMGXFDLTSVQN98QNE
                                                                                        • API String ID: 1206223359-227829153
                                                                                        • Opcode ID: 4ff5aaeeb5f67d026d3ffe850bf1d0f0a7a951b8df9de8d3dbf3024610f1c49c
                                                                                        • Instruction ID: 7b70796847b5c35266444012e9009b90b86d0cfec45d5ba9348df9edce5bcf87
                                                                                        • Opcode Fuzzy Hash: 4ff5aaeeb5f67d026d3ffe850bf1d0f0a7a951b8df9de8d3dbf3024610f1c49c
                                                                                        • Instruction Fuzzy Hash: 7141D631904300ABD301DF15DD85A2BBBE8BF84705F04883EF988B72A1D778EA55CB56
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        (basic-block edge list for function 0081092B omitted; blocks were marked Executed / Not Executed)
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .$GetProcAddress.$l
                                                                                        • API String ID: 0-2784972518
                                                                                        • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                        • Instruction ID: a7102a0f231689fd65fa398c2c22b4531c2a6e7a60fdd3dc0dfb7c8f969c8fff
                                                                                        • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                        • Instruction Fuzzy Hash: DD3118B6900619DFDB10CF99C880AEDBBF9FF48324F25414AD441E7211D7B1AA85CFA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        (basic-block edge list for function 00402E10 omitted; blocks were marked Executed / Not Executed)
                                                                                        C-Code - Quality: 24%
                                                                                        			E00402E10(intOrPtr __ecx, void* __edx) {
                                                                                        				intOrPtr _v20;
                                                                                        				long _v24;
                                                                                        				intOrPtr _v28;
                                                                                        				intOrPtr _v32;
                                                                                        				char _v36;
                                                                                        				long _v44;
                                                                                        				signed int _v48;
                                                                                        				long _v52;
                                                                                        				intOrPtr _v56;
                                                                                        				signed int _v60;
                                                                                        				void* _v64;
                                                                                        				signed int _v65;
                                                                                        				void* _v68;
                                                                                        				signed int _v72;
                                                                                        				long _v76;
                                                                                        				signed int _v80;
                                                                                        				long _v84;
                                                                                        				long _v88;
                                                                                        				long _v92;
                                                                                        				signed int _v96;
                                                                                        				long _v100;
                                                                                        				void* _t167;
                                                                                        				void* _t171;
                                                                                        				signed int _t174;
                                                                                        				intOrPtr _t175;
                                                                                        				void* _t177;
                                                                                        				void* _t195;
                                                                                        				signed char _t219;
                                                                                        				long* _t225;
                                                                                        				signed int _t226;
                                                                                        				signed int _t227;
                                                                                        				signed char _t228;
                                                                                        				signed int _t237;
                                                                                        				signed int _t248;
                                                                                        				long _t270;
                                                                                        				signed int* _t280;
                                                                                        				intOrPtr* _t281;
                                                                                        				signed int* _t285;
                                                                                        				signed int _t294;
                                                                                        				signed int _t302;
                                                                                        				intOrPtr _t306;
                                                                                        				signed int _t307;
                                                                                        				signed int _t313;
                                                                                        				signed int* _t315;
                                                                                        				signed int* _t316;
                                                                                        				void* _t323;
                                                                                        				void* _t324;
                                                                                        				signed int* _t327;
                                                                                        				signed int* _t328;
                                                                                        
                                                                                        				_v20 = __ecx;
                                                                                        				_v24 = 0;
                                                                                        				_t167 = HeapCreate(0, 0x100000, 0x1000000); // executed
                                                                                        				_t323 =  &_v80 - 0xc;
                                                                                        				_v64 = _t167;
                                                                                        				_v32 = 0x40e260;
                                                                                        				_v36 = 0x42782c;
                                                                                        				if(_v64 == 0) {
                                                                                        					return 0x42782c;
                                                                                        				}
                                                                                        				_t171 = HeapAlloc(_v64, 8, 0xb0);
                                                                                        				_t324 = _t323 - 0xc;
                                                                                        				_v68 = _t171;
                                                                                        				if(_v68 == 0) {
                                                                                        					L57:
                                                                                        					HeapDestroy(_v64); // executed
                                                                                        					_t174 =  &_v36;
                                                                                        					_v96 = _t174;
                                                                                        					L00401003();
                                                                                        					return _t174;
                                                                                        				}
                                                                                        				_v52 = 0;
                                                                                        				_v44 = 0;
                                                                                        				_t175 =  *0x400000; // 0x905a4d
                                                                                        				_v28 = _t175;
                                                                                        				_t177 = HeapAlloc(_v64, 8, 0x40);
                                                                                        				_t327 = _t324 - 0xc;
                                                                                        				_v72 = _t177;
                                                                                        				if(_v72 == 0) {
                                                                                        					L54:
                                                                                        					if( *((intOrPtr*)(_v68 + 0xa8)) != 0) {
                                                                                        						 *0x42c000 =  *((intOrPtr*)(_v68 + 0xa8));
                                                                                        					}
                                                                                        					HeapFree(_v64, 0, _v68);
                                                                                        					_t324 = _t327 - 0xc;
                                                                                        					goto L57;
                                                                                        				}
                                                                                        				 *(_v68 + 0xa0) = 0;
                                                                                        				 *((intOrPtr*)(_v68 + 0xa4)) = _v64;
                                                                                        				 *((intOrPtr*)(_v68 + 4)) = _v68;
                                                                                        				 *((intOrPtr*)(_v68 + 0x50)) = _v68 + 0x50;
                                                                                        				 *((intOrPtr*)(_v68 + 0x54)) = _v68 + 0x50;
                                                                                        				 *((intOrPtr*)(_v68 + 0x58)) = _v68 + 0x58;
                                                                                        				 *((intOrPtr*)(_v68 + 0x5c)) = _v68 + 0x58;
                                                                                        				_v96 = GetProcessHeap();
                                                                                        				_v92 = 0;
                                                                                        				_v88 = 0xbebc200;
                                                                                        				_t195 = RtlAllocateHeap(??, ??, ??); // executed
                                                                                        				_t328 = _t327 - 0xc;
                                                                                        				_v60 = _t195;
                                                                                        				if(_v60 != 0) {
                                                                                        					 *_t328 = _v60;
                                                                                        					_v100 = 0x90;
                                                                                        					_v96 = 0xbebc200;
                                                                                        					E00405040();
                                                                                        					_v52 = 1;
                                                                                        					 *_t328 = GetProcessHeap();
                                                                                        					_v100 = 0;
                                                                                        					_v96 = _v60;
                                                                                        					RtlFreeHeap(??, ??, ??); // executed
                                                                                        					_t328 = _t328 - 0xc;
                                                                                        				}
                                                                                        				if(_v52 == 0) {
                                                                                        					L49:
                                                                                        					 *_t328 = _v72;
                                                                                        					_v100 = 0;
                                                                                        					_v96 = _v80;
                                                                                        					HeapFree(??, ??, ??);
                                                                                        					_t327 = _t328 - 0xc;
                                                                                        					while((((_v76 + 0x00000050 & 0xffffff00 | _v76 + 0x00000050 ==  *(_v76 + 0x50)) ^ 0x000000ff) & 0x00000001) != 0) {
                                                                                        						_v64 =  *((intOrPtr*)(_v76 + 0x54));
                                                                                        						_v48 = _v64;
                                                                                        						 *( *(_v64 + 4)) =  *_v64;
                                                                                        						 *((intOrPtr*)( *_v64 + 4)) =  *((intOrPtr*)(_v64 + 4));
                                                                                        						 *_t327 = _v72;
                                                                                        						_v100 = 0;
                                                                                        						_v96 = _v48;
                                                                                        						HeapFree(??, ??, ??);
                                                                                        						_t327 = _t327 - 0xc;
                                                                                        					}
                                                                                        					goto L54;
                                                                                        				} else {
                                                                                        					E0040333C(_v80);
                                                                                        					 *_t328 = _v80;
                                                                                        					_v100 = _v76;
                                                                                        					E0040155F();
                                                                                        					 *_t328 = _v76;
                                                                                        					_v84 = 0;
                                                                                        					_v88 = 0;
                                                                                        					_v92 = 0;
                                                                                        					_v96 = 0x7d0;
                                                                                        					_v100 = E004033AD;
                                                                                        					E004015D1();
                                                                                        					if(E0040354F(_v80) == 0) {
                                                                                        						L48:
                                                                                        						E004035D2(_v80);
                                                                                        						goto L49;
                                                                                        					}
                                                                                        					_v56 = E0040354F(_v80);
                                                                                        					while(1) {
                                                                                        						_t219 = 0;
                                                                                        						if(_v56 != 0) {
                                                                                        							_t219 = _v80 & 0xffffff00 |  *((intOrPtr*)(_v80 + 0x18)) == 0x00000000;
                                                                                        						}
                                                                                        						if((_t219 & 0x00000001) == 0) {
                                                                                        							break;
                                                                                        						}
                                                                                        						 *_t328 = _v80;
                                                                                        						E00401547();
                                                                                        						 *_t328 = _v80;
                                                                                        						E00401C01();
                                                                                        						_t313 = _v80;
                                                                                        						_t225 = _t313 + 0x28;
                                                                                        						_t270 =  *(_t313 + 0x28);
                                                                                        						if(_t270 == 0) {
                                                                                        							L26:
                                                                                        							_t226 = _v80;
                                                                                        							_t315 = _t226 + 0x2c;
                                                                                        							_t227 =  *(_t226 + 0x2c);
                                                                                        							if(_t227 == 0) {
                                                                                        								L39:
                                                                                        								_t228 = 0;
                                                                                        								if( *((intOrPtr*)(_v80 + 0x28)) == 0) {
                                                                                        									_t228 = 0;
                                                                                        									if( *((intOrPtr*)(_v80 + 0x2c)) == 0) {
                                                                                        										_t228 = 0;
                                                                                        										if( *((intOrPtr*)(_v80 + 0x18)) == 0) {
                                                                                        											_t228 = 1;
                                                                                        											if( *((intOrPtr*)(_v80 + 4)) <= 0) {
                                                                                        												_t228 = (_v80 + 0x00000010 & 0xffffff00 | _v80 + 0x00000010 ==  *(_v80 + 0x10)) ^ 0x000000ff;
                                                                                        											}
                                                                                        										}
                                                                                        									}
                                                                                        								}
                                                                                        								E0040356B(_v80, _t228 & 1);
                                                                                        								_v56 = E0040354F(_v80);
                                                                                        								continue;
                                                                                        							}
                                                                                        							do {
                                                                                        								 *_t315 =  *(_t227 + 0x18);
                                                                                        								_t280 = _t227 + 0x1c;
                                                                                        								_t294 =  *(_t227 + 0x1c);
                                                                                        								 *(_t227 + 0x1c) = _t294 & 0xfffffffb;
                                                                                        								_t306 =  *((intOrPtr*)(_t227 + 0xc));
                                                                                        								if(_t306 == 1) {
                                                                                        									if((_t294 & 0x00000001) != 0 &&  *((intOrPtr*)(_t227 + 0x50)) == 0) {
                                                                                        										 *((intOrPtr*)( *((intOrPtr*)(_t227 + 0x14)))) =  *((intOrPtr*)(_t227 + 0x10));
                                                                                        										 *((intOrPtr*)( *((intOrPtr*)(_t227 + 0x10)) + 4)) =  *((intOrPtr*)(_t227 + 0x14));
                                                                                        										 *((intOrPtr*)( *((intOrPtr*)(_t227 + 8)) + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t227 + 8)) + 4)) + 0xffffffff;
                                                                                        										 *_t280 =  *_t280 | 0x00000002;
                                                                                        										_t281 =  *_t227;
                                                                                        										if(_t281 != 0) {
                                                                                        											 *_t328 = _t227;
                                                                                        											 *_t281();
                                                                                        										}
                                                                                        									}
                                                                                        								} else {
                                                                                        									if(_t306 == 3) {
                                                                                        										_v100 = _t227;
                                                                                        										E0040159F();
                                                                                        									}
                                                                                        								}
                                                                                        								_t227 =  *_t315;
                                                                                        							} while (_t227 != 0);
                                                                                        							goto L39;
                                                                                        						}
                                                                                        						_t307 =  *(_t270 + 0x28);
                                                                                        						 *_t225 = 0;
                                                                                        						if(_t307 == 0) {
                                                                                        							goto L26;
                                                                                        						}
                                                                                        						_t316 = _t313 + 0x2c;
                                                                                        						_t248 = _t307;
                                                                                        						while(1) {
                                                                                        							_t237 = _t248;
                                                                                        							_t248 =  *(_t237 + 0x28);
                                                                                        							_v65 = _t248 == _t307;
                                                                                        							if( *((intOrPtr*)(_t237 + 4)) == 1) {
                                                                                        								_t237 =  *_t237;
                                                                                        								 *((char*)(_t237 + 0x50)) = 0;
                                                                                        								_t285 = _t237 + 0x1c;
                                                                                        								_t302 =  *(_t237 + 0x1c);
                                                                                        								if((_t302 & 0x00000001) != 0) {
                                                                                        									if((_t302 & 0x00000004) == 0) {
                                                                                        										 *_t285 = _t302 | 0x00000004;
                                                                                        										 *(_t237 + 0x18) =  *_t316;
                                                                                        										 *_t316 = _t237;
                                                                                        									}
                                                                                        								} else {
                                                                                        									 *_t328 = _t237;
                                                                                        									_v100 = 0;
                                                                                        									_t237 =  *((intOrPtr*)(_t237 + 0x4c))();
                                                                                        								}
                                                                                        							}
                                                                                        							if(((_v65 | _t237 & 0xffffff00 | _t248 == 0x00000000) & 0x00000001) != 0) {
                                                                                        								break;
                                                                                        							}
                                                                                        						}
                                                                                        						goto L26;
                                                                                        					}
                                                                                        					if( *((intOrPtr*)(_v80 + 0x18)) != 0) {
                                                                                        						 *(_v80 + 0x18) = 0;
                                                                                        					}
                                                                                        					goto L48;
                                                                                        				}
                                                                                        			}


                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$AllocProcess$AllocateCountCreateDestroyTick_memset
                                                                                        • String ID: @
                                                                                        • API String ID: 4248398568-2766056989
                                                                                        • Opcode ID: 225788086ac077eb0789f98910688fef8e81866165107ad6d3efbe899e85fed5
                                                                                        • Instruction ID: c05b7a645e7ad465c47936c3bd6be05441c51df40352e2428c51edaecc661efd
                                                                                        • Opcode Fuzzy Hash: 225788086ac077eb0789f98910688fef8e81866165107ad6d3efbe899e85fed5
                                                                                        • Instruction Fuzzy Hash: 80F119705083019FD304DF28C58871ABFE1BF88359F15896EE4899B3A1D779D98ACF46
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph (function 81003c, blocks 197-281): calls 810a3f, 810e0f, 810d90, VirtualAlloc, 810a69, VirtualProtect, 810cce, 810ce7, VirtualFree, LoadLibraryA
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0081024D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID: cess$kernel32.dll
                                                                                        • API String ID: 4275171209-1230238691
                                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction ID: f6093475901ca60e80cc3f331bc2662dae69c62b94434f60525690b1d0a0d3c1
                                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction Fuzzy Hash: 9F526874A012299FDB64CF58C984BA8BBB5BF09304F1480E9E94DAB251DB70AEC4DF15
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph: 319 401d24-401d2e 320 401d30-401d37 319->320 321 401d39-401d3e 319->321 324 401d8d-401d8f 320->324 322 401d40-401d52 HeapFree 321->322 323 401d55-401d5a 321->323 322->323 325 401d71-401d76 323->325 326 401d5c-401d6e RtlFreeHeap 323->326 325->324 327 401d78-401d8a HeapFree 325->327 326->325 327->324
                                                                                        C-Code - Quality: 100%
                                                                                        			// Cleanup routine: releases up to three heap buffers held in the context
                                                                                        			// structure passed in _a4. The heap handle lives at *(context->base + 0xa4).
                                                                                        			E00401D24(void* __eax, intOrPtr* _a4) {
                                                                                        				void* _t14;
                                                                                        				void* _t15;
                                                                                        				void* _t16;
                                                                                        				int _t17;
                                                                                        				intOrPtr* _t26;
                                                                                        
                                                                                        				_t26 = _a4;
                                                                                        				// If the field at +0x24 is set, record status 4 at +0x30 and bail out without freeing.
                                                                                        				if( *((intOrPtr*)(_t26 + 0x24)) != 0) {
                                                                                        					 *((intOrPtr*)(_t26 + 0x30)) = 4;
                                                                                        					return __eax;
                                                                                        				}
                                                                                        				// Buffer 1 at +0xc
                                                                                        				_t14 =  *(_t26 + 0xc);
                                                                                        				if(_t14 != 0) {
                                                                                        					HeapFree( *( *_t26 + 0xa4), 0, _t14);
                                                                                        					 *(_t26 + 0xc) = 0;
                                                                                        				}
                                                                                        				// Buffer 2 at +0x14 (freed through the ntdll export directly)
                                                                                        				_t15 =  *(_t26 + 0x14);
                                                                                        				if(_t15 != 0) {
                                                                                        					RtlFreeHeap( *( *_t26 + 0xa4), 0, _t15); // executed
                                                                                        					 *(_t26 + 0x14) = 0;
                                                                                        				}
                                                                                        				// Buffer 3 at +0x20; the HeapFree result becomes the return value
                                                                                        				_t16 =  *(_t26 + 0x20);
                                                                                        				if(_t16 != 0) {
                                                                                        					_t17 = HeapFree( *( *_t26 + 0xa4), 0, _t16);
                                                                                        					 *(_t26 + 0x20) = 0;
                                                                                        					return _t17;
                                                                                        				}
                                                                                        				return _t16;
                                                                                        			}

                                                                                        APIs
                                                                                        • HeapFree.KERNEL32(?,00000000,?), ref: 00401D4C
                                                                                        • RtlFreeHeap.NTDLL(?,00000000,?), ref: 00401D68
                                                                                        • HeapFree.KERNEL32(?,00000000,?), ref: 00401D84
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeHeap
                                                                                        • String ID:
                                                                                        • API String ID: 3298025750-0
                                                                                        • Opcode ID: 8fcf7ed74e1b87765ee9f6bd72872f884c70992ff707c6bc6807c26051d81fb6
                                                                                        • Instruction ID: 12117413f669b41ab4b891788d10b24941a6278ed6d7b4da1c78066b9bf9729a
                                                                                        • Opcode Fuzzy Hash: 8fcf7ed74e1b87765ee9f6bd72872f884c70992ff707c6bc6807c26051d81fb6
                                                                                        • Instruction Fuzzy Hash: B301FF752016009FE7308F27ED48E23BBF9FFC5704B14497EA69A976A0C775A802CB25
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph: 345 810e0f-810e24 SetErrorMode * 2 346 810e26 345->346 347 810e2b-810e2c 345->347 346->347
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000400,?,?,00810223,?,?), ref: 00810E19
                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,00810223,?,?), ref: 00810E1E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorMode
                                                                                        • String ID:
                                                                                        • API String ID: 2340568224-0
                                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                        • Instruction ID: 38a33d7cf77271eff4fc9badce6bc49676e91161f5414cc284fa2bfc160f7c8c
                                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                        • Instruction Fuzzy Hash: 5AD0123114512877DB002A95DC09BCD7B1CDF05B62F008411FB0DD9080C7B0998046E5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph: 348 402dc0-402ded call 402e10 ExitProcess
                                                                                        C-Code - Quality: 58%
                                                                                        			// Process-exit path: runs the heap-initialisation subcall E00402E10 and then
                                                                                        			// terminates the process. Decompilation quality is 58%: _t15 is never assigned
                                                                                        			// and the ExitProcess argument was not recovered (shown as ??).
                                                                                        			E00402DC0(void* _a4, void* _a8, intOrPtr _a12, void* _a16) {
                                                                                        				intOrPtr _v4;
                                                                                        				void* _t14;
                                                                                        				intOrPtr* _t15;
                                                                                        
                                                                                        				_v4 = 0;
                                                                                        				E00402E10(_a12, _t14);
                                                                                        				 *_t15 = 0; // executed
                                                                                        				ExitProcess(??);
                                                                                        			}

                                                                                        APIs
                                                                                          • Part of subcall function 00402E10: HeapCreate.KERNEL32 ref: 00402E3C
                                                                                          • Part of subcall function 00402E10: HeapAlloc.KERNEL32 ref: 00402E7F
                                                                                          • Part of subcall function 00402E10: HeapAlloc.KERNEL32 ref: 00402EC7
                                                                                          • Part of subcall function 00402E10: GetProcessHeap.KERNEL32 ref: 00402F44
                                                                                          • Part of subcall function 00402E10: RtlAllocateHeap.NTDLL ref: 00402F5F
                                                                                          • Part of subcall function 00402E10: _memset.LIBCMT ref: 00402F8A
                                                                                          • Part of subcall function 00402E10: GetProcessHeap.KERNEL32 ref: 00402F9B
                                                                                          • Part of subcall function 00402E10: RtlFreeHeap.NTDLL ref: 00402FB2
                                                                                        • ExitProcess.KERNEL32 ref: 00402DED
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$Alloc$AllocateCreateExitFree_memset
                                                                                        • String ID:
                                                                                        • API String ID: 2964914810-0
                                                                                        • Opcode ID: 32de8c49f61589b41c1f49aa65d0db61a0727ec2d96777d69fbfb0dcd33f96eb
                                                                                        • Instruction ID: eec5627ee04d9acc81671ed1c066db47198043e7e1978f33e740ab5e90dd8be2
                                                                                        • Opcode Fuzzy Hash: 32de8c49f61589b41c1f49aa65d0db61a0727ec2d96777d69fbfb0dcd33f96eb
                                                                                        • Instruction Fuzzy Hash: 06D06CB42083028FC340EF18D685B0EBBE0AB88701F004C2DF8D4A3390C7B4E8588B63
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph: 351 4035d2-4035d9 352 4035eb-4035ec 351->352 353 4035db-4035e4 FindCloseChangeNotification 351->353 353->352
                                                                                        C-Code - Quality: 100%
                                                                                        			// Handle-release routine (thiscall): closes the handle stored at this+0x1c if it is
                                                                                        			// valid and resets the slot to INVALID_HANDLE_VALUE. FindCloseChangeNotification is
                                                                                        			// resolved here because in kernel32 it shares its implementation with CloseHandle.
                                                                                        			E004035D2(void* __ecx) {
                                                                                        				void* _t3;
                                                                                        				int _t4;
                                                                                        				void* _t6;
                                                                                        
                                                                                        				_t3 =  *(__ecx + 0x1c);
                                                                                        				if(_t3 != 0xffffffff) {
                                                                                        					_t6 = __ecx;
                                                                                        					_t4 = FindCloseChangeNotification(_t3); // executed
                                                                                        					 *((intOrPtr*)(_t6 + 0x1c)) = 0xffffffff;
                                                                                        					return _t4;
                                                                                        				}
                                                                                        				return _t3;
                                                                                        			}

                                                                                        APIs
                                                                                        • FindCloseChangeNotification.KERNEL32(?,?,00403208), ref: 004035DE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: ChangeCloseFindNotification
                                                                                        • String ID:
                                                                                        • API String ID: 2591292051-0
                                                                                        • Opcode ID: ca0b2121bcc4b15e5a6c556a80ac75337720196cc70b71ed24dde49f4a00437e
                                                                                        • Instruction ID: 6e1aa0057afca782a479451429e762898b2965b49fd59f5b16cf7e1d0c4450cf
                                                                                        • Opcode Fuzzy Hash: ca0b2121bcc4b15e5a6c556a80ac75337720196cc70b71ed24dde49f4a00437e
                                                                                        • Instruction Fuzzy Hash: 01C08CB0004B204BC6284F2CAC4C4423668AA013313340F5AE031E73E0C7B4DC438B80
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 354 810920-810929 TerminateProcess
                                                                                        APIs
                                                                                        • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00810929
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 560597551-0
                                                                                        • Opcode ID: a81f69529bcf2872433a6626b6dddab0307a3207cad9c1e7665d850a07e5ea8b
                                                                                        • Instruction ID: f1a77b98683cafb1fb7459b4dcf7902f75ab8b99c0f73db378513641b05b932d
                                                                                        • Opcode Fuzzy Hash: a81f69529bcf2872433a6626b6dddab0307a3207cad9c1e7665d850a07e5ea8b
                                                                                        • Instruction Fuzzy Hash: 1190026038415011D820259C4C02B0510021751634F3047107170B91D4D84496144126
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00815621,?,?,?,0042E3BC), ref: 008183DF
                                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,0042E3BC), ref: 008183E8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                        • String ID:
                                                                                        • API String ID: 3192549508-0
                                                                                        • Opcode ID: 880da359c61c9ccd7a524984b0fc02d210c0cde66001c6a88c2f91b8ea5dee79
                                                                                        • Instruction ID: ff498d75d80fdc37cc2eb3243abac809d1af37299bd5b94b69569364edcb6727
                                                                                        • Opcode Fuzzy Hash: 880da359c61c9ccd7a524984b0fc02d210c0cde66001c6a88c2f91b8ea5dee79
                                                                                        • Instruction Fuzzy Hash: B1B09231044208ABCB002BA2EE09B58BF68EB09762F004824F64D580628B72A4308A99
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00408173(struct _EXCEPTION_POINTERS* _a4) {
                                                                                        
                                                                                        				SetUnhandledExceptionFilter(0);
                                                                                        				return UnhandledExceptionFilter(_a4);
                                                                                        			}


                                                                                        APIs
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,004053BA,?,?,?,00000000), ref: 00408178
                                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00408181
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                        • String ID:
                                                                                        • API String ID: 3192549508-0
                                                                                        • Opcode ID: 880da359c61c9ccd7a524984b0fc02d210c0cde66001c6a88c2f91b8ea5dee79
                                                                                        • Instruction ID: ff498d75d80fdc37cc2eb3243abac809d1af37299bd5b94b69569364edcb6727
                                                                                        • Opcode Fuzzy Hash: 880da359c61c9ccd7a524984b0fc02d210c0cde66001c6a88c2f91b8ea5dee79
                                                                                        • Instruction Fuzzy Hash: B1B09231044208ABCB002BA2EE09B58BF68EB09762F004824F64D580628B72A4308A99
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __getptd_noexit
                                                                                        • String ID:
                                                                                        • API String ID: 3074181302-0
                                                                                        • Opcode ID: f83eac01144a14e9fabaf636d2d7c722066e4f850ca66a16e55a14a35c1fa842
                                                                                        • Instruction ID: 1b63b6afa651f1bffdec27e254b7e96a87482af86aaee28926cbb1df1021c11e
                                                                                        • Opcode Fuzzy Hash: f83eac01144a14e9fabaf636d2d7c722066e4f850ca66a16e55a14a35c1fa842
                                                                                        • Instruction Fuzzy Hash: 89F14876E402598BDB24CFA9C4806EDFBB9FF58314F64812AD859EB384E7349C81CB54
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(?,?,008174CB,00407219), ref: 008183BD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                        • String ID:
                                                                                        • API String ID: 3192549508-0
                                                                                        • Opcode ID: efc721f8a985ba7de1e74a8019bc030391d3ddba8b72fd49cf719b29c061e006
                                                                                        • Instruction ID: 128312d1311c2f82a6a49dad589f4aa67e25fd1615101857f4746837d799de39
                                                                                        • Opcode Fuzzy Hash: efc721f8a985ba7de1e74a8019bc030391d3ddba8b72fd49cf719b29c061e006
                                                                                        • Instruction Fuzzy Hash: AAA0113000020CABCB002BA2EE088883FACEA082A0B000820F80C080208B32A8208A88
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00408150(_Unknown_base(*)()* _a4) {
                                                                                        
                                                                                        				return SetUnhandledExceptionFilter(_a4);
                                                                                        			}


                                                                                        APIs
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(?,?,00407264,00407219), ref: 00408156
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                        • String ID:
                                                                                        • API String ID: 3192549508-0
                                                                                        • Opcode ID: efc721f8a985ba7de1e74a8019bc030391d3ddba8b72fd49cf719b29c061e006
                                                                                        • Instruction ID: 128312d1311c2f82a6a49dad589f4aa67e25fd1615101857f4746837d799de39
                                                                                        • Opcode Fuzzy Hash: efc721f8a985ba7de1e74a8019bc030391d3ddba8b72fd49cf719b29c061e006
                                                                                        • Instruction Fuzzy Hash: AAA0113000020CABCB002BA2EE088883FACEA082A0B000820F80C080208B32A8208A88
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4c3fcfc09d67d64e7d7e9e626ce8ca91d044c177f0f2fcb27dc057783bb4c131
                                                                                        • Instruction ID: 32b2adb4c8af835eca7cb2f91dfb3b3c4af9f5bc3f71f74192eda4de9f35fe3f
                                                                                        • Opcode Fuzzy Hash: 4c3fcfc09d67d64e7d7e9e626ce8ca91d044c177f0f2fcb27dc057783bb4c131
                                                                                        • Instruction Fuzzy Hash: 9441DA71A056018BD704CE1AC88845BF7E3FFD9204B5BC66CD58D9B7A9D630E846CBC1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 84%
                                                                                        			E00401414(intOrPtr* _a4, char* _a8, signed int* _a12, intOrPtr _a16, signed int* _a20) {
                                                                                        				intOrPtr _v20;
                                                                                        				intOrPtr _v24;
                                                                                        				intOrPtr* _t30;
                                                                                        				signed int _t31;
                                                                                        				unsigned int _t32;
                                                                                        				signed int _t33;
                                                                                        				signed int* _t35;
                                                                                        				signed int _t39;
                                                                                        				intOrPtr _t48;
                                                                                        				char* _t49;
                                                                                        				intOrPtr _t79;
                                                                                        				unsigned int _t88;
                                                                                        				void* _t89;
                                                                                        				signed int* _t90;
                                                                                        				signed int _t91;
                                                                                        				intOrPtr _t92;
                                                                                        				intOrPtr* _t94;
                                                                                        
                                                                                        				_t35 = _a12;
                                                                                        				_t30 = _a4;
                                                                                        				_t88 =  *(_t30 + 0x40);
                                                                                        				_t79 =  *_t30;
                                                                                        				_v20 =  *((intOrPtr*)(_t30 + 4));
                                                                                        				_t48 =  *((intOrPtr*)(_t30 + 8));
                                                                                        				_t92 =  *((intOrPtr*)(_t30 + 0xc));
                                                                                        				_t33 =  *_t35;
                                                                                        				asm("bswap ebx");
                                                                                        				_t31 = _t35[1];
                                                                                        				asm("bswap eax");
                                                                                        				_t39 = (_t88 >> 0x1f) + _t88 >> 1;
                                                                                        				if(_a16 == 0) {
                                                                                        					if(_t88 < 2) {
                                                                                        						L9:
                                                                                        						asm("rol cx, 0x8");
                                                                                        						_t49 = _a8;
                                                                                        						 *((short*)(_t49 + 2)) = _t33;
                                                                                        						 *((char*)(_t49 + 1)) = _t33 >> 0x10;
                                                                                        						 *_t49 = _t33 >> 0x18;
                                                                                        						 *(_t49 + 7) = _t31;
                                                                                        						 *(_t49 + 6) = _t31;
                                                                                        						 *((char*)(_t49 + 5)) = _t31 >> 0x10;
                                                                                        						_t32 = _t31 >> 0x18;
                                                                                        						 *(_t49 + 4) = _t32;
                                                                                        						return _t32;
                                                                                        					}
                                                                                        					_t89 = 0x9e3779b9;
                                                                                        					_v24 = _t48;
                                                                                        					 *_t94 = _t92;
                                                                                        					do {
                                                                                        						_t33 = _t33 + ((_t31 >> 0x00000005) + _v20 ^ _t31 + _t89 ^ (_t31 << 0x00000004) + _t79);
                                                                                        						_t31 = _t31 + ((_t33 >> 0x00000005) +  *_t94 ^ _t89 + _t33 ^ (_t33 << 0x00000004) + _v24);
                                                                                        						_t89 = _t89 + 0x9e3779b9;
                                                                                        						_t39 = _t39 - 1;
                                                                                        					} while (_t39 != 0);
                                                                                        					goto L9;
                                                                                        				}
                                                                                        				if(_t88 < 2) {
                                                                                        					L4:
                                                                                        					_t90 = _a20;
                                                                                        					if(_t90 != 0) {
                                                                                        						asm("bswap ecx");
                                                                                        						_t33 = _t33 ^  *_t90;
                                                                                        						asm("bswap edx");
                                                                                        						_t31 = _t31 ^ _t90[1];
                                                                                        						asm("movsd xmm0, [ecx]");
                                                                                        						asm("movsd [esi], xmm0");
                                                                                        					}
                                                                                        					goto L9;
                                                                                        				}
                                                                                        				_t91 = _t39 * 0x9e3779b9;
                                                                                        				 *_t94 = _t79;
                                                                                        				_v24 = _t48;
                                                                                        				do {
                                                                                        					_t31 = _t31 - ((_t33 >> 0x00000005) + _t92 ^ _t33 + _t91 ^ (_t33 << 0x00000004) + _v24);
                                                                                        					_t33 = _t33 - ((_t31 >> 0x00000005) + _v20 ^ _t91 + _t31 ^ (_t31 << 0x00000004) +  *_t94);
                                                                                        					_t91 = _t91 + 0x61c88647;
                                                                                        					_t39 = _t39 - 1;
                                                                                        				} while (_t39 != 0);
                                                                                        				goto L4;
                                                                                        			}


                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4c3fcfc09d67d64e7d7e9e626ce8ca91d044c177f0f2fcb27dc057783bb4c131
                                                                                        • Instruction ID: ea091c4cf95a06f6a9f0a2c21ca28a0348a097a7891f51faddf94781dd302523
                                                                                        • Opcode Fuzzy Hash: 4c3fcfc09d67d64e7d7e9e626ce8ca91d044c177f0f2fcb27dc057783bb4c131
                                                                                        • Instruction Fuzzy Hash: 44418571A056018BD304CE2AC88445BF7E3EFD9314B5AC66DD58DAB7A9D930E845CBC1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                        • Instruction ID: 3178929b01d798fa34d4ef378dbf52f0378e04f11d2b01edb067f4173028140d
                                                                                        • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                        • Instruction Fuzzy Hash: CC01DF72A006048FDB21CF60DC04BEA33A9FF86306F1545A4D90AD7285E3B0A8C18F80
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        [Control-flow graph image not available in this export. Recoverable summary: 80 basic blocks (422-501) for the function starting at 0x813077; Windows API calls in the graph: HeapCreate, RtlAllocateHeap, GetProcessHeap, HeapFree, HeapDestroy; calls to internal functions 0x81126a, 0x8152a7, 0x8135a3, 0x8117c6, 0x811838, 0x8137b6, 0x813839, 0x8117ae, 0x811e68, 0x8137d2, 0x811806.]
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$Allocate$Process$CountCreateDestroyTick
                                                                                        • String ID: @
                                                                                        • API String ID: 463782701-2766056989
                                                                                        • Opcode ID: 9987667864bc4dd8a25f1a563ba09b02a637d5a8444b02c06aec76deb7dbc244
                                                                                        • Instruction ID: 6f2afb8636d665e5ccd088299a6c50276fa036cf0733dd73bf2917b450884bea
                                                                                        • Opcode Fuzzy Hash: 9987667864bc4dd8a25f1a563ba09b02a637d5a8444b02c06aec76deb7dbc244
                                                                                        • Instruction Fuzzy Hash: D6F1F3B0508301CFD304DF28D188B5ABBE5FF88318F15896DE4999B3A1D775D989CB86
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        [Control-flow graph image not available in this export. Recoverable summary: 66 basic blocks (507-572) for the function starting at 0x407919 (decompiled below as E00407919); Windows API calls in the graph: GetStartupInfoW, GetStdHandle, GetFileType, InitializeCriticalSectionAndSpinCount; calls to internal functions 0x4081f0, 0x409225, 0x4090a3, 0x40ac60, 0x408235, 0x407bdd.]
                                                                                        C-Code - Quality: 86%
                                                                                        			E00407919(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                        				signed int* _t81;
                                                                                        				void* _t86;
                                                                                        				long _t90;
                                                                                        				intOrPtr _t94;
                                                                                        				signed int _t98;
                                                                                        				signed int _t99;
                                                                                        				signed char _t103;
                                                                                        				intOrPtr* _t105;
                                                                                        				intOrPtr _t106;
                                                                                        				intOrPtr* _t109;
                                                                                        				signed char _t111;
                                                                                        				long _t119;
                                                                                        				signed int _t130;
                                                                                        				signed int* _t134;
                                                                                        				intOrPtr _t135;
                                                                                        				signed int* _t138;
                                                                                        				void** _t139;
                                                                                        				intOrPtr _t141;
                                                                                        				void* _t142;
                                                                                        				signed int _t143;
                                                                                        				void** _t147;
                                                                                        				signed int _t149;
                                                                                        				void* _t150;
                                                                                        				void** _t154;
                                                                                        				void* _t155;
                                                                                        
                                                                                        				_push(0x64);
                                                                                        				_push(0x42aa50);
                                                                                        				E004081F0(__ebx, __edi, __esi);
                                                                                        				E00409225(0xb);
                                                                                        				_t130 = 0;
                                                                                        				 *(_t155 - 4) = 0;
                                                                                        				if( *0x42f5a0 == 0) {
                                                                                        					_push(0x40);
                                                                                        					_t141 = 0x20;
                                                                                        					_push(_t141);
                                                                                        					_t81 = E004090A3();
                                                                                        					_t134 = _t81;
                                                                                        					 *(_t155 - 0x24) = _t134;
                                                                                        					if(_t134 != 0) {
                                                                                        						 *0x42f5a0 = _t81;
                                                                                        						 *0x42f588 = _t141;
                                                                                        						while(_t134 <  &(_t81[0x200])) {
                                                                                        							_t134[1] = 0xa00;
                                                                                        							 *_t134 =  *_t134 | 0xffffffff;
                                                                                        							_t134[2] = _t130;
                                                                                        							_t134[9] = _t134[9] & 0x00000080;
                                                                                        							_t134[9] = _t134[9] & 0x0000007f;
                                                                                        							_t134[9] = 0xa0a;
                                                                                        							_t134[0xe] = _t130;
                                                                                        							_t134[0xd] = _t130;
                                                                                        							_t134 =  &(_t134[0x10]);
                                                                                        							 *(_t155 - 0x24) = _t134;
                                                                                        							_t81 =  *0x42f5a0;
                                                                                        						}
                                                                                        						GetStartupInfoW(_t155 - 0x74);
                                                                                        						if( *((short*)(_t155 - 0x42)) == 0) {
                                                                                        							while(1) {
                                                                                        								L31:
                                                                                        								 *(_t155 - 0x2c) = _t130;
                                                                                        								if(_t130 >= 3) {
                                                                                        									break;
                                                                                        								}
                                                                                        								_t147 =  *0x42f5a0 + (_t130 << 6);
                                                                                        								 *(_t155 - 0x24) = _t147;
                                                                                        								if( *_t147 == 0xffffffff ||  *_t147 == 0xfffffffe) {
                                                                                        									_t147[1] = 0x81;
                                                                                        									if(_t130 != 0) {
                                                                                        										_t66 = _t130 - 1; // -1
                                                                                        										asm("sbb eax, eax");
                                                                                        										_t90 =  ~_t66 + 0xfffffff5;
                                                                                        									} else {
                                                                                        										_t90 = 0xfffffff6;
                                                                                        									}
                                                                                        									_t142 = GetStdHandle(_t90);
                                                                                        									if(_t142 == 0xffffffff || _t142 == 0) {
                                                                                        										L47:
                                                                                        										_t147[1] = _t147[1] | 0x00000040;
                                                                                        										 *_t147 = 0xfffffffe;
                                                                                        										_t94 =  *0x42e560; // 0x96d490
                                                                                        										if(_t94 != 0) {
                                                                                        											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
                                                                                        										}
                                                                                        										goto L49;
                                                                                        									} else {
                                                                                        										_t98 = GetFileType(_t142);
                                                                                        										if(_t98 == 0) {
                                                                                        											goto L47;
                                                                                        										}
                                                                                        										 *_t147 = _t142;
                                                                                        										_t99 = _t98 & 0x000000ff;
                                                                                        										if(_t99 != 2) {
                                                                                        											if(_t99 != 3) {
                                                                                        												L46:
                                                                                        												_t70 =  &(_t147[3]); // -4388244
                                                                                        												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
                                                                                        												_t147[2] = _t147[2] + 1;
                                                                                        												goto L49;
                                                                                        											}
                                                                                        											_t103 = _t147[1] | 0x00000008;
                                                                                        											L45:
                                                                                        											_t147[1] = _t103;
                                                                                        											goto L46;
                                                                                        										}
                                                                                        										_t103 = _t147[1] | 0x00000040;
                                                                                        										goto L45;
                                                                                        									}
                                                                                        								} else {
                                                                                        									_t147[1] = _t147[1] | 0x00000080;
                                                                                        									L49:
                                                                                        									_t130 = _t130 + 1;
                                                                                        									continue;
                                                                                        								}
                                                                                        							}
                                                                                        							 *(_t155 - 4) = 0xfffffffe;
                                                                                        							E00407BDD();
                                                                                        							L2:
                                                                                        							_t86 = 1;
                                                                                        							L3:
                                                                                        							return E00408235(_t86);
                                                                                        						}
                                                                                        						_t105 =  *((intOrPtr*)(_t155 - 0x40));
                                                                                        						if(_t105 == 0) {
                                                                                        							goto L31;
                                                                                        						}
                                                                                        						_t135 =  *_t105;
                                                                                        						 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
                                                                                        						_t106 = _t105 + 4;
                                                                                        						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
                                                                                        						 *(_t155 - 0x20) = _t106 + _t135;
                                                                                        						if(_t135 >= 0x800) {
                                                                                        							_t135 = 0x800;
                                                                                        							 *((intOrPtr*)(_t155 - 0x1c)) = 0x800;
                                                                                        						}
                                                                                        						_t149 = 1;
                                                                                        						 *(_t155 - 0x30) = 1;
                                                                                        						while( *0x42f588 < _t135) {
                                                                                        							_t138 = E004090A3(_t141, 0x40);
                                                                                        							 *(_t155 - 0x24) = _t138;
                                                                                        							if(_t138 != 0) {
                                                                                        								0x42f5a0[_t149] = _t138;
                                                                                        								 *0x42f588 =  *0x42f588 + _t141;
                                                                                        								while(_t138 <  &(0x42f5a0[_t149][0x200])) {
                                                                                        									_t138[1] = 0xa00;
                                                                                        									 *_t138 =  *_t138 | 0xffffffff;
                                                                                        									_t138[2] = _t130;
                                                                                        									_t138[9] = _t138[9] & 0x00000080;
                                                                                        									_t138[9] = 0xa0a;
                                                                                        									_t138[0xe] = _t130;
                                                                                        									_t138[0xd] = _t130;
                                                                                        									_t138 =  &(_t138[0x10]);
                                                                                        									 *(_t155 - 0x24) = _t138;
                                                                                        								}
                                                                                        								_t149 = _t149 + 1;
                                                                                        								 *(_t155 - 0x30) = _t149;
                                                                                        								_t135 =  *((intOrPtr*)(_t155 - 0x1c));
                                                                                        								continue;
                                                                                        							}
                                                                                        							_t135 =  *0x42f588;
                                                                                        							 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
                                                                                        							break;
                                                                                        						}
                                                                                        						_t143 = _t130;
                                                                                        						 *(_t155 - 0x2c) = _t143;
                                                                                        						_t109 =  *((intOrPtr*)(_t155 - 0x28));
                                                                                        						_t139 =  *(_t155 - 0x20);
                                                                                        						while(_t143 < _t135) {
                                                                                        							_t150 =  *_t139;
                                                                                        							if(_t150 == 0xffffffff || _t150 == 0xfffffffe) {
                                                                                        								L26:
                                                                                        								_t143 = _t143 + 1;
                                                                                        								 *(_t155 - 0x2c) = _t143;
                                                                                        								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
                                                                                        								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
                                                                                        								_t139 =  &(_t139[1]);
                                                                                        								 *(_t155 - 0x20) = _t139;
                                                                                        								continue;
                                                                                        							} else {
                                                                                        								_t111 =  *_t109;
                                                                                        								if((_t111 & 0x00000001) == 0) {
                                                                                        									goto L26;
                                                                                        								}
                                                                                        								if((_t111 & 0x00000008) != 0) {
                                                                                        									L24:
                                                                                        									_t154 = 0x42f5a0[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
                                                                                        									 *(_t155 - 0x24) = _t154;
                                                                                        									 *_t154 =  *_t139;
                                                                                        									_t154[1] =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
                                                                                        									_t38 =  &(_t154[3]); // 0xd
                                                                                        									InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
                                                                                        									_t154[2] = _t154[2] + 1;
                                                                                        									_t139 =  *(_t155 - 0x20);
                                                                                        									L25:
                                                                                        									_t135 =  *((intOrPtr*)(_t155 - 0x1c));
                                                                                        									goto L26;
                                                                                        								}
                                                                                        								_t119 = GetFileType(_t150);
                                                                                        								_t139 =  *(_t155 - 0x20);
                                                                                        								if(_t119 == 0) {
                                                                                        									goto L25;
                                                                                        								}
                                                                                        								goto L24;
                                                                                        							}
                                                                                        						}
                                                                                        						goto L31;
                                                                                        					}
                                                                                        					E0040AC60(_t155, 0x42c198, _t155 - 0x10, 0xfffffffe);
                                                                                        					_t86 = 0;
                                                                                        					goto L3;
                                                                                        				}
                                                                                        				E0040AC60(_t155, 0x42c198, _t155 - 0x10, 0xfffffffe);
                                                                                        				goto L2;
                                                                                        			}

                                                                                        APIs
                                                                                        • __lock.LIBCMT ref: 00407927
                                                                                          • Part of subcall function 00409225: __mtinitlocknum.LIBCMT ref: 00409237
                                                                                          • Part of subcall function 00409225: EnterCriticalSection.KERNEL32(00000000,?,00405A23,0000000D), ref: 00409250
                                                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 00407945
                                                                                        • __calloc_crt.LIBCMT ref: 0040795E
                                                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 00407979
                                                                                        • GetStartupInfoW.KERNEL32(?,0042AA50,00000064), ref: 004079CE
                                                                                        • __calloc_crt.LIBCMT ref: 00407A19
                                                                                        • GetFileType.KERNEL32(00000001), ref: 00407A60
                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00407A99
                                                                                        • GetStdHandle.KERNEL32(-000000F6), ref: 00407B52
                                                                                        • GetFileType.KERNEL32(00000000), ref: 00407B64
                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(-0042F594,00000FA0), ref: 00407B99
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__lock__mtinitlocknum
                                                                                        • String ID:
                                                                                        • API String ID: 1456538442-0
                                                                                        • Opcode ID: 6d9b8ba4f36c0ed21241421c23b7c2f9eb2ecc0d04ff1b18c8fdbda1afe8968a
                                                                                        • Instruction ID: d8c233d70c1a9e53d9c76028d0cf452cbb115d68185ddd2d1e64d5a2a2f0abc9
                                                                                        • Opcode Fuzzy Hash: 6d9b8ba4f36c0ed21241421c23b7c2f9eb2ecc0d04ff1b18c8fdbda1afe8968a
                                                                                        • Instruction Fuzzy Hash: 7191D770E082559FDB24CF68C84056DBBB0AF09328B64467ED4A6B73D1D73CA943CB5A
Uniqueness
• Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 80%
                                                                                        			E004010B0(void* _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                        				char _v20;
                                                                                        				char _v24;
                                                                                        				void* __edi;
                                                                                        				char _t12;
                                                                                        				void* _t14;
                                                                                        				CHAR* _t16;
                                                                                        				int _t20;
                                                                                        				void* _t25;
                                                                                        				void* _t27;
                                                                                        				void _t28;
                                                                                        				void* _t30;
                                                                                        				void* _t32;
                                                                                        				CHAR* _t33;
                                                                                        				CHAR* _t35;
                                                                                        				void _t36;
                                                                                        				char _t39;
                                                                                        				void* _t40;
                                                                                        				CHAR* _t41;
                                                                                        				int _t42;
                                                                                        				void* _t43;
                                                                                        				void* _t44;
                                                                                         				void* _t45;
                                                                                         				void* _t46;

                                                                                         				/* Editor's reading of the listing (the names are not in the report): _a4 is the heap
                                                                                         				 * handle used for every HeapAlloc/HeapFree, _a8 is an output pointer that is only
                                                                                         				 * NULL-checked, _a12 is the ANSI string that gets tokenised. Each accepted token becomes
                                                                                         				 * a 2-byte heap cell (a parsed byte value, or 0x100 for a "?" token) appended to the list
                                                                                         				 * kept in _v20/_v24. */
                                                                                         				_t35 = _a12;
                                                                                         				_t42 = lstrlenA(_t35);
                                                                                         				_t12 = 0;
                                                                                         				if(_a8 != 0 && _t35 != 0 && _t42 != 0) {
                                                                                         					_t44 = _a4;
                                                                                         					_t4 = _t42 + 1; // 0x1
                                                                                         					_t14 = HeapAlloc(_t44, 8, _t4); // HEAP_ZERO_MEMORY, len + 1: a private copy, since strtok writes into its input
                                                                                         					_t40 = _t14;
                                                                                         					if(_t14 != 0) {
                                                                                         						E00403E90(_t40, _t35, _t42); // _memmove (ref 004010FB in the API list below)
                                                                                         						_t45 = _t45 + 0xc;
                                                                                         					}
                                                                                         					_t43 = E00401240(_t40); // body not in this listing; returns the buffer that is tokenised and freed below
                                                                                         					_t12 = 0;
                                                                                         					if(_t43 != 0) {
                                                                                         						_v20 = 0; // list head
                                                                                         						_v24 = 0; // list tail
                                                                                         						_push(0x40e2f8); // delimiter string for _strtok; its bytes are not reproduced in this report
                                                                                         						_t16 = E004044D4(_t40, _t43); // _strtok (ref 00401123): first token
                                                                                         						_t46 = _t45 + 8;
                                                                                         						if(_t16 == 0) {
                                                                                         							L23:
                                                                                         							// Success path (also reached once the last token is consumed): free the tokenised
                                                                                         							// copy and hand back the list head/tail as an 8-byte structure through eax.
                                                                                         							HeapFree(_t44, 0, _t43);
                                                                                         							asm("movsd xmm0, [esp]");
                                                                                         							asm("movsd [eax], xmm0");
                                                                                         							return 1;
                                                                                         						}
                                                                                         						_t41 = _t16;
                                                                                         						while(1) {
                                                                                         							_t20 = lstrlenA(_t41);
                                                                                         							_t6 = _t20 - 3; // -3
                                                                                         							// Unsigned compare of (len - 3) against -2: only tokens of length 1 or 2 get past this.
                                                                                         							if(_t6 < 0xfffffffe) {
                                                                                         								break;
                                                                                         							}
                                                                                         							_t39 =  *_t41;
                                                                                         							if(_t39 != 0x3f) { // 0x3f == '?'
                                                                                         								if(_t20 == 2) {
                                                                                         									_t25 = E0040476D(_t39); // per-character test on the first char (consistent with isxdigit; not named in the report)
                                                                                         									_t46 = _t46 + 4;
                                                                                         									if(_t25 == 0) {
                                                                                         										break;
                                                                                         									}
                                                                                         									_push(_t41[1]); // the second character gets the same test at L17
                                                                                         									L17:
                                                                                         									_t27 = E0040476D();
                                                                                         									_t46 = _t46 + 4;
                                                                                         									if(_t27 == 0) {
                                                                                         										break;
                                                                                         									}
                                                                                         									_t28 = E004049BE(_t41, 0, 0x10); // _strtoul(token, NULL, 16) (ref 004011A2)
                                                                                         									_t46 = _t46 + 0xc;
                                                                                         									_t36 = _t28;
                                                                                         									// As decompiled, this unsigned comparison accepts only 1..0xff: 0 and anything wider than a byte fail.
                                                                                         									if(_t28 + 0xffffff00 < 0xffffff01) {
                                                                                         										break;
                                                                                         									}
                                                                                         									_t30 = HeapAlloc(_t44, 8, 2); // 2-byte cell: the value byte plus a zero high byte
                                                                                         									if(_t30 == 0) {
                                                                                         										break;
                                                                                         									}
                                                                                         									 *_t30 = _t36;
                                                                                         									 *((char*)(_t30 + 1)) = 0;
                                                                                         									L21:
                                                                                         									_t32 = E00401009(_t44,  &_v20, _t30); // append the cell to the list (body not in this listing)
                                                                                         									_t46 = _t46 + 0xc;
                                                                                         									if(_t32 == 0) {
                                                                                         										break;
                                                                                         									}
                                                                                         									_push(0x40e2f8);
                                                                                         									_t33 = E004044D4(_t41, 0); // _strtok(NULL, delim) (ref 004011E7): next token
                                                                                         									_t46 = _t46 + 8;
                                                                                         									_t41 = _t33;
                                                                                         									if(_t33 != 0) {
                                                                                         										continue;
                                                                                         									}
                                                                                         									goto L23;
                                                                                         								}
                                                                                         								if(_t20 != 1) {
                                                                                         									break;
                                                                                         								}
                                                                                         								_push(_t39); // single-character token: test it and fall into the same conversion path
                                                                                         								goto L17;
                                                                                         							}
                                                                                         							// "?" token: the cell holds 0x100, a value no parsed byte can take, consistent with a wildcard marker.
                                                                                         							_t30 = HeapAlloc(_t44, 8, 2);
                                                                                         							if(_t30 == 0) {
                                                                                         								break;
                                                                                         							}
                                                                                         							 *_t30 = 0x100;
                                                                                         							goto L21;
                                                                                         						}
                                                                                         						// Any malformed token or allocation failure lands here: tear down the partial list and the copy.
                                                                                         						E00401062(_t44, _t46); // list teardown (body not in this listing; the argument is a stack-pointer artifact of the decompiler)
                                                                                         						HeapFree(_t44, 0, _t43);
                                                                                         						return 0;
                                                                                         					}
                                                                                         				}
                                                                                         				return _t12;
                                                                                         			}
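The routine above tokenises a string and stores one 2-byte cell per token, 0x100 for "?" and a parsed byte value otherwise, which is the shape of a byte-pattern (signature) parser with wildcard positions. The following C program is an added, clean-room illustration of that control flow written for this page; it is not code from the sample, from Joe Sandbox, or from this report. It assumes the delimiter string at 0x40e2f8 is a single space, that E0040476D behaves like isxdigit, and it stores cells in a fixed array instead of the heap-allocated list built by E00401009. The matcher at the end goes beyond the listing: it shows how such cells are consumed by a wildcard scan over a constructed buffer.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAT_WILDCARD 0x100u  /* same marker the decompiled routine stores for a "?" token */

/* Parse a space-separated byte pattern such as "48 8B ? 05" into 16-bit cells:
 * 0x01..0xFF for a literal byte, PAT_WILDCARD for "?".
 * Returns the number of cells written, or -1 on any malformed token or overflow
 * (the decompiled routine returns 0 and frees its partial list in that case). */
static int parse_byte_pattern(const char *pattern, uint16_t *out, size_t max_cells)
{
    if (pattern == NULL || out == NULL || *pattern == '\0')
        return -1;

    /* Like the original, work on a private copy: strtok writes NUL bytes into its input. */
    size_t len = strlen(pattern);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, pattern, len + 1);

    int count = 0;
    /* Assumption: the delimiter at 0x40e2f8 is " "; the report does not show its bytes. */
    for (char *tok = strtok(copy, " "); tok != NULL; tok = strtok(NULL, " ")) {
        size_t tlen = strlen(tok);
        /* The decompiled (len - 3) unsigned test admits only 1- or 2-character tokens. */
        if (tlen != 1 && tlen != 2)
            goto fail;
        if ((size_t)count >= max_cells)
            goto fail;

        /* '?' is checked before the length split, so "?x" is a wildcard too, as in the listing. */
        if (tok[0] == '?') {
            out[count++] = PAT_WILDCARD;
            continue;
        }
        /* Every character is tested (E0040476D, assumed to be isxdigit) before strtoul is trusted. */
        for (size_t i = 0; i < tlen; i++)
            if (!isxdigit((unsigned char)tok[i]))
                goto fail;
        unsigned long v = strtoul(tok, NULL, 16);
        /* Mirrors the decompiled comparison (v + 0xffffff00 < 0xffffff01): only 1..0xff passes. */
        if (v < 1 || v > 0xff)
            goto fail;
        out[count++] = (uint16_t)v;
    }
    free(copy);
    return count;
fail:
    free(copy);
    return -1;
}

/* Consume the cells: return the offset of the first match in buf, or -1 if none.
 * A PAT_WILDCARD cell matches any byte; a literal cell must equal the byte. */
static long find_pattern(const uint8_t *buf, size_t buf_len, const uint16_t *cells, size_t n_cells)
{
    if (buf == NULL || cells == NULL || n_cells == 0 || buf_len < n_cells)
        return -1;
    for (size_t off = 0; off + n_cells <= buf_len; off++) {
        size_t i = 0;
        while (i < n_cells && (cells[i] == PAT_WILDCARD || cells[i] == buf[off + i]))
            i++;
        if (i == n_cells)
            return (long)off;
    }
    return -1;
}
```

Usage: parse_byte_pattern("48 8B ? 05 ff", cells, 16) yields five cells with cells[2] == PAT_WILDCARD, and find_pattern then locates that sequence in a buffer regardless of the third byte. Keeping the wildcard as a 16-bit out-of-range value rather than a separate mask array is the same space trade the decompiled routine makes with its 2-byte heap cells.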
                                                                                         Instruction addresses (address column of the decompiled listing above, in listing order; 0x00000000 entries carry no address):
                                                                                         0x004010b7 0x004010c2 0x004010c4 0x004010cb 0x004010e1 0x004010e5 0x004010ec 0x004010f2
                                                                                         0x004010f6 0x004010fb 0x00401100 0x00401100 0x0040110a 0x0040110c 0x00401110 0x00401116
                                                                                         0x0040111a 0x0040111d 0x00401123 0x00401128 0x0040112d 0x004011f9 0x004011fd 0x00401203
                                                                                         0x0040120c 0x00000000 0x00401210 0x00401133 0x00401135 0x00401136 0x0040113c 0x00401142
                                                                                         0x00000000 0x00000000 0x00401148 0x0040114e 0x0040116d 0x0040117c 0x00401181 0x00401186
                                                                                         0x00000000 0x00000000 0x00401190 0x00401191 0x00401191 0x00401196 0x0040119b 0x00000000
                                                                                         0x00000000 0x004011a2 0x004011a7 0x004011aa 0x004011b6 0x00000000 0x00000000 0x004011bd
                                                                                         0x004011c5 0x00000000 0x00000000 0x004011c7 0x004011c9 0x004011cd 0x004011d4 0x004011d9
                                                                                         0x004011de 0x00000000 0x00000000 0x004011e0 0x004011e7 0x004011ec 0x004011ef 0x004011f3
                                                                                         0x00000000 0x00000000 0x00000000 0x004011f3 0x00401172 0x00000000 0x00000000 0x00401178
                                                                                         0x00000000 0x00401178 0x00401155 0x0040115d 0x00000000 0x00000000 0x00401163 0x00000000
                                                                                         0x00401163 0x00401218 0x00401224 0x00000000 0x0040122a 0x00401110 0x00401233

                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(?), ref: 004010BC
                                                                                        • HeapAlloc.KERNEL32(?,00000008,00000001), ref: 004010EC
                                                                                        • _memmove.LIBCMT ref: 004010FB
                                                                                        • _strtok.LIBCMT ref: 00401123
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 00401136
                                                                                        • HeapAlloc.KERNEL32(?,00000008,00000002), ref: 00401155
                                                                                        • _strtoul.LIBCMT ref: 004011A2
                                                                                        • HeapAlloc.KERNEL32(?,00000008,00000002), ref: 004011BD
                                                                                        • _strtok.LIBCMT ref: 004011E7
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000), ref: 004011FD
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000), ref: 00401224
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$Alloc$Free_strtoklstrlen$_memmove_strtoul
                                                                                        • String ID:
                                                                                        • API String ID: 3388104993-0
                                                                                        • Opcode ID: 19af556fbfa5abccf98dd01959ffd7e175d170726f9d7fbf2c399ddbfaaea6fb
                                                                                        • Instruction ID: adb70b9a9e510087b00887aa7310bd40e72bf33555e17388a9d105d8259b2b63
                                                                                        • Opcode Fuzzy Hash: 19af556fbfa5abccf98dd01959ffd7e175d170726f9d7fbf2c399ddbfaaea6fb
                                                                                        • Instruction Fuzzy Hash: 084154716402016BE620AB715C45B2F369C9F92705F04057AFE49FA3E2EB7CD810827E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • ___security_init_cookie.LIBCMT ref: 008153AE
                                                                                          • Part of subcall function 0081834A: GetStartupInfoW.KERNEL32(?), ref: 00818354
                                                                                        • _fast_error_exit.LIBCMT ref: 00815427
                                                                                        • _fast_error_exit.LIBCMT ref: 00815438
                                                                                        • __RTC_Initialize.LIBCMT ref: 0081543E
                                                                                        • __ioinit0.LIBCMT ref: 00815447
                                                                                        • GetCommandLineA.KERNEL32(0042A940,00000014), ref: 0081544C
                                                                                        • ___crtGetEnvironmentStringsA.LIBCMT ref: 00815457
                                                                                        • __setargv.LIBCMT ref: 00815461
                                                                                        • __setenvp.LIBCMT ref: 00815472
                                                                                        • __cinit.LIBCMT ref: 00815485
                                                                                        • __wincmdln.LIBCMT ref: 00815496
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: _fast_error_exit$CommandEnvironmentInfoInitializeLineStartupStrings___crt___security_init_cookie__cinit__ioinit0__setargv__setenvp__wincmdln
                                                                                        • String ID:
                                                                                        • API String ID: 1504447550-0
                                                                                        • Opcode ID: 28e409208f6a583abcc2e46a45fb4fa7619360811febab490d0ff8c411d4b446
                                                                                        • Instruction ID: ff36cfa308532f13fa22d7ec5b83dd6ef9a39e1930014cfdbcf0cab487948605
                                                                                        • Opcode Fuzzy Hash: 28e409208f6a583abcc2e46a45fb4fa7619360811febab490d0ff8c411d4b446
                                                                                        • Instruction Fuzzy Hash: 8E21C4B0608B01DAE6607BBCA843BED21ACFF50755F10402AF514EA1D2DFB489C0865F
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 94%
                                                                                         			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                         				intOrPtr _t17;
                                                                                         				intOrPtr _t27;
                                                                                         				signed int _t37;
                                                                                         				void* _t46;
                                                                                         				signed int _t49;
                                                                                         				void* _t51;
                                                                                         				void* _t53;

                                                                                         				/* Editor's annotation: this is the MSVC CRT WinMain startup sequence (__tmainCRTStartup),
                                                                                         				 * not sample-specific code. The CRT names in the comments are inferred from that sequence
                                                                                         				 * and from the API list of the copy of this routine at 0x815xxx above (same order:
                                                                                         				 * ___security_init_cookie, GetStartupInfoW, _fast_error_exit, __RTC_Initialize, __ioinit0,
                                                                                         				 * GetCommandLineA, ___crtGetEnvironmentStringsA, __setargv, __setenvp, __cinit, __wincmdln);
                                                                                         				 * they are not present in this listing. */
                                                                                         				_t47 = __edi;
                                                                                         				E00407F41(); // ___security_init_cookie
                                                                                         				_push(0x14);
                                                                                         				_push(0x42a940);
                                                                                         				E004081F0(__ebx, __edi, __esi); // SEH frame setup (__SEH_prolog4: scope table 0x42a940, 0x14 bytes of locals)
                                                                                         				_t49 = E004080E3() & 0x0000ffff; // GetStartupInfoW wrapper; wShowWindow becomes WinMain's nCmdShow
                                                                                         				E00407EF4(2); // __set_app_type(2) == _GUI_APP
                                                                                         				_t53 =  *0x400000 - 0x5a4d; // 0x5a4d == "MZ": IMAGE_DOS_HEADER.e_magic of this module at its image base
                                                                                         				if(_t53 == 0) {
                                                                                         					_t17 =  *0x40003c; // 0xe8: IMAGE_DOS_HEADER.e_lfanew, offset of the NT headers
                                                                                         					// IMAGE_NT_HEADERS.Signature must be "PE\0\0" and OptionalHeader.Magic 0x10b (PE32)
                                                                                         					if( *((intOrPtr*)(_t17 + 0x400000)) != 0x4550 ||  *((intOrPtr*)(_t17 + 0x400018)) != 0x10b) {
                                                                                         						goto L2;
                                                                                         					} else {
                                                                                         						_t37 = 0;
                                                                                         						// NumberOfRvaAndSizes (+0x74) > 14 means DataDirectory[14] (+0xe8, the COM descriptor /
                                                                                         						// CLR header) exists; a non-zero entry flags a managed image, which changes how exit is reached below.
                                                                                         						if( *((intOrPtr*)(_t17 + 0x400074)) > 0xe) {
                                                                                         							_t37 = 0 |  *((intOrPtr*)(_t17 + 0x4000e8)) != 0x00000000;
                                                                                         						}
                                                                                         					}
                                                                                         				} else {
                                                                                         					L2:
                                                                                         					_t37 = 0; // not a recognisable PE32 image: treated as unmanaged, not as an error
                                                                                         				}
                                                                                         				 *(_t51 - 0x1c) = _t37; // managedapp flag
                                                                                         				if(E004078C9() == 0) { // _heap_init
                                                                                         					E00405295(0x1c); // _fast_error_exit(_RT_HEAPINIT == 28)
                                                                                         				}
                                                                                         				if(E00405A8D(_t37, _t47) == 0) { // _mtinit
                                                                                         					_t19 = E00405295(0x10); // _fast_error_exit(_RT_THREAD == 16)
                                                                                         				}
                                                                                         				E00407FDB(_t19); // __RTC_Initialize; _t19 is unassigned on the normal path, a decompiler artifact
                                                                                         				 *(_t51 - 4) =  *(_t51 - 4) & 0x00000000; // SEH scope level 0
                                                                                         				E004078FA(); // __ioinit0
                                                                                         				 *0x42f6b4 = GetCommandLineA(); // _acmdln
                                                                                         				 *0x42d8e4 = E0040801D(); // ___crtGetEnvironmentStringsA -> _aenvptr
                                                                                         				if(E00407BE6() < 0) { // __setargv
                                                                                         					E0040740B(8); // _amsg_exit(_RT_SPACEARG == 8)
                                                                                         				}
                                                                                         				if(E00407E13(_t37, _t46, _t47, _t49) < 0) { // __setenvp
                                                                                         					E0040740B(9); // _amsg_exit(_RT_SPACEENV == 9)
                                                                                         				}
                                                                                         				if(E00407445(_t47, _t49, 1) != 0) { // __cinit(1): run C initialisers
                                                                                         					E0040740B(_t26); // _amsg_exit with __cinit's return code; _t26 is a decompiler artifact
                                                                                         				}
                                                                                         				_t27 = E00408189(); // __wincmdln: command line with the program name stripped
                                                                                         				E00402DC0(0x400000, 0, _t27, _t49); // WinMain(hInstance, NULL, lpCmdLine, nCmdShow): the sample's own entry, not shown here
                                                                                         				_t50 = _t27; // in the CRT source this holds WinMain's return value (eax); the decompiler reuses _t27
                                                                                         				 *((intOrPtr*)(_t51 - 0x24)) = _t27;
                                                                                         				if(_t37 == 0) {
                                                                                         					E0040769D(_t50); // exit(mainret) for unmanaged images; does not return
                                                                                         				}
                                                                                         				E00407436(); // _cexit, managed path only
                                                                                         				 *(_t51 - 4) = 0xfffffffe;
                                                                                         				return E00408235(_t50); // __SEH_epilog4
                                                                                         			}
Listing addresses: 0x00405147 to 0x00405294

                                                                                        APIs
                                                                                        • ___security_init_cookie.LIBCMT ref: 00405147
                                                                                          • Part of subcall function 004080E3: GetStartupInfoW.KERNEL32(?), ref: 004080ED
                                                                                        • _fast_error_exit.LIBCMT ref: 004051C0
                                                                                        • _fast_error_exit.LIBCMT ref: 004051D1
                                                                                        • __RTC_Initialize.LIBCMT ref: 004051D7
                                                                                        • __ioinit0.LIBCMT ref: 004051E0
                                                                                        • GetCommandLineA.KERNEL32(0042A940,00000014), ref: 004051E5
                                                                                        • ___crtGetEnvironmentStringsA.LIBCMT ref: 004051F0
                                                                                        • __setargv.LIBCMT ref: 004051FA
                                                                                        • __setenvp.LIBCMT ref: 0040520B
                                                                                        • __cinit.LIBCMT ref: 0040521E
                                                                                        • __wincmdln.LIBCMT ref: 0040522F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: _fast_error_exit$CommandEnvironmentInfoInitializeLineStartupStrings___crt___security_init_cookie__cinit__ioinit0__setargv__setenvp__wincmdln
                                                                                        • String ID:
                                                                                        • API String ID: 1504447550-0
                                                                                        • Opcode ID: 5091f19cf1d2d0efae3902bc976b102684804c8af962033a60bb9866b8b03b4e
                                                                                        • Instruction ID: 7656a2e4cd24e693345d71f8b590176bc8e33421cfbb194d0ef5fa04866332ae
                                                                                        • Opcode Fuzzy Hash: 5091f19cf1d2d0efae3902bc976b102684804c8af962033a60bb9866b8b03b4e
                                                                                        • Instruction Fuzzy Hash: B821A370E05B019AEA207BB6A946B2B2660DF1071CF1444BFF504BE1C3DE7C98419E5F
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • __ioinit.LIBCMT ref: 0081DF20
                                                                                          • Part of subcall function 00817B45: InitOnceExecuteOnce.KERNELBASE(0042E2A4,00407919,00000000,00000000), ref: 00817B53
                                                                                        • __get_osfhandle.LIBCMT ref: 0081DF34
                                                                                        • __get_osfhandle.LIBCMT ref: 0081DF5F
                                                                                        • __get_osfhandle.LIBCMT ref: 0081DF68
                                                                                        • __get_osfhandle.LIBCMT ref: 0081DF74
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,0081DEC8,?,0042ABF8,00000010,0081DA21,00000000,?,?,?), ref: 0081DF7B
                                                                                        • GetLastError.KERNEL32(?,0081DEC8,?,0042ABF8,00000010,0081DA21,00000000,?,?,?), ref: 0081DF85
                                                                                        • __free_osfhnd.LIBCMT ref: 0081DF92
                                                                                        • __dosmaperr.LIBCMT ref: 0081DFB4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
                                                                                        • String ID:
                                                                                        • API String ID: 974577687-0
                                                                                        • Opcode ID: d2438c5fb670a26b2348fa00dcc0a8356172505d00fbda55304707cfc3045808
                                                                                        • Instruction ID: 4e73f1b440c9bcc6565a79a14c7d022c80e5dc3ef24f470d1f614b891aedb752
                                                                                        • Opcode Fuzzy Hash: d2438c5fb670a26b2348fa00dcc0a8356172505d00fbda55304707cfc3045808
                                                                                        • Instruction Fuzzy Hash: B411293260931429D224267CA905BFE779DFF41B34F250329F92BCB1D2EF6089D39152
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E0040DCB6(void* __eflags, signed int _a4) {
                                                                                        				void* _t12;
                                                                                        				signed int _t13;
                                                                                        				signed int _t16;
                                                                                        				intOrPtr _t18;
                                                                                        				void* _t22;
                                                                                        				signed int _t35;
                                                                                        				long _t40;
                                                                                        
                                                                                        				_t13 = E004078DE(_t12);
                                                                                        				if(_t13 >= 0) {
                                                                                        					_t35 = _a4;
                                                                                        					if(E0040B164(_t35) == 0xffffffff) {
                                                                                        						L10:
                                                                                        						_t40 = 0;
                                                                                        					} else {
                                                                                        						_t18 =  *0x42f5a0;
                                                                                        						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
                                                                                        							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
                                                                                        								goto L8;
                                                                                        							} else {
                                                                                        								goto L7;
                                                                                        							}
                                                                                        						} else {
                                                                                        							L7:
                                                                                        							_t22 = E0040B164(2);
                                                                                        							if(E0040B164(1) == _t22) {
                                                                                        								goto L10;
                                                                                        							} else {
                                                                                        								L8:
                                                                                        								if(CloseHandle(E0040B164(_t35)) != 0) {
                                                                                        									goto L10;
                                                                                        								} else {
                                                                                        									_t40 = GetLastError();
                                                                                        								}
                                                                                        							}
                                                                                        						}
                                                                                        					}
                                                                                        					E0040B0DE(_t35);
                                                                                        					 *((char*)( *((intOrPtr*)(0x42f5a0 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
                                                                                        					if(_t40 == 0) {
                                                                                        						_t16 = 0;
                                                                                        					} else {
                                                                                        						_t16 = E00405465(_t40) | 0xffffffff;
                                                                                        					}
                                                                                        					return _t16;
                                                                                        				} else {
                                                                                        					return _t13 | 0xffffffff;
                                                                                        				}
                                                                                        			}
Listing addresses: 0x0040dcb9 to 0x0040dd5d

                                                                                        APIs
                                                                                        • __ioinit.LIBCMT ref: 0040DCB9
                                                                                          • Part of subcall function 004078DE: InitOnceExecuteOnce.KERNEL32(0042E2A4,00407919,00000000,00000000,0040859F), ref: 004078EC
                                                                                        • __get_osfhandle.LIBCMT ref: 0040DCCD
                                                                                        • __get_osfhandle.LIBCMT ref: 0040DCF8
                                                                                        • __get_osfhandle.LIBCMT ref: 0040DD01
                                                                                        • __get_osfhandle.LIBCMT ref: 0040DD0D
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,0040DC61,?,0042ABF8,00000010,0040D7BA,00000000,?,?,?), ref: 0040DD14
                                                                                        • GetLastError.KERNEL32(?,0040DC61,?,0042ABF8,00000010,0040D7BA,00000000,?,?,?), ref: 0040DD1E
                                                                                        • __free_osfhnd.LIBCMT ref: 0040DD2B
                                                                                        • __dosmaperr.LIBCMT ref: 0040DD4D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
                                                                                        • String ID:
                                                                                        • API String ID: 974577687-0
                                                                                        • Opcode ID: d2438c5fb670a26b2348fa00dcc0a8356172505d00fbda55304707cfc3045808
                                                                                        • Instruction ID: b5644f32911bfeff68ee668ed1238c02b022121f98cde97332d5b29546b81a7c
                                                                                        • Opcode Fuzzy Hash: d2438c5fb670a26b2348fa00dcc0a8356172505d00fbda55304707cfc3045808
                                                                                        • Instruction Fuzzy Hash: 81112932E0522015E22026B9690977B37588F91B78F19433FF918FB2D2EB7C9C89C19D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
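The routine E0040DCB6 above is the statically linked MSVC CRT `_close` (the API list says as much: `__get_osfhandle`, `CloseHandle`, `__free_osfhnd`, `__dosmaperr`), not sample logic, and an analyst should recognise it and move on. Added example, not from the report or the sample: a portable C model of what the listing does, so that the two-level `__pioinfo` indexing `*(0x42f5a0 + (fd >> 5) * 4) + ((fd & 0x1f) << 6)` and the stdout/stderr sharing test on the `osfile` byte at +4 can be read off. The table layout follows the 32-bit CRT (64-byte entries, 32 per block); the handle values, the deliberately failing handle `0xBAD` and the `CloseHandle` stand-in are constructed assumptions.

```c
/*
 * Added example (not part of the Joe Sandbox report or the sample): a
 * host-independent C model of the MSVC CRT _close_nolock logic that the
 * listing at 0040DCB6 decompiles to.  It reproduces the two pieces an analyst
 * has to recognise there:
 *   1. the __pioinfo lookup  *(0x42f5a0 + (fd >> 5) * 4) + ((fd & 0x1f) << 6)
 *      i.e. blocks of 32 entries, 64 bytes each, osfile byte at +4;
 *   2. the stdout/stderr rule: if fd 1 and fd 2 are both open and resolve to
 *      the same OS handle, CloseHandle is skipped for the first one closed.
 * Table contents, handle values and the failing handle 0xBAD are constructed.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IOINFO_L2E           5                  /* log2(entries per block)        */
#define IOINFO_ARRAY_ELTS    (1 << IOINFO_L2E)  /* 32 entries per block           */
#define IOINFO_ARRAYS        64                 /* blocks in __pioinfo            */
#define FOPEN                0x01               /* osfile bit: slot in use        */
#define INVALID_HANDLE       ((int32_t)-1)      /* INVALID_HANDLE_VALUE, 32-bit   */
#define ERROR_INVALID_HANDLE 6                  /* Win32 error for a bad handle   */

/* 32-bit ioinfo entry: 64 bytes, matching the (fd & 0x1f) << 6 stride. */
typedef struct {
    int32_t osfhnd;         /* +0: OS handle                            */
    uint8_t osfile;         /* +4: FOPEN and friends                    */
    uint8_t pad[59];        /* lock, textmode, pipe chars: padding here */
} ioinfo;
_Static_assert(sizeof(ioinfo) == 64, "ioinfo must be 64 bytes");

static uint8_t *g_pioinfo[IOINFO_ARRAYS];       /* __pioinfo, 0x42f5a0 in the sample */
static uint8_t  g_block0[IOINFO_ARRAY_ELTS * sizeof(ioinfo)];

/* Stand-in for CloseHandle: records what was closed; handle 0xBAD fails. */
static int32_t g_closed[16];
static int     g_nclosed;
static int32_t g_last_error;                    /* GetLastError() stand-in           */
static int     g_mapped_errno;                  /* what _dosmaperr would put in errno */

static int close_handle_model(int32_t h) {
    if (h == 0xBAD) { g_last_error = ERROR_INVALID_HANDLE; return 0; }
    if (g_nclosed < 16) g_closed[g_nclosed] = h;
    g_nclosed++;
    return 1;
}

/* Subset of the _dosmaperr table: enough for the one error modelled here. */
static int dosmaperr(int32_t win32_error) {
    return win32_error == ERROR_INVALID_HANDLE ? EBADF : EINVAL;
}

/* _pioinfo(fd): block pointer from the outer array, then the 64-byte slot. */
static ioinfo *pioinfo(int fd) {
    if (fd < 0 || fd >= IOINFO_ARRAYS * IOINFO_ARRAY_ELTS) return NULL;
    uint8_t *block = g_pioinfo[fd >> IOINFO_L2E];          /* *(0x42f5a0 + (fd >> 5) * 4) */
    if (!block) return NULL;
    return (ioinfo *)(block + ((fd & (IOINFO_ARRAY_ELTS - 1)) << 6)); /* + ((fd & 0x1f) << 6) */
}

/* _get_osfhandle: INVALID_HANDLE unless the slot exists and is FOPEN. */
static int32_t get_osfhandle(int fd) {
    ioinfo *p = pioinfo(fd);
    return (p && (p->osfile & FOPEN)) ? p->osfhnd : INVALID_HANDLE;
}

static int osfile(int fd) { ioinfo *p = pioinfo(fd); return p ? p->osfile : 0; }

/* The routine at 0040DCB6. The FOPEN/EBADF precheck lives in the outer _close. */
static int crt_close(int fd) {
    ioinfo *p = pioinfo(fd);
    if (!p) return -1;
    int32_t dosretval = 0;
    if (get_osfhandle(fd) != INVALID_HANDLE) {
        /* *(base+0x84) is osfile of fd 2, *(base+0x44) is osfile of fd 1 */
        int shared_std = ((fd == 1 && (osfile(2) & FOPEN)) ||
                          (fd == 2 && (osfile(1) & FOPEN))) &&
                         get_osfhandle(1) == get_osfhandle(2);
        if (!shared_std && !close_handle_model(p->osfhnd))
            dosretval = g_last_error;
    }
    p->osfhnd = INVALID_HANDLE;     /* _free_osfhnd                       */
    p->osfile = 0;                  /* the byte store at +4 in the listing */
    if (dosretval) { g_mapped_errno = dosmaperr(dosretval); return -1; }
    return 0;
}

static void open_slot(int fd, int32_t h) {
    ioinfo *p = pioinfo(fd);
    p->osfhnd = h;
    p->osfile = FOPEN;
}

/* Constructed table: fd 0..3 open, stdout and stderr sharing handle 0x1c8. */
static void setup_table(void) {
    memset(g_pioinfo, 0, sizeof g_pioinfo);
    memset(g_block0, 0, sizeof g_block0);
    g_pioinfo[0] = g_block0;
    g_nclosed = 0; g_last_error = 0; g_mapped_errno = 0;
    open_slot(0, 0x1c4); open_slot(1, 0x1c8); open_slot(2, 0x1c8); open_slot(3, 0x200);
}

int main(void) {
    setup_table();
    int r1 = crt_close(1);                      /* shared with fd 2: slot freed, no CloseHandle */
    printf("close(1) -> %d, handles closed: %d\n", r1, g_nclosed);
    int r2 = crt_close(2);                      /* fd 1 is gone now, so 0x1c8 really closes */
    printf("close(2) -> %d, handles closed: %d\n", r2, g_nclosed);
    open_slot(4, 0xBAD);
    int r4 = crt_close(4);                      /* CloseHandle fails: -1, errno via _dosmaperr */
    printf("close(4) -> %d, errno %d (EBADF=%d)\n", r4, g_mapped_errno, EBADF);
    return 0;
}
```

The only part of this routine with any behavioural consequence for analysis is the shared stdout/stderr rule: a closed fd 1 leaves the OS handle alive as long as fd 2 still points at it, which is why console output can survive a `_close(1)` in traces of this binary. The indexing arithmetic is the fingerprint to remember; the same `>> 5` / `& 0x1f` / `<< 6` pattern shows up in every other CRT I/O routine the decompiler emits for this image.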

                                                                                        APIs
                                                                                        • lstrlen.KERNEL32(?), ref: 00811323
                                                                                        • RtlAllocateHeap.NTDLL(?,00000008,00000001), ref: 00811353
                                                                                        • lstrlen.KERNEL32(00000000), ref: 0081139D
                                                                                        • RtlAllocateHeap.NTDLL(?,00000008,00000002), ref: 008113BC
                                                                                        • _strtoul.LIBCMT ref: 00811409
                                                                                        • RtlAllocateHeap.NTDLL(?,00000008,00000002), ref: 00811424
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000), ref: 00811464
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000), ref: 0081148B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Allocate$Freelstrlen$_strtoul
                                                                                        • String ID:
                                                                                        • API String ID: 2433434082-0
                                                                                        • Opcode ID: fa84e4cfab8044eda6926e8daa913f167c4d2fff0d77b2e3c74cd1e50dc6a334
                                                                                        • Instruction ID: 2e3af76123238451de0618879ee79feb5227a41665206266c431ec57c990cc3e
                                                                                        • Opcode Fuzzy Hash: fa84e4cfab8044eda6926e8daa913f167c4d2fff0d77b2e3c74cd1e50dc6a334
                                                                                        • Instruction Fuzzy Hash: 01418C715042052BEB205B315C8DFFB369EFF52B41F040534FF4AE6282EB64D884827A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00811FF7: RtlAllocateHeap.NTDLL(?,00000008,00000005), ref: 0081212F
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 00813692
                                                                                        • VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 008136A1
                                                                                        • IsBadHugeReadPtr.KERNEL32(?,?), ref: 008136CC
                                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 008136E9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: QueryVirtual$AllocateHeapHugeInfoReadSystem
                                                                                        • String ID: h<@$h<@
                                                                                        • API String ID: 3767855565-1657133309
                                                                                        • Opcode ID: 4ff5aaeeb5f67d026d3ffe850bf1d0f0a7a951b8df9de8d3dbf3024610f1c49c
                                                                                        • Instruction ID: 2433df62ffd39350bdd5030a19e09ee9fd55cb7f813bcd143734b7a8aca0b83c
                                                                                        • Opcode Fuzzy Hash: 4ff5aaeeb5f67d026d3ffe850bf1d0f0a7a951b8df9de8d3dbf3024610f1c49c
                                                                                        • Instruction Fuzzy Hash: B941F6B1908300ABD7009F15C985A9ABBECFF94314F048D3DF888E7251E770EA94CB92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • __init_pointers.LIBCMT ref: 00815CF4
                                                                                          • Part of subcall function 00817751: RtlEncodePointer.NTDLL(00000000), ref: 00817754
                                                                                          • Part of subcall function 00817751: __initp_misc_winsig.LIBCMT ref: 00817775
                                                                                        • __mtinitlocks.LIBCMT ref: 00815CF9
                                                                                          • Part of subcall function 008195BB: InitializeCriticalSectionAndSpinCount.KERNEL32(0042CBF0,00000FA0,?,?,00815CFE,00815432,0042A940,00000014), ref: 008195D9
                                                                                        • __mtterm.LIBCMT ref: 00815D02
                                                                                          • Part of subcall function 00815D6A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 008194D7
                                                                                          • Part of subcall function 00815D6A: _free.LIBCMT ref: 008194DE
                                                                                          • Part of subcall function 00815D6A: RtlDeleteCriticalSection.NTDLL(0042CBF0), ref: 00819500
                                                                                        • __calloc_crt.LIBCMT ref: 00815D27
                                                                                        • __initptd.LIBCMT ref: 00815D49
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00815D50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$Delete$CountCurrentEncodeInitializePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                        • String ID:
                                                                                        • API String ID: 757573777-0
                                                                                        • Opcode ID: d6beeba81231d8d1cf061db1e581590a50f42152415eea8aa51c551dd52fd4f2
                                                                                        • Instruction ID: a8f631a2fed2eeb556ad1e1932930875b088dbcf9311a2bc5b2e0b1e1262812e
                                                                                        • Opcode Fuzzy Hash: d6beeba81231d8d1cf061db1e581590a50f42152415eea8aa51c551dd52fd4f2
                                                                                        • Instruction Fuzzy Hash: 05F09032109B119AE6343BBDBC0BADA268DFF41730B244A39F4A4D50D2EE6084C2469A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 91%
                                                                                        			E00405A8D(void* __ebx, void* __edi) {
                                                                                        				void* __esi;
                                                                                        				void* _t3;
                                                                                        				intOrPtr _t6;
                                                                                        				long _t14;
                                                                                        				long* _t27;
                                                                                        
                                                                                        				E004074EA(_t3);
                                                                                        				if(E00409354() != 0) {
                                                                                        					_t6 = E004080A8(_t5, E00405823);
                                                                                        					 *0x42c194 = _t6;
                                                                                        					__eflags = _t6 - 0xffffffff;
                                                                                        					if(_t6 == 0xffffffff) {
                                                                                        						goto L1;
                                                                                        					} else {
                                                                                        						_t27 = E004090A3(1, 0x3b8);
                                                                                        						__eflags = _t27;
                                                                                        						if(_t27 == 0) {
                                                                                        							L6:
                                                                                        							E00405B03();
                                                                                        							__eflags = 0;
                                                                                        							return 0;
                                                                                        						} else {
                                                                                        							__eflags = E004080D2(_t9,  *0x42c194, _t27);
                                                                                        							if(__eflags == 0) {
                                                                                        								goto L6;
                                                                                        							} else {
                                                                                        								_push(0);
                                                                                        								_push(_t27);
                                                                                        								E004059E1(__ebx, __edi, _t27, __eflags);
                                                                                        								_t14 = GetCurrentThreadId();
                                                                                        								_t27[1] = _t27[1] | 0xffffffff;
                                                                                        								 *_t27 = _t14;
                                                                                        								__eflags = 1;
                                                                                        								return 1;
                                                                                        							}
                                                                                        						}
                                                                                        					}
                                                                                        				} else {
                                                                                        					L1:
                                                                                        					E00405B03();
                                                                                        					return 0;
                                                                                        				}
                                                                                        			}

                                                                                        0x00405a8d
                                                                                        0x00405a99
                                                                                        0x00405aa8
                                                                                        0x00405aae
                                                                                        0x00405ab3
                                                                                        0x00405ab6
                                                                                        0x00000000
                                                                                        0x00405ab8
                                                                                        0x00405ac5
                                                                                        0x00405ac9
                                                                                        0x00405acb
                                                                                        0x00405afa
                                                                                        0x00405afa
                                                                                        0x00405aff
                                                                                        0x00405b02
                                                                                        0x00405acd
                                                                                        0x00405adb
                                                                                        0x00405add
                                                                                        0x00000000
                                                                                        0x00405adf
                                                                                        0x00405adf
                                                                                        0x00405ae1
                                                                                        0x00405ae2
                                                                                        0x00405ae9
                                                                                        0x00405aef
                                                                                        0x00405af3
                                                                                        0x00405af7
                                                                                        0x00405af9
                                                                                        0x00405af9
                                                                                        0x00405add
                                                                                        0x00405acb
                                                                                        0x00405a9b
                                                                                        0x00405a9b
                                                                                        0x00405a9b
                                                                                        0x00405aa2
                                                                                        0x00405aa2

                                                                                        APIs
                                                                                        • __init_pointers.LIBCMT ref: 00405A8D
                                                                                          • Part of subcall function 004074EA: EncodePointer.KERNEL32(00000000,?,00405A92,004051CB,0042A940,00000014), ref: 004074ED
                                                                                          • Part of subcall function 004074EA: __initp_misc_winsig.LIBCMT ref: 0040750E
                                                                                        • __mtinitlocks.LIBCMT ref: 00405A92
                                                                                          • Part of subcall function 00409354: InitializeCriticalSectionAndSpinCount.KERNEL32(0042CBF0,00000FA0,?,?,00405A97,004051CB,0042A940,00000014), ref: 00409372
                                                                                        • __mtterm.LIBCMT ref: 00405A9B
                                                                                          • Part of subcall function 00405B03: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00405AA0,004051CB,0042A940,00000014), ref: 00409270
                                                                                          • Part of subcall function 00405B03: _free.LIBCMT ref: 00409277
                                                                                          • Part of subcall function 00405B03: DeleteCriticalSection.KERNEL32(0042CBF0,?,?,00405AA0,004051CB,0042A940,00000014), ref: 00409299
                                                                                        • __calloc_crt.LIBCMT ref: 00405AC0
                                                                                        • __initptd.LIBCMT ref: 00405AE2
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00405AE9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$Delete$CountCurrentEncodeInitializePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                        • String ID:
                                                                                        • API String ID: 757573777-0
                                                                                        • Opcode ID: 8c6357fa2dfdbcdb92e4daf8882d4245a40bf1d3c2794c25404fe2e1b107c065
                                                                                        • Instruction ID: a0fb9120c6b0d80f9ae17e211b5da191d5ca47b69b926c9a59b862a4de3ec27b
                                                                                        • Opcode Fuzzy Hash: 8c6357fa2dfdbcdb92e4daf8882d4245a40bf1d3c2794c25404fe2e1b107c065
                                                                                        • Instruction Fuzzy Hash: 05F0A932648B121EE224B7767D0B25B3684CB10339B204A3FF459F40D2EE7CA8428D9C
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 96%
                                                                                        			E00401D90() {
                                                                                        				long _t96;
                                                                                        				signed int _t98;
                                                                                        				signed int _t102;
                                                                                        				signed int _t104;
                                                                                        				signed int _t107;
                                                                                        				signed int _t110;
                                                                                        				signed int _t111;
                                                                                        				signed int _t116;
                                                                                        				signed int _t117;
                                                                                        				void* _t120;
                                                                                        				signed int _t121;
                                                                                        				void* _t122;
                                                                                        				signed int _t123;
                                                                                        				signed int _t125;
                                                                                        				signed int _t128;
                                                                                        				intOrPtr _t129;
                                                                                        				signed char _t130;
                                                                                        				intOrPtr _t132;
                                                                                        				signed int _t137;
                                                                                        				signed int _t138;
                                                                                        				signed int _t139;
                                                                                        				void* _t141;
                                                                                        				signed int _t142;
                                                                                        				signed int _t144;
                                                                                        				signed int _t146;
                                                                                        				intOrPtr _t147;
                                                                                        				void* _t148;
                                                                                        				void* _t149;
                                                                                        				signed int _t150;
                                                                                        				signed int _t151;
                                                                                        				signed int _t152;
                                                                                        				signed int _t153;
                                                                                        				intOrPtr _t154;
                                                                                        				signed int _t156;
                                                                                        				signed int _t157;
                                                                                        				signed int* _t158;
                                                                                        				void* _t160;
                                                                                        				signed int _t161;
                                                                                        				signed int _t162;
                                                                                        				signed int _t163;
                                                                                        				signed int _t164;
                                                                                        				signed int _t169;
                                                                                        				signed int _t171;
                                                                                        				signed int _t172;
                                                                                        				signed int _t173;
                                                                                        				signed int _t175;
                                                                                        				signed int* _t177;
                                                                                        				void* _t209;
                                                                                        
                                                                                        				_t158 = _t177[0xc];
                                                                                        				_t160 = 0xffffffffffffffff;
                                                                                        				if(_t158 == 0) {
                                                                                        					L42:
                                                                                        					return _t160;
                                                                                        				}
                                                                                        				if(_t177[0x10] == 0) {
                                                                                        					_t158[0xc] = 3;
                                                                                        					goto L42;
                                                                                        				}
                                                                                        				_t121 = _t177[0xe];
                                                                                        				_t92 = _t177[0xd];
                                                                                        				asm("xorps xmm0, xmm0");
                                                                                        				asm("movups [edi+0x24], xmm0");
                                                                                        				asm("movups [edi+0x14], xmm0");
                                                                                        				asm("movups [edi+0x4], xmm0");
                                                                                        				 *_t158 = _t177[0xd];
                                                                                        				if(_t121 == 0) {
                                                                                        					L39:
                                                                                        					_t158[0xc] = 2;
                                                                                        					L40:
                                                                                        					E00401D24(_t92, _t158);
                                                                                        					goto L42;
                                                                                        				}
                                                                                        				_t92 = _t177[0xf];
                                                                                        				if(_t92 - 0x400001 < 0xffc00020 ||  *_t121 != 0x14744214) {
                                                                                        					goto L39;
                                                                                        				} else {
                                                                                        					_t128 = 0;
                                                                                        					do {
                                                                                        						 *((intOrPtr*)(_t128 + 0x42d8c0)) =  *((intOrPtr*)(_t121 + _t128));
                                                                                        						_t128 = _t128 + 4;
                                                                                        					} while (_t128 != 0x20);
                                                                                        					_t129 =  *0x42d8dc; // 0x11000
                                                                                        					if(_t129 < 0) {
                                                                                        						goto L39;
                                                                                        					}
                                                                                        					_t146 =  *0x42d8d4; // 0x10
                                                                                        					 *_t177 = _t146;
                                                                                        					if(_t146 < 0) {
                                                                                        						goto L39;
                                                                                        					}
                                                                                        					_t147 =  *0x42d8d8; // 0x0
                                                                                        					if(_t147 < 0) {
                                                                                        						goto L39;
                                                                                        					}
                                                                                        					_t161 =  *0x42d8cc; // 0xfe8
                                                                                        					_t177[1] = _t161;
                                                                                        					if(_t161 <= 0) {
                                                                                        						goto L39;
                                                                                        					}
                                                                                        					_t162 =  *0x42d8c8; // 0x20
                                                                                        					if(_t162 < 0) {
                                                                                        						goto L39;
                                                                                        					}
                                                                                        					_t177[4] = _t162;
                                                                                        					_t163 =  *0x42d8d0; // 0x1008
                                                                                        					_t177[3] = _t163;
                                                                                        					_t164 = _t177[4];
                                                                                        					if(_t177[3] < 0 ||  *0x42d8c4 <= 0 || _t129 > 0xa00000 || _t164 + _t177[1] > _t92) {
                                                                                        						goto L39;
                                                                                        					} else {
                                                                                        						_t148 = _t147 +  *_t177;
                                                                                        						if(_t177[3] + _t148 > _t92) {
                                                                                        							goto L39;
                                                                                        						}
                                                                                        						_t149 = _t148 + _t129;
                                                                                        						_t130 = 0;
                                                                                        						do {
                                                                                        							_t169 = 1 << _t130;
                                                                                        							_t130 = _t130 + 1;
                                                                                        						} while (_t149 > 1);
                                                                                        						_t16 = _t169 + 4; // 0x5
                                                                                        						_t96 = _t16;
                                                                                        						_t158[7] = _t96;
                                                                                        						_t92 = HeapAlloc( *( *_t158 + 0xa4), 8, _t96);
                                                                                        						_t158[5] = _t92;
                                                                                        						_t158[6] = _t169 - 1;
                                                                                        						if(_t92 == 0) {
                                                                                        							goto L39;
                                                                                        						}
                                                                                        						E00405040(_t92, 0, _t158[7]);
                                                                                        						_t98 =  *0x42d8d0; // 0x1008
                                                                                        						_t171 =  *0x42d8d4; // 0x10
                                                                                        						_t132 =  *0x42d8d8; // 0x0
                                                                                        						E00403E90(_t158[5], _t98 + _t121, _t132 + _t171);
                                                                                        						_t177 =  &(_t177[6]);
                                                                                        						if(_t171 <= 0) {
                                                                                        							L23:
                                                                                        							_t158[2] = _t177[0x10];
                                                                                        							_t102 =  *0x42d8c4; // 0x4db
                                                                                        							_t158[0xa] = _t102;
                                                                                        							_t92 = HeapAlloc( *( *_t158 + 0xa4), 8, _t102 << 2);
                                                                                        							_t158[8] = _t92;
                                                                                        							if(_t92 == 0) {
                                                                                        								_t158[0xc] = 0xd;
                                                                                        								goto L40;
                                                                                        							}
                                                                                        							_t158[9] = 0;
                                                                                        							_t104 =  *0x42d8cc; // 0xfe8
                                                                                        							_t158[4] = _t104;
                                                                                        							_t92 = HeapAlloc( *( *_t158 + 0xa4), 8, _t104 << 2);
                                                                                        							_t158[3] = _t92;
                                                                                        							if(_t92 == 0) {
                                                                                        								goto L40;
                                                                                        							}
                                                                                        							_t122 = _t121 +  *0x42d8c8;
                                                                                        							E00403E90(_t92, _t122, _t158[4]);
                                                                                        							_t177 =  &(_t177[3]);
                                                                                        							if( *0x42d8c4 <= 0) {
                                                                                        								L57:
                                                                                        								_t107 = _t158[6];
                                                                                        								_t158[1] = _t107 + 1;
                                                                                        								_t158[0xb] = _t107 + 0xffff0001;
                                                                                        								_t160 = 0;
                                                                                        								goto L42;
                                                                                        							}
                                                                                        							_t177[1] = _t158[3];
                                                                                        							_t110 =  *0x42d8cc; // 0xfe8
                                                                                        							_t177[6] = _t110;
                                                                                        							_t150 = 0;
                                                                                        							_t111 =  *0x42d8c4; // 0x4db
                                                                                        							_t177[2] = _t111;
                                                                                        							_t137 = 0;
                                                                                        							_t172 = 0;
                                                                                        							while(1) {
                                                                                        								_t177[4] = _t150;
                                                                                        								 *(_t158[8] + _t150 * 4) = _t137;
                                                                                        								_t151 =  *(_t122 + _t172) & 0x000000ff;
                                                                                        								_t92 = _t177[1];
                                                                                        								_t177[3] = _t137;
                                                                                        								 *(_t177[1] + _t137 * 4) = _t151;
                                                                                        								if(_t172 > _t177[6]) {
                                                                                        									break;
                                                                                        								}
                                                                                        								_t138 = _t172 + 1;
                                                                                        								_t48 = _t151 - 0xb; // -11
                                                                                        								_t92 = _t48;
                                                                                        								if(_t48 < 0x10) {
                                                                                        									L31:
                                                                                        									_t139 =  *(_t122 + _t138);
                                                                                        									 *_t177 = 5;
                                                                                        									L32:
                                                                                        									_t152 = _t177[3];
                                                                                        									 *(_t177[1] + 4 + _t152 * 4) = _t139;
                                                                                        									_t137 = _t152 + 2;
                                                                                        									_t153 = _t177[4];
                                                                                        									_t172 =  *_t177 + _t172;
                                                                                        									L33:
                                                                                        									_t150 = _t153 + 1;
                                                                                        									if(_t150 < _t177[2]) {
                                                                                        										continue;
                                                                                        									}
                                                                                        									_t123 = _t177[1];
                                                                                        									if(_t177[2] > 0) {
                                                                                        										_t141 = 0;
                                                                                        										_t116 =  *0x42d8c4; // 0x4db
                                                                                        										 *_t177 = _t116;
                                                                                        										_t92 = 0;
                                                                                        										do {
                                                                                        											_t154 =  *((intOrPtr*)(_t123 + _t92 * 4));
                                                                                        											if(_t154 - 0xb >= 0x10) {
                                                                                        												_t83 = _t92 + 1; // 0x1
                                                                                        												_t175 = _t83;
                                                                                        												__eflags = _t154 + 0xfffffffd - 0x1f;
                                                                                        												if(__eflags <= 0) {
                                                                                        													asm("bt ebx, edx");
                                                                                        													if(__eflags < 0) {
                                                                                        														_t117 = _t92 + 2;
                                                                                        														__eflags = _t117;
                                                                                        														_t175 = _t117;
                                                                                        													}
                                                                                        												}
                                                                                        												_t123 = _t177[1];
                                                                                        												_t156 = _t177[2];
                                                                                        												goto L56;
                                                                                        											}
                                                                                        											_t125 =  *(_t123 + 4 + _t92 * 4);
                                                                                        											_t173 = 7;
                                                                                        											if(_t125 < 0 || _t125 > _t158[0xa]) {
                                                                                        												L45:
                                                                                        												_t158[0xc] = _t173;
                                                                                        												goto L40;
                                                                                        											} else {
                                                                                        												_t157 = _t177[1];
                                                                                        												 *((intOrPtr*)(_t157 + 4 + _t92 * 4)) =  *((intOrPtr*)(_t158[8] + _t125 * 4));
                                                                                        												_t123 = _t157;
                                                                                        												_t156 =  *_t177;
                                                                                        												_t175 = _t92 + 2;
                                                                                        											}
                                                                                        											L56:
                                                                                        											_t141 = _t141 + 1;
                                                                                        											_t92 = _t175;
                                                                                        											_t177[2] = _t156;
                                                                                        										} while (_t141 < _t156);
                                                                                        									}
                                                                                        									goto L57;
                                                                                        									L35:
                                                                                        									__eflags = _t177[5] - 0x1e;
                                                                                        									if(_t177[5] != 0x1e) {
                                                                                        										L37:
                                                                                        										__eflags = _t151 - 0x3b;
                                                                                        										if(_t151 > 0x3b) {
                                                                                        											_t173 = 0xe;
                                                                                        											goto L45;
                                                                                        										}
                                                                                        										_t137 = _t177[3] + 1;
                                                                                        										_t153 = _t177[4];
                                                                                        										_t172 =  *_t177;
                                                                                        										goto L33;
                                                                                        									}
                                                                                        									_t139 =  *(_t122 +  *_t177) & 0x000000ff;
                                                                                        									 *_t177 = 2;
                                                                                        									goto L32;
                                                                                        								}
                                                                                        								 *_t177 = _t138;
                                                                                        								_t49 = _t151 - 3; // -3
                                                                                        								_t142 = _t49;
                                                                                        								_t209 = _t142 - 0x1f;
                                                                                        								if(_t209 > 0) {
                                                                                        									goto L37;
                                                                                        								}
                                                                                        								_t92 = 0x80000063;
                                                                                        								_t177[5] = _t142;
                                                                                        								asm("bt eax, ecx");
                                                                                        								_t138 =  *_t177;
                                                                                        								if(_t209 >= 0) {
                                                                                        									goto L35;
                                                                                        								}
                                                                                        								goto L31;
                                                                                        							}
                                                                                        							_t173 = 6;
                                                                                        							goto L45;
                                                                                        						}
                                                                                        						_t120 = 0;
                                                                                        						_t144 =  *0x42d8d4; // 0x10
                                                                                        						do {
                                                                                        							_t120 = _t120 + 4;
                                                                                        						} while (_t120 < _t144);
                                                                                        						goto L23;
                                                                                        					}
                                                                                        				}
                                                                                        			}
                                                                                        0x00401d97
                                                                                        0x00401d9d
                                                                                        0x00401da0
                                                                                        0x0040207b
                                                                                        0x00402084
                                                                                        0x00402084
                                                                                        0x00401dab
                                                                                        0x00402074
                                                                                        0x00000000
                                                                                        0x00402074
                                                                                        0x00401db1
                                                                                        0x00401db5
                                                                                        0x00401db9
                                                                                        0x00401dbc
                                                                                        0x00401dc0
                                                                                        0x00401dc4
                                                                                        0x00401dc8
                                                                                        0x00401dcc
                                                                                        0x00402062
                                                                                        0x00402062
                                                                                        0x00402069
                                                                                        0x0040206a
                                                                                        0x00000000
                                                                                        0x0040206f
                                                                                        0x00401dd2
                                                                                        0x00401de2
                                                                                        0x00000000
                                                                                        0x00401df4
                                                                                        0x00401df4
                                                                                        0x00401df6
                                                                                        0x00401df9
                                                                                        0x00401dff
                                                                                        0x00401e02
                                                                                        0x00401e07
                                                                                        0x00401e0f
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00401e15
                                                                                        0x00401e1b
                                                                                        0x00401e20
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00401e26
                                                                                        0x00401e2e
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00401e34
                                                                                        0x00401e3a
                                                                                        0x00401e40
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00401e46
                                                                                        0x00401e4e
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00401e54
                                                                                        0x00401e58
                                                                                        0x00401e5e
                                                                                        0x00401e62
                                                                                        0x00401e6b
                                                                                        0x00000000
                                                                                        0x00401e96
                                                                                        0x00401e96
                                                                                        0x00401ea1
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00401ea7
                                                                                        0x00401ea9
                                                                                        0x00401eae
                                                                                        0x00401eb0
                                                                                        0x00401eb2
                                                                                        0x00401eb3
                                                                                        0x00401eb7
                                                                                        0x00401eb7
                                                                                        0x00401eba
                                                                                        0x00401ec8
                                                                                        0x00401ece
                                                                                        0x00401ed2
                                                                                        0x00401ed7
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00401ee3
                                                                                        0x00401eeb
                                                                                        0x00401ef2
                                                                                        0x00401ef8
                                                                                        0x00401f05
                                                                                        0x00401f0a
                                                                                        0x00401f0f
                                                                                        0x00401f20
                                                                                        0x00401f24
                                                                                        0x00401f27
                                                                                        0x00401f2c
                                                                                        0x00401f3d
                                                                                        0x00401f43
                                                                                        0x00401f48
                                                                                        0x00402085
                                                                                        0x00000000
                                                                                        0x00402085
                                                                                        0x00401f4e
                                                                                        0x00401f55
                                                                                        0x00401f5a
                                                                                        0x00401f6b
                                                                                        0x00401f71
                                                                                        0x00401f76
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00401f7c
                                                                                        0x00401f87
                                                                                        0x00401f8c

                                                                                        APIs
                                                                                        • HeapAlloc.KERNEL32(?,00000008,00000005), ref: 00401EC8
                                                                                        • _memset.LIBCMT ref: 00401EE3
                                                                                        • _memmove.LIBCMT ref: 00401F05
                                                                                        • HeapAlloc.KERNEL32(?,00000008,000004DB), ref: 00401F3D
                                                                                        • HeapAlloc.KERNEL32(?,00000008,00000FE8), ref: 00401F6B
                                                                                        • _memmove.LIBCMT ref: 00401F87
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocHeap$_memmove$_memset
                                                                                        • String ID:
                                                                                        • API String ID: 2021246875-0
                                                                                        • Opcode ID: a8da47e364ec9222b83c5226e2a4727d47cf86e33682b1ae8647604246d5210e
                                                                                        • Instruction ID: 0cd98d74923c86061d372e325762cf04d560278b323548a532e0a1f862f871aa
                                                                                        • Opcode Fuzzy Hash: a8da47e364ec9222b83c5226e2a4727d47cf86e33682b1ae8647604246d5210e
                                                                                        • Instruction Fuzzy Hash: F8B1BF70604306DFD318DF24CA8862AB7E1FF94304F04853EEA85973D1E7B9A995CB89
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 92%
                                                                                        			E00403DAD() {
                                                                                        				int _t17;
                                                                                        				unsigned int _t23;
                                                                                        				unsigned int _t24;
                                                                                        				intOrPtr _t25;
                                                                                        				void* _t27;
                                                                                        				intOrPtr _t28;
                                                                                        				void** _t29;
                                                                                        
                                                                                        				_t17 = _t29[0x19];
                                                                                        				_t25 =  *((intOrPtr*)(4 + _t17));
                                                                                        				if(_t25 != 0) {
                                                                                        					if( *((intOrPtr*)(_t25 + 0xa8)) == 0) {
                                                                                        						L7:
                                                                                        						return E00401D24(_t17, _t25 + 0x60);
                                                                                        					}
                                                                                        					_t17 = HeapAlloc( *(_t25 + 0xa4), 8,  *(_t25 + 0xac));
                                                                                        					if(_t17 == 0) {
                                                                                        						goto L7;
                                                                                        					}
                                                                                        					_t29[2] = 0x2065646f;
                                                                                        					_t29[1] = 0x63206563;
                                                                                        					asm("movaps xmm0, [0x40e250]");
                                                                                        					asm("movups [esp+0xc], xmm0");
                                                                                        					_t29[0x13] = 4;
                                                                                        					_t29[2] = _t17;
                                                                                        					E00403E90(_t17,  *((intOrPtr*)(_t25 + 0xa8)),  *(_t25 + 0xac));
                                                                                        					_t29 =  &(_t29[3]);
                                                                                        					_t23 =  *(_t25 + 0xac);
                                                                                        					if(_t23 < 8) {
                                                                                        						L6:
                                                                                        						_t17 = HeapFree( *(_t25 + 0xa4), 0,  *_t29);
                                                                                        						goto L7;
                                                                                        					}
                                                                                        					_t28 =  *((intOrPtr*)(_t25 + 0xa8));
                                                                                        					_t24 = _t23 >> 3;
                                                                                        					_t27 =  *_t29;
                                                                                        					do {
                                                                                        						E00401414( &(_t29[7]), _t28, _t27, 1,  &(_t29[1]));
                                                                                        						_t29 =  &(_t29[5]);
                                                                                        						_t27 = _t27 + 8;
                                                                                        						_t28 = _t28 + 8;
                                                                                        						_t24 = _t24 - 1;
                                                                                        					} while (_t24 != 0);
                                                                                        					goto L6;
                                                                                        				}
                                                                                        				return _t17;
                                                                                        			}

                                                                                        APIs
                                                                                        • HeapAlloc.KERNEL32(?,00000008,?), ref: 00403DDE
                                                                                        • _memmove.LIBCMT ref: 00403E21
                                                                                        • HeapFree.KERNEL32(?,00000000), ref: 00403E6A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocFree_memmove
                                                                                        • String ID: ce c$ode
                                                                                        • API String ID: 3002676227-1628434751
                                                                                        • Opcode ID: 6376a26bd0941a49b058ee2e9f9b7f5254c48767a77057fe041d4a16616e6798
                                                                                        • Instruction ID: edc1a9ca207d80e36b7ab1bd5e5809205ccd11b7ad63a05a10aab67541da700f
                                                                                        • Opcode Fuzzy Hash: 6376a26bd0941a49b058ee2e9f9b7f5254c48767a77057fe041d4a16616e6798
                                                                                        • Instruction Fuzzy Hash: C211E471600301BFD7005F60CC45F57FBA9FF91705F048629FA9C66260E371A964CB96
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _malloc.LIBCMT ref: 0081B680
                                                                                          • Part of subcall function 0081B5E2: __FF_MSGBANNER.LIBCMT ref: 0081B5F9
                                                                                          • Part of subcall function 0081B5E2: __NMSG_WRITE.LIBCMT ref: 0081B600
                                                                                          • Part of subcall function 0081B5E2: RtlAllocateHeap.NTDLL(0042E2A0,00000000,00000001), ref: 0081B625
                                                                                        • _free.LIBCMT ref: 0081B693
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap_free_malloc
                                                                                        • String ID:
                                                                                        • API String ID: 1020059152-0
                                                                                        • Opcode ID: 54dcba1cba77acac28428781274a972a517ae939cad5e5cf24ae877359539b44
                                                                                        • Instruction ID: 08d375d810f6e5cf11509a3f5b1faa873dc82dafa5d46af8f21b9acfe398923b
                                                                                        • Opcode Fuzzy Hash: 54dcba1cba77acac28428781274a972a517ae939cad5e5cf24ae877359539b44
                                                                                        • Instruction Fuzzy Hash: 5E11C132501615EBCF216F7DE845ADA379CFF343A4F604825F905D6190EB3088C086A9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 95%
                                                                                        			E0040B40D(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                                                                        				void* _t7;
                                                                                        				void* _t8;
                                                                                        				intOrPtr* _t9;
                                                                                        				intOrPtr* _t12;
                                                                                        				void* _t20;
                                                                                        				long _t31;
                                                                                        
                                                                                        				if(_a4 != 0) {
                                                                                        					_t31 = _a8;
                                                                                        					if(_t31 != 0) {
                                                                                        						_push(__ebx);
                                                                                        						while(_t31 <= 0xffffffe0) {
                                                                                        							if(_t31 == 0) {
                                                                                        								_t31 = _t31 + 1;
                                                                                        							}
                                                                                        							_t7 = HeapReAlloc( *0x42e2a0, 0, _a4, _t31);
                                                                                        							_t20 = _t7;
                                                                                        							if(_t20 != 0) {
                                                                                        								L17:
                                                                                        								_t8 = _t20;
                                                                                        							} else {
                                                                                        								if( *0x42e55c == _t7) {
                                                                                        									_t9 = E00405486();
                                                                                        									 *_t9 = E00405499(GetLastError());
                                                                                        									goto L17;
                                                                                        								} else {
                                                                                        									if(E0040A80B(_t7, _t31) == 0) {
                                                                                        										_t12 = E00405486();
                                                                                        										 *_t12 = E00405499(GetLastError());
                                                                                        										L12:
                                                                                        										_t8 = 0;
                                                                                        									} else {
                                                                                        										continue;
                                                                                        									}
                                                                                        								}
                                                                                        							}
                                                                                        							goto L14;
                                                                                        						}
                                                                                        						E0040A80B(_t6, _t31);
                                                                                        						 *((intOrPtr*)(E00405486())) = 0xc;
                                                                                        						goto L12;
                                                                                        					} else {
                                                                                        						E0040906B(_a4);
                                                                                        						_t8 = 0;
                                                                                        					}
                                                                                        					L14:
                                                                                        					return _t8;
                                                                                        				} else {
                                                                                        					return E0040B37B(__ebx, __edx, __edi, _a8);
                                                                                        				}
                                                                                        			}
Address column for the decompiled function above (one entry per pseudo-C line, 0x00000000 where a line has no instruction; the side-by-side alignment was lost when the report was flattened): 0x0040b414, 0x0040b422, 0x0040b427, 0x0040b436, 0x0040b469, 0x0040b43b, 0x0040b43d, 0x0040b43d, 0x0040b44a, 0x0040b450, 0x0040b454, 0x0040b4b4, 0x0040b4b4, 0x0040b456, 0x0040b45c, 0x0040b49e, 0x0040b4b2, 0x00000000, 0x0040b45e, 0x0040b467, 0x0040b486, 0x0040b49a, 0x0040b480, 0x0040b480, 0x00000000, 0x00000000, 0x00000000, 0x0040b467, 0x0040b45c, 0x00000000, 0x0040b482, 0x0040b46f, 0x0040b47a, 0x00000000, 0x0040b429, 0x0040b42c, 0x0040b432, 0x0040b432, 0x0040b483, 0x0040b485, 0x0040b416, 0x0040b420, 0x0040b420

                                                                                        APIs
                                                                                        • _malloc.LIBCMT ref: 0040B419
                                                                                          • Part of subcall function 0040B37B: __FF_MSGBANNER.LIBCMT ref: 0040B392
                                                                                          • Part of subcall function 0040B37B: __NMSG_WRITE.LIBCMT ref: 0040B399
                                                                                          • Part of subcall function 0040B37B: HeapAlloc.KERNEL32(00940000,00000000,00000001,00000000,00000000,00000000,?,00409103,00000000,00000000,00000000,00000000,?,004092EE,00000018,0042AA90), ref: 0040B3BE
                                                                                        • _free.LIBCMT ref: 0040B42C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocHeap_free_malloc
                                                                                        • String ID:
                                                                                        • API String ID: 2734353464-0
                                                                                        • Opcode ID: 1461537aa5bdf64185a22e2855a400e14d0cfbd13de291c811f624f91c3d27a4
                                                                                        • Instruction ID: e31a16e3c6a7a2403059718067600b16c48654a5b05da7c6894cfb2bac3c2755
                                                                                        • Opcode Fuzzy Hash: 1461537aa5bdf64185a22e2855a400e14d0cfbd13de291c811f624f91c3d27a4
                                                                                        • Instruction Fuzzy Hash: 7011C432505711AFCB213F76AC0569F3798DB04764B10843BFD44B62D2DB3C89818AED
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(?,00000008,?), ref: 00814045
                                                                                        • HeapFree.KERNEL32(?,00000000), ref: 008140D1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateFree
                                                                                        • String ID: ce c$ode
                                                                                        • API String ID: 2488874121-1628434751
                                                                                        • Opcode ID: 7d18186eced3afd32101676b68dbcaad51043d16fdf218b18470ac7d951a2305
                                                                                        • Instruction ID: 46101012ea41a279f8e87eac35cebcb823161203ea65343bdbe198d0de8b38b8
                                                                                        • Opcode Fuzzy Hash: 7d18186eced3afd32101676b68dbcaad51043d16fdf218b18470ac7d951a2305
                                                                                        • Instruction Fuzzy Hash: F511B4B1600705BFDB105B21CD45F96FB69FF85704F048528F79C97210E772A4A4CB52
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0081B497
                                                                                        • __isleadbyte_l.LIBCMT ref: 0081B4C5
                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000), ref: 0081B4F3
                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000), ref: 0081B529
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                        • String ID:
                                                                                        • API String ID: 3058430110-0
                                                                                        • Opcode ID: c286a52766656667312ad477b22793e64a9e60a7a7acca1ac02e9f4ed1fd99a6
                                                                                        • Instruction ID: 83b5345855902132e2c4f6a8946c15fd69f30a18f36d5154282d471f0e99ad24
                                                                                        • Opcode Fuzzy Hash: c286a52766656667312ad477b22793e64a9e60a7a7acca1ac02e9f4ed1fd99a6
                                                                                        • Instruction Fuzzy Hash: 9F319E3160425AEFDB218F75C845BEA7BAAFF41320F158429E461D72A2E770D8D1DB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
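The three metadata blocks above are where an analyst decides which functions deserve attention. The function at 0x0040b414 calls only `_malloc.LIBCMT` and `_free.LIBCMT` (the `.LIBCMT` suffix is the library-signature label for the statically linked MSVC C runtime) and sits in the image-backed region at 0x400000, so it is runtime glue; the function at 0x00814045 calls RtlAllocateHeap/HeapFree, references strings, and lives in the 0x810000 region the report marks "based on PE: false", which is code that was not in the file on disk, i.e. the unpacked stage. The script below is an added example, not part of the Joe Sandbox report or of the Joe Sandbox product: it parses this flattened block format, separates image-backed from non-image-backed functions, demotes blocks whose every API is a `.LIBCMT` match, and ranks the rest for manual review. The sample text is copied from the blocks shown above; the scoring weights and the `.LIBCMT`-only heuristic are the author's assumptions, not anything the report defines.

```python
"""Rank Joe Sandbox function-metadata blocks for manual triage.

Added example. Parses the flattened 'APIs / Memory Dump Source / Similarity /
Uniqueness' blocks as they appear in a text-extracted report and scores each
function so that code from non-image-backed (unpacked) regions floats to the
top while statically linked C runtime code sinks. Heuristics are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: two blocks in the shape the report uses, text taken from the
# blocks shown above (CRT realloc wrapper at 0x400000, unpacked code at 0x810000).
SAMPLE_REPORT = """
APIs
• _malloc.LIBCMT ref: 0040B419
  • Part of subcall function 0040B37B: __FF_MSGBANNER.LIBCMT ref: 0040B392
• _free.LIBCMT ref: 0040B42C
Memory Dump Source
• Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AllocHeap_free_malloc
• String ID:
• API String ID: 2734353464-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(?,00000008,?), ref: 00814045
• HeapFree.KERNEL32(?,00000000), ref: 008140D1
Memory Dump Source
• Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
Similarity
• API ID: Heap$AllocateFree
• String ID: ce c$ode
• API String ID: 2488874121-1628434751
Uniqueness

Uniqueness Score: -1.00%
"""

API_LINE = re.compile(r"^•\s+([^\s(]+)(?:\([^)]*\))?,?\s+ref:\s*([0-9A-Fa-f]+)")
SOURCE_LINE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
SCORE_LINE = re.compile(r"Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%")


@dataclass
class FunctionBlock:
    apis: List[str] = field(default_factory=list)   # e.g. "HeapFree.KERNEL32"
    refs: List[int] = field(default_factory=list)   # call-site addresses
    offset: Optional[int] = None                    # base of the dumped region
    pe_backed: Optional[bool] = None                # "based on PE" flag
    api_id: str = ""
    string_id: str = ""
    uniqueness: Optional[float] = None

    @property
    def library_code(self) -> bool:
        # Assumption: a block whose every API carries the .LIBCMT library
        # label is statically linked CRT code rather than the sample's logic.
        return bool(self.apis) and all(a.endswith(".LIBCMT") for a in self.apis)

    def priority(self) -> int:
        score = 0
        if self.pe_backed is False:
            score += 2   # region not backed by the file on disk: unpacked stage
        if self.string_id:
            score += 1   # references strings, easier to attribute to a feature
        if self.library_code:
            score -= 2   # CRT glue, review last
        return score


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the flattened report text at each 'APIs' header and fill one block."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None or not line or line.startswith("• Part of subcall"):
            continue  # callee details describe another function, skip them
        m = API_LINE.match(line)
        if m:
            cur.apis.append(m.group(1))
            cur.refs.append(int(m.group(2), 16))
            continue
        m = SOURCE_LINE.search(line)
        if m:
            cur.offset = int(m.group(1), 16)
            cur.pe_backed = m.group(2) == "true"
            continue
        if line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            cur.string_id = line.split(":", 1)[1].strip()
        else:
            m = SCORE_LINE.search(line)
            if m:
                cur.uniqueness = float(m.group(1))
    return blocks


def triage(text: str) -> List[FunctionBlock]:
    """Highest-priority functions first; ties keep report order."""
    return sorted(parse_blocks(text), key=lambda b: -b.priority())


if __name__ == "__main__":
    for b in triage(SAMPLE_REPORT):
        region = "unpacked" if b.pe_backed is False else "image"
        print(f"{b.priority():+d} {region:8s} 0x{b.offset:08x} {b.api_id:24s} {b.apis}")
```

Run against a whole extracted report, the ranking puts every block from the 0x810000 dump ahead of the CRT functions at 0x400000, which is the order in which the stealer logic, rather than realloc and mbtowc wrappers, will be found.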

                                                                                        C-Code - Quality: 100%
                                                                                        			E0040B1FC(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                        				char _v8;
                                                                                        				intOrPtr _v12;
                                                                                        				int _v20;
                                                                                        				int _t35;
                                                                                        				int _t38;
                                                                                        				int _t42;
                                                                                        				intOrPtr* _t44;
                                                                                        				int _t47;
                                                                                        				short* _t49;
                                                                                        				intOrPtr _t50;
                                                                                        				intOrPtr _t54;
                                                                                        				int _t55;
                                                                                        				int _t59;
                                                                                        				char* _t62;
                                                                                        
                                                                                        				_t62 = _a8;
                                                                                        				if(_t62 == 0) {
                                                                                        					L5:
                                                                                        					return 0;
                                                                                        				}
                                                                                        				_t50 = _a12;
                                                                                        				if(_t50 == 0) {
                                                                                        					goto L5;
                                                                                        				}
                                                                                        				if( *_t62 != 0) {
                                                                                        					E00404599( &_v20, _a16);
                                                                                        					_t35 = _v20;
                                                                                        					__eflags =  *(_t35 + 0xa8);
                                                                                        					if( *(_t35 + 0xa8) != 0) {
                                                                                        						_t38 = E00408F8F( *_t62 & 0x000000ff,  &_v20);
                                                                                        						__eflags = _t38;
                                                                                        						if(_t38 == 0) {
                                                                                        							__eflags = _a4;
                                                                                        							_t59 = 1;
                                                                                        							_t42 = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                                                                        							__eflags = _t42;
                                                                                        							if(_t42 != 0) {
                                                                                        								L21:
                                                                                        								__eflags = _v8;
                                                                                        								if(_v8 != 0) {
                                                                                        									_t54 = _v12;
                                                                                        									_t31 = _t54 + 0x70;
                                                                                        									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                                                                        									__eflags =  *_t31;
                                                                                        								}
                                                                                        								return _t59;
                                                                                        							}
                                                                                        							L20:
                                                                                        							_t44 = E00405486();
                                                                                        							_t59 = _t59 | 0xffffffff;
                                                                                        							__eflags = _t59;
                                                                                        							 *_t44 = 0x2a;
                                                                                        							goto L21;
                                                                                        						}
                                                                                        						_t59 = _v20;
                                                                                        						__eflags =  *(_t59 + 0x74) - 1;
                                                                                        						if( *(_t59 + 0x74) <= 1) {
                                                                                        							L15:
                                                                                        							__eflags = _t50 -  *(_t59 + 0x74);
                                                                                        							L16:
                                                                                        							if(__eflags < 0) {
                                                                                        								goto L20;
                                                                                        							}
                                                                                        							__eflags = _t62[1];
                                                                                        							if(_t62[1] == 0) {
                                                                                        								goto L20;
                                                                                        							}
                                                                                        							L18:
                                                                                        							_t59 =  *(_t59 + 0x74);
                                                                                        							goto L21;
                                                                                        						}
                                                                                        						__eflags = _t50 -  *(_t59 + 0x74);
                                                                                        						if(__eflags < 0) {
                                                                                        							goto L16;
                                                                                        						}
                                                                                        						__eflags = _a4;
                                                                                        						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                                                                        						_t59 = _v20;
                                                                                        						__eflags = _t47;
                                                                                        						if(_t47 != 0) {
                                                                                        							goto L18;
                                                                                        						}
                                                                                        						goto L15;
                                                                                        					}
                                                                                        					_t55 = _a4;
                                                                                        					__eflags = _t55;
                                                                                        					if(_t55 != 0) {
                                                                                        						 *_t55 =  *_t62 & 0x000000ff;
                                                                                        					}
                                                                                        					_t59 = 1;
                                                                                        					goto L21;
                                                                                        				}
                                                                                        				_t49 = _a4;
                                                                                        				if(_t49 != 0) {
                                                                                        					 *_t49 = 0;
                                                                                        				}
                                                                                        				goto L5;
                                                                                        			}
Address column for the decompiled function E0040B1FC above (one entry per pseudo-C line, 0x00000000 where a line has no instruction; the side-by-side alignment was lost when the report was flattened): 0x0040b204, 0x0040b209, 0x0040b223, 0x00000000, 0x0040b223, 0x0040b20b, 0x0040b210, 0x00000000, 0x00000000, 0x0040b215, 0x0040b230, 0x0040b235, 0x0040b238, 0x0040b23f, 0x0040b25e, 0x0040b265, 0x0040b267, 0x0040b2ab, 0x0040b2b3, 0x0040b2c2, 0x0040b2c8, 0x0040b2ca, 0x0040b2da, 0x0040b2da, 0x0040b2de, 0x0040b2e0, 0x0040b2e3, 0x0040b2e3, 0x0040b2e3, 0x0040b2e3, 0x00000000, 0x0040b2e9, 0x0040b2cc, 0x0040b2cc, 0x0040b2d1, 0x0040b2d1, 0x0040b2d4, 0x00000000, 0x0040b2d4, 0x0040b269, 0x0040b26c, 0x0040b270, 0x0040b299, 0x0040b299, 0x0040b29c, 0x0040b29c, 0x00000000, 0x00000000, 0x0040b29e, 0x0040b2a2, 0x00000000, 0x00000000, 0x0040b2a4, 0x0040b2a4, 0x00000000, 0x0040b2a4, 0x0040b272, 0x0040b275, 0x00000000, 0x00000000, 0x0040b279, 0x0040b28c, 0x0040b292, 0x0040b295, 0x0040b297, 0x00000000, 0x00000000, 0x00000000, 0x0040b297, 0x0040b241, 0x0040b244, 0x0040b246, 0x0040b24b, 0x0040b24b, 0x0040b250, 0x00000000, 0x0040b250, 0x0040b217, 0x0040b21c, 0x0040b220
                                                                                        0x0040b220
                                                                                        0x00000000

                                                                                        APIs
                                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040B230
                                                                                        • __isleadbyte_l.LIBCMT ref: 0040B25E
                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000), ref: 0040B28C
                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000), ref: 0040B2C2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                        • String ID:
                                                                                        • API String ID: 3058430110-0
                                                                                        • Opcode ID: 762194cd5de1c9b9ead550572a8d015e50fa1e8de8e0d4c0df4b122f55631d38
                                                                                        • Instruction ID: 8e81a93ff20c5179882294eb7575b41b178007e5790b646f6f671e99a04df761
                                                                                        • Opcode Fuzzy Hash: 762194cd5de1c9b9ead550572a8d015e50fa1e8de8e0d4c0df4b122f55631d38
                                                                                        • Instruction Fuzzy Hash: D331AE31600246AFDB218FA5D848BBF7BA5EF41310F1544BEE825A72E0D738D890DB9C
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                        • String ID:
                                                                                        • API String ID: 3016257755-0
                                                                                        • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                        • Instruction ID: 9e16c95706f4e9f1e77441d2be2a9d2cc1bdfb02b14281f9bedd544f4f232a55
                                                                                        • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                        • Instruction Fuzzy Hash: 46014E3204415EBBCF125E88CC11CED3F6BFF18354B588519FA99A8131E636D9B1AB81
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			// Statically linked CRT (LIBCMT) code, not attacker logic: the report's API list for this
                                                                                        			// function names __cftoe_l, __cftof_l and __cftog_l, and the branches below pick a
                                                                                        			// floating-point formatter by printf conversion character. Decompiler output kept as-is.
                                                                                        			E00406768(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                                        				intOrPtr _t25;
                                                                                        				void* _t26;
                                                                                        
                                                                                        				_t25 = _a16;                                  // conversion character
                                                                                        				if(_t25 == 0x65 || _t25 == 0x45) {            // 'e' or 'E': exponent form
                                                                                        					_t26 = E00406CB5(_a4, _a8, _a12, _a20, _a24, _a28);
                                                                                        					goto L9;
                                                                                        				} else {
                                                                                        					_t34 = _t25 - 0x66;                       // flags of the 'f' compare (decompiler artefact, undeclared)
                                                                                        					if(_t25 != 0x66) {                        // not 'f'
                                                                                        						__eflags = _t25 - 0x61;
                                                                                        						if(_t25 == 0x61) {                    // 'a': hexadecimal floating-point form
                                                                                        							L7:
                                                                                        							_t26 = E004067EE(_a4, _a8, _a12, _a20, _a24, _a28);
                                                                                        						} else {
                                                                                        							__eflags = _t25 - 0x41;
                                                                                        							if(__eflags == 0) {               // 'A': same formatter as 'a'
                                                                                        								goto L7;
                                                                                        							} else {
                                                                                        								// remaining case: the 'g' (shortest representation) formatter
                                                                                        								_t26 = E00406F2A(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                        							}
                                                                                        						}
                                                                                        						L9:
                                                                                        						return _t26;
                                                                                        					} else {
                                                                                        						// 'f': fixed-point form
                                                                                        						return E00406E6B(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                                                                                        					}
                                                                                        				}
                                                                                        			}

                                                                                        Statement addresses (decompiler output order; 0x00000000 is the decompiler's placeholder for a statement with no address): 0x0040676b, 0x00406771, 0x004067e4, 0x00000000, 0x00406778, 0x00406778, 0x0040677b, 0x00406796, 0x00406799, 0x004067b9, 0x004067cb, 0x0040679b, 0x0040679b, 0x0040679e, 0x00000000, 0x004067a0, 0x004067b2, 0x004067b2, 0x0040679e, 0x004067e9, 0x004067ed, 0x0040677d, 0x00406795, 0x00406795, 0x0040677b

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                        • String ID:
                                                                                        • API String ID: 3016257755-0
                                                                                        • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                        • Instruction ID: aea4206f527f6fff8dfdf05b7a6688f4d4ea01ffa10814b623b9810bd0ea2048
                                                                                        • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                        • Instruction Fuzzy Hash: CE01433600014ABBCF125E84CC418EE3F76BB19358B5A842AFB1965171D23AD971AB85
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
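The two blocks above carry the same API ID and the same Opcode ID (3c6a3554...) but different Instruction IDs, once lifted from the PE-backed image at 0x400000 and once from the dynamic region at 0x810000 ("based on PE: false"). That pattern is what a relocated copy of the same function looks like, and it is the practical way to tell CRT code carried along by the unpacker apart from the payload's own logic. The script below is an added example, not Joe Sandbox code or part of this report: it parses report blocks shaped like the ones on this page (the sample text is constructed from the blocks above), groups functions by Opcode ID, and lists KERNEL32 calls made from dynamic code that pass a pointer back into the original image (the report shows one at 00816422, InterlockedIncrement on 0042C1A4). IMAGE_RANGE and the description of how the two hashes are computed are assumptions, as marked in the code.

```python
"""Correlate Joe Sandbox per-function 'Similarity' blocks across memory dumps.

Assumed reading of the two hashes (not stated by the report): Opcode ID covers opcodes
only and survives relocation; Instruction ID covers full instruction bytes and changes
when absolute addresses move.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: four blocks copied in shape and values from the report, two lifted
# from the PE-backed image at 0x400000 and two from the dynamic region at 0x810000.
SAMPLE = """\
• Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction ID: 9e16c95706f4e9f1e77441d2be2a9d2cc1bdfb02b14281f9bedd544f4f232a55
Uniqueness Score: -1.00%
• Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction ID: aea4206f527f6fff8dfdf05b7a6688f4d4ea01ffa10814b623b9810bd0ea2048
Uniqueness Score: -1.00%
• InterlockedDecrement.KERNEL32(?), ref: 008163F7
• InterlockedIncrement.KERNEL32(0042C1A4), ref: 00816422
• Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
• API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
• Opcode ID: 9bf3a04d43eee07b18bb58f07ca9be70ebc8cd783a1907ed480256e1dd487afc
• Instruction ID: 0b073234d1a37d696c8c046b0c98130fa721dad1d7a453f0f412a93612a277ac
Uniqueness Score: -1.00%
• InterlockedDecrement.KERNEL32(?), ref: 00406190
• InterlockedIncrement.KERNEL32(0096A3D8), ref: 004061BB
• Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
• Opcode ID: 9a490045696f11bfaa74908e1410ad382ebca8c5b2dbda7e8616983b39942f21
• Instruction ID: 92dd21f900cdea8ed63b94cc79b176875fe63f4237bcfdc2142f7b5521d70ca3
Uniqueness Score: -1.00%
"""

# Assumed extent of the image mapped at 0x400000 (the report associates a second PE-backed
# dump at 0x430000, so the image reaches past it). Demo value; take it from the section map.
IMAGE_RANGE = (0x400000, 0x440000)

@dataclass
class FunctionRecord:
    dump_offset: int      # base of the memory dump the function was lifted from
    pe_backed: bool       # "based on PE: true/false"
    api_id: str
    opcode_id: str
    instruction_id: str
    kernel32_calls: list = field(default_factory=list)  # (call_site, api_name, [arg or None])

BLOCK_END = re.compile(r"Uniqueness Score:[^\n]*\n")
SOURCE_RE = re.compile(r"Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
CALL_RE = re.compile(r"(\w+)\.KERNEL32\(([^)]*)\), ref: ([0-9A-Fa-f]+)")

def _field(name: str, chunk: str) -> str:
    m = re.search(rf"{name}: ([^\n]*)", chunk)
    return m.group(1).strip() if m else ""

def _hex_or_none(tok: str) -> int | None:
    tok = tok.strip()  # the report prints '?' for arguments it could not resolve
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else None

def parse_blocks(text: str) -> list[FunctionRecord]:
    """One FunctionRecord per block; a block ends at its 'Uniqueness Score' line."""
    records = []
    for chunk in BLOCK_END.split(text):
        src = SOURCE_RE.search(chunk)
        if not src:
            continue  # trailing fragment without a dump source
        calls = [(int(site, 16), api, [_hex_or_none(a) for a in args.split(",") if a.strip()])
                 for api, args, site in CALL_RE.findall(chunk)]
        records.append(FunctionRecord(int(src.group(1), 16), src.group(2) == "true",
                                      _field("API ID", chunk), _field("Opcode ID", chunk),
                                      _field("Instruction ID", chunk), calls))
    return records

def relocated_copies(records: list[FunctionRecord]) -> dict[str, set[int]]:
    """Opcode IDs seen both in a PE-backed dump and in a dynamic region: same code, moved."""
    by_opcode: dict[str, set[int]] = {}
    for r in records:
        by_opcode.setdefault(r.opcode_id, set()).add(r.dump_offset)
    pe = {r.opcode_id for r in records if r.pe_backed}
    dyn = {r.opcode_id for r in records if not r.pe_backed}
    return {oid: offs for oid, offs in by_opcode.items() if oid in pe and oid in dyn}

def cross_image_refs(records: list[FunctionRecord], image_range: tuple[int, int]) -> list[tuple]:
    """KERNEL32 calls made from dynamic code that pass a pointer into the original image."""
    lo, hi = image_range
    return [(site, api, a)
            for r in records if not r.pe_backed
            for site, api, args in r.kernel32_calls
            for a in args if a is not None and lo <= a < hi]
```

Run against a full report export, `relocated_copies` yields the CRT functions that the unpacked region duplicates and can be skipped during triage, while `cross_image_refs` flags dynamic code that still reaches into the original image's globals, evidence that the code at 0x810000 was copied out of the 0x400000 image rather than dropped from an unrelated module.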

                                                                                        APIs
                                                                                          • Part of subcall function 00815BC1: __getptd_noexit.LIBCMT ref: 00815BC2
                                                                                        • __lock.LIBCMT ref: 008163DA
                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 008163F7
                                                                                        • _free.LIBCMT ref: 0081640A
                                                                                        • InterlockedIncrement.KERNEL32(0042C1A4), ref: 00816422
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_810000_setup.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                                        • String ID:
                                                                                        • API String ID: 2704283638-0
                                                                                        • Opcode ID: 9bf3a04d43eee07b18bb58f07ca9be70ebc8cd783a1907ed480256e1dd487afc
                                                                                        • Instruction ID: 0b073234d1a37d696c8c046b0c98130fa721dad1d7a453f0f412a93612a277ac
                                                                                        • Opcode Fuzzy Hash: 9bf3a04d43eee07b18bb58f07ca9be70ebc8cd783a1907ed480256e1dd487afc
                                                                                        • Instruction Fuzzy Hash: F801C431A01722DBD720AB6994463ED7768FF00721F414529E854F7291DB7468E1CBDE
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 91%
                                                                                        			// Statically linked CRT (LIBCMT) code, not attacker logic. The shape (take a CRT lock, swap the
                                                                                        			// thread's pointer for the global one, InterlockedDecrement the old block and _free it unless it
                                                                                        			// is the static default, InterlockedIncrement the new one) is the CRT's per-thread locale /
                                                                                        			// code-page info refresh; the E00xxxxxx names are the decompiler's. Output kept as-is.
                                                                                        			E00406136(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                        				LONG* _t20;
                                                                                        				long _t22;
                                                                                        				signed int _t25;
                                                                                        				void* _t30;
                                                                                        				LONG* _t32;
                                                                                        				void* _t33;
                                                                                        
                                                                                        				_push(0xc);
                                                                                        				_push(0x42a9d0);
                                                                                        				E004081F0(__ebx, __edi, __esi);               // SEH prologue
                                                                                        				_t30 = E0040595A();                           // per-thread data (__getptd_noexit per the API list)
                                                                                        				_t25 =  *0x42c8f4; // 0xfffffffe             (global locale status mask)
                                                                                        				if(( *(_t30 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t30 + 0x6c)) == 0) {
                                                                                        					E00409225(0xd);                           // __lock(0xd)
                                                                                        					 *(_t33 - 4) =  *(_t33 - 4) & 0x00000000;
                                                                                        					_t32 =  *(_t30 + 0x68);                   // the thread's current info block
                                                                                        					 *(_t33 - 0x1c) = _t32;
                                                                                        					__eflags = _t32 -  *0x42c1a4; // 0x96a3d8 (global current block)
                                                                                        					if(__eflags != 0) {
                                                                                        						__eflags = _t32;
                                                                                        						if(_t32 != 0) {
                                                                                        							_t22 = InterlockedDecrement(_t32);    // drop the thread's reference
                                                                                        							__eflags = _t22;
                                                                                        							if(_t22 == 0) {
                                                                                        								__eflags = _t32 - 0x42c4a0;
                                                                                        								if(_t32 != 0x42c4a0) {            // never free the static initial block
                                                                                        									E0040906B(_t32);              // _free
                                                                                        								}
                                                                                        							}
                                                                                        						}
                                                                                        						_t20 =  *0x42c1a4; // 0x96a3d8
                                                                                        						 *(_t30 + 0x68) = _t20;               // adopt the global block
                                                                                        						_t32 =  *0x42c1a4; // 0x96a3d8
                                                                                        						 *(_t33 - 0x1c) = _t32;
                                                                                        						InterlockedIncrement(_t32);           // and take a reference on it
                                                                                        					}
                                                                                        					 *(_t33 - 4) = 0xfffffffe;
                                                                                        					E004061D2();                              // unlock (SEH finally block)
                                                                                        				} else {
                                                                                        					_t32 =  *(_t30 + 0x68);
                                                                                        				}
                                                                                        				if(_t32 == 0) {
                                                                                        					E0040740B(0x20);                          // CRT fatal runtime error 0x20 (_RT_LOCALE, R6032)
                                                                                        				}
                                                                                        				return E00408235(_t32);                       // SEH epilogue
                                                                                        			}

                                                                                        Statement addresses (decompiler output order): 0x00406136, 0x00406138, 0x0040613d, 0x00406147, 0x00406149, 0x00406152, 0x00406173, 0x00406179, 0x0040617d, 0x00406180, 0x00406183, 0x00406189, 0x0040618b, 0x0040618d, 0x00406190, 0x00406196, 0x00406198, 0x0040619a, 0x004061a0, 0x004061a3, 0x004061a8, 0x004061a0, 0x00406198, 0x004061a9, 0x004061ae, 0x004061b1, 0x004061b7, 0x004061bb, 0x004061bb, 0x004061c1, 0x004061c8, 0x0040615a, 0x0040615a, 0x0040615a, 0x0040615f, 0x00406163, 0x00406168, 0x00406170

                                                                                        APIs
                                                                                          • Part of subcall function 0040595A: __getptd_noexit.LIBCMT ref: 0040595B
                                                                                        • __lock.LIBCMT ref: 00406173
                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 00406190
                                                                                        • _free.LIBCMT ref: 004061A3
                                                                                        • InterlockedIncrement.KERNEL32(0096A3D8), ref: 004061BB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                        Similarity
                                                                                        • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                                        • String ID:
                                                                                        • API String ID: 2704283638-0
                                                                                        • Opcode ID: 9a490045696f11bfaa74908e1410ad382ebca8c5b2dbda7e8616983b39942f21
                                                                                        • Instruction ID: 92dd21f900cdea8ed63b94cc79b176875fe63f4237bcfdc2142f7b5521d70ca3
                                                                                        • Opcode Fuzzy Hash: 9a490045696f11bfaa74908e1410ad382ebca8c5b2dbda7e8616983b39942f21
                                                                                        • Instruction Fuzzy Hash: 1C01A535A01621ABE721AB26994676EB660AF00715F06453FE8057B3C3CB3C5D62CBDD
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                        Execution Coverage: 3.1%
                                                                                        Dynamic/Decrypted Code Coverage: 0%
                                                                                        Signature Coverage: 9.7%
                                                                                        Total number of Nodes: 145
                                                                                        Total number of Limit Nodes: 5

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: DriveDrivesLogicalType
                                                                                        • String ID: :$A$\$\
                                                                                        • API String ID: 4038169723-2970747007
                                                                                        • Opcode ID: b0a694621581a0022aa59e7e97eb46f4cad8955d03962f010717c508dea69b99
                                                                                        • Instruction ID: 33c11f9fc37f128a860e23cae35e15ceb6768a3f5672f20b86655c31e2683008
                                                                                        • Opcode Fuzzy Hash: b0a694621581a0022aa59e7e97eb46f4cad8955d03962f010717c508dea69b99
                                                                                        • Instruction Fuzzy Hash: EAF1523561CA4C8BEB69EF18D885AEA73F0FB58304F54462ED48FC3151DA78E945CB82
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??3@ChangeCloseCreateFindNotificationThread
                                                                                        • String ID: d
                                                                                        • API String ID: 1887508895-2564639436
                                                                                        • Opcode ID: f8442b9e398ab651c0b0ad759ddfe03e1ed3a010777be940d021345a2825fb8b
                                                                                        • Instruction ID: fa3a7de9919e758c279b07d43087d06f887ed8d1d33470d8b71a4e904bf83cf8
                                                                                        • Opcode Fuzzy Hash: f8442b9e398ab651c0b0ad759ddfe03e1ed3a010777be940d021345a2825fb8b
                                                                                        • Instruction Fuzzy Hash: E412FB74618A4C8FEB95EF38D845AEAB7E1FB94300F54462EE44FC3291DB34E5458B82
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File$CloseFirstNext
                                                                                        • String ID:
                                                                                        • API String ID: 3541575487-0
                                                                                        • Opcode ID: 5473507164dcd3926eec300200079bceabdad213ffc4607040328178f24ee394
                                                                                        • Instruction ID: 434c118b61d1cf05502e526ae2c2e9b74380384c6f98d1db4a32407ad29dadbb
                                                                                        • Opcode Fuzzy Hash: 5473507164dcd3926eec300200079bceabdad213ffc4607040328178f24ee394
                                                                                        • Instruction Fuzzy Hash: E6414135718E584FEB94EB28E859AAA77E1FBD5301F54463EE04BC3290DE38D9448782
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: NamedPipe$BindCallbackCompletionConnectCreate
                                                                                        • String ID:
                                                                                        • API String ID: 2502124517-0
                                                                                        • Opcode ID: 86698cdaea6b070168e9757c8e61cb38fc1f5760e73426677b828c464fbefd93
                                                                                        • Instruction ID: ec5d7afb114b5f9fe2af21197c3e9699837f3a07a7254c47cc7315ef1b029308
                                                                                        • Opcode Fuzzy Hash: 86698cdaea6b070168e9757c8e61cb38fc1f5760e73426677b828c464fbefd93
                                                                                        • Instruction Fuzzy Hash: 56316D34708A488FEB94DF28D888B9A77E1FB95310F54462AD05BC31D0DB38D985CB82
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFind$FirstNext
                                                                                        • String ID:
                                                                                        • API String ID: 1690352074-0
                                                                                        • Opcode ID: cc4e1f58a741e0a847789479910143e1a41a58a390ab4c56df2ab5461faa735f
                                                                                        • Instruction ID: 356ae50d74c97bcbfbf712a7b24962603814f1a359728b854d39bb24df70b557
                                                                                        • Opcode Fuzzy Hash: cc4e1f58a741e0a847789479910143e1a41a58a390ab4c56df2ab5461faa735f
                                                                                        • Instruction Fuzzy Hash: D9812035608A488FEF54EF28E898A9673E1FB94305F14467ED44FC7295DB38E944CB82
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateThread
                                                                                        • String ID:
                                                                                        • API String ID: 2422867632-0
                                                                                        • Opcode ID: e204f23e07e5fe114be256f26043225e89d310e5d3f21a5691eae402d807ca03
                                                                                        • Instruction ID: eec6ab8b7c57573984625d032278161dbf5fedcb333001ae0a864804157d41be
                                                                                        • Opcode Fuzzy Hash: e204f23e07e5fe114be256f26043225e89d310e5d3f21a5691eae402d807ca03
                                                                                        • Instruction Fuzzy Hash: D3426434A1CB488FDB69EF28D485AAE77E5FB94300F18456ED48FC3251DA34E941CB82
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: CryptDataUnprotect
                                                                                        • String ID:
                                                                                        • API String ID: 834300711-0
                                                                                        • Opcode ID: 065909b5226e5ffbc6317179f027ca50902e3b2efe95567b1e5a46f5e667f156
                                                                                        • Instruction ID: 0aa9a2d7670ba4f595c11e3180415f81da0266798a24b5ed3fcde6b17a30fe23
                                                                                        • Opcode Fuzzy Hash: 065909b5226e5ffbc6317179f027ca50902e3b2efe95567b1e5a46f5e667f156
                                                                                        • Instruction Fuzzy Hash: 9731413471CA484FEB58EB6CD849A6AB7E1FB9A301F44452EE54BC3291DE39D841C782
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationQuerySystem
                                                                                        • String ID:
                                                                                        • API String ID: 3562636166-0
                                                                                        • Opcode ID: d58f8b538f263f367ae549b4eb4f40a92b68296be0ce84c3cb29e4ca6c126a6e
                                                                                        • Instruction ID: b2b6a9f1dab92307d32347c41406752ccafce972f2737cc997380d85f8ba844d
                                                                                        • Opcode Fuzzy Hash: d58f8b538f263f367ae549b4eb4f40a92b68296be0ce84c3cb29e4ca6c126a6e
                                                                                        • Instruction Fuzzy Hash: C4C08C04F1AC4A4BFD4867BE4D82B2930A0ABE9300F880019940AC2190E60DE4824393
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.363078043.00000229C8F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000229C8F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_229c8f40000_dllhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: BoundaryDeleteDescriptor
                                                                                        • String ID: $!$!Rcx$!Rex$A$D$E$H$S
                                                                                        • API String ID: 3203483114-3349172591
                                                                                        • Opcode ID: 65066c02667e23bd76fdc9d3f10aea0dbf6c071d317dcde6615cabaccb18c29d
                                                                                        • Instruction ID: 2aea8251fc42641ebc95257a6f75f14e9c738ea388b4ae6d5028b3b35fb09ddc
                                                                                        • Opcode Fuzzy Hash: 65066c02667e23bd76fdc9d3f10aea0dbf6c071d317dcde6615cabaccb18c29d
                                                                                        • Instruction Fuzzy Hash: 9FB1B63121CB485FD75AEF59D485A9AB3E1FBDC300F800A2FE48AC3156DA70E99587D2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$??3@CreateRead
                                                                                        • String ID: MZ
                                                                                        • API String ID: 481216328-2410715997
                                                                                        • Opcode ID: 5e4af987994b7acbedf1a617c617516e2b7c83a12c39e074aeeec05ef4365be6
                                                                                        • Instruction ID: 580e0671ba654adbbefbeb0cc6365236731e3c662b9f801b30fbfbe3ed07b812
                                                                                        • Opcode Fuzzy Hash: 5e4af987994b7acbedf1a617c617516e2b7c83a12c39e074aeeec05ef4365be6
                                                                                        • Instruction Fuzzy Hash: 7E417270B0CA584FDB54EB6898856AA73E1FF99311F04462EE44FC3184EB38E9518B92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
Similarity
• API ID: FreeVirtual
• String ID: MZ$MZ$MZ
• API String ID: 1263568516-970779948
• Opcode ID: 872aeec84cbaeb3725683b3f97cc31e77a18b92113d903afa561b5ea92fb0226
• Instruction ID: 312147b554bc745c0f7579325d09feff2ad19bbf7cb4fe5e96d7d513f620b930
• Opcode Fuzzy Hash: 872aeec84cbaeb3725683b3f97cc31e77a18b92113d903afa561b5ea92fb0226
• Instruction Fuzzy Hash: 69D19375B1CA894BEF65AF2C9885AAA73E1EFE5300F04452ED44FC3195EF78E8418781
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.363110039.00000229C8F90000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000229C8F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_229c8f90000_dllhost.jbxd
Similarity
• API ID: File$MappingOpenView
• String ID: !Rex
• API String ID: 3439327939-279350133
• Opcode ID: 17450c00fed49fe80342f3e25c2c945cb80a2df36b887535064fd9d07ebb3af5
• Instruction ID: 5db9f8b736b65d8deb372bfa74b1d68a5d3b3ae8b48ec81a828ac23b4b96823b
• Opcode Fuzzy Hash: 17450c00fed49fe80342f3e25c2c945cb80a2df36b887535064fd9d07ebb3af5
• Instruction Fuzzy Hash: 64518C31208B499FDB65EB69C489BDAB3E4FFE8300F40493ED48AC3141DE31D9958B82
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
Similarity
• API ID: ??3@
• String ID: !Rcx
• API String ID: 613200358-1190931699
• Opcode ID: 375216cf1db1b95d5aee2b7e97bdc21f36d06a79622ee621d3fb19e0d25edae2
• Instruction ID: 11529a1bd4dff5e1a8d0f6530c9e2afb132799829b1c8a2e916065d34baccc41
• Opcode Fuzzy Hash: 375216cf1db1b95d5aee2b7e97bdc21f36d06a79622ee621d3fb19e0d25edae2
• Instruction Fuzzy Hash: 85319230718A484FDF64EF68C885BAAB7E0FBA5315F144A3FD44EC2291DA34E545C782
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID: {
• API String ID: 2987862817-366298937
• Opcode ID: ce8c5c31cd73c92eaa4bb109d3a5c28e0b34eac1a0d27fbc4dc84f37bbccbbdd
• Instruction ID: a50668434cd69d77f2a200ed74acabdb3dd6af56e9b0c43b2c1a5b34b591a375
• Opcode Fuzzy Hash: ce8c5c31cd73c92eaa4bb109d3a5c28e0b34eac1a0d27fbc4dc84f37bbccbbdd
• Instruction Fuzzy Hash: 6601A52871C5540BEF94A63C6801AA772E5EF95310F04463EE41FC31C6ED18DC054292
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
Similarity
• API ID: File$CreateFreeReadVirtual
• String ID: MZ
• API String ID: 1417541778-2410715997
• Opcode ID: dc4bd1325c9b6ce831cdb2494975a3abfd7c2e64201de334ba9217b2b9306c25
• Instruction ID: 5d5d7f9e66964dbcb282b8396c262f5e0a1020f29425c18c74ba540286072ee8
• Opcode Fuzzy Hash: dc4bd1325c9b6ce831cdb2494975a3abfd7c2e64201de334ba9217b2b9306c25
• Instruction Fuzzy Hash: 73516975B1CA884BEFA8AA3C9845A6F72E6EFD5310F14056EE44FC3195DF38E8014782
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
Memory Dump Source
• Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
Similarity
• API ID: ChangeCloseFileFindNotificationView
• String ID:
• API String ID: 556135526-0
• Opcode ID: 502e52437849565e925d83ccf3de6c5e9e7ab8b63f1dbba070af9e040f3b2d98
• Instruction ID: 4c831a8468faa5c19645a4ffd9a8c54de127eee98a569f5bd6378e1798226554
• Opcode Fuzzy Hash: 502e52437849565e925d83ccf3de6c5e9e7ab8b63f1dbba070af9e040f3b2d98
• Instruction Fuzzy Hash: 79411D34708A498FEF99FB28D455AAAB3B1FF94310F14462ED45FC3182DE29E8158B91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
Memory Dump Source
• Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
Similarity
• API ID: AddressCallerLibraryLoadProc
• String ID:
• API String ID: 4215043672-0
• Opcode ID: 360a3b14b73cf4ba8c025e592f2c7af1987442e7d978021b0d53979cebde274f
• Instruction ID: 971cb51070c8d490fca43328f3444669c5e3648dbbf5aac05f1307f4d6898886
• Opcode Fuzzy Hash: 360a3b14b73cf4ba8c025e592f2c7af1987442e7d978021b0d53979cebde274f
• Instruction Fuzzy Hash: E721E225B0DA4E4BEF28996C9C45B7633E4DB47321F1D047FD84BC7192E96DF8828291
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
Memory Dump Source
• Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
Similarity
• API ID: File$CreateRead
• String ID:
• API String ID: 3388366904-0
• Opcode ID: a5499618f628a59e0d96b57db253cb0100af634853b51a4cee71ef425f696bbf
• Instruction ID: 85644a50f7486c1d8e60f921288cc65687010dac20bdfa197068a664a6064f99
• Opcode Fuzzy Hash: a5499618f628a59e0d96b57db253cb0100af634853b51a4cee71ef425f696bbf
• Instruction Fuzzy Hash: 0A11B130618A488FDB90AF6CD88876E77E0FB98315F04862EE88EC3290CB3899458751
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.363078043.00000229C8F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000229C8F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_229c8f40000_dllhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82552c8ceb4bd420dba5bcd59e8ddc246d38e28e5f7935b533cdb85efc16f220
• Instruction ID: 8684eb889db6d443d6842a2fcb88de21225c5c1e9ccf3b1de685123818c2256e
• Opcode Fuzzy Hash: 82552c8ceb4bd420dba5bcd59e8ddc246d38e28e5f7935b533cdb85efc16f220
• Instruction Fuzzy Hash: 70510530618A055BD71EEF5AC4899B9B3E1FBD8710F54863FE487C7186EE70E88286D0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
Similarity
• API ID: InformationVolume
• String ID:
• API String ID: 2039140958-0
• Opcode ID: 53bae16748ecdc21ae953881b952189692968bc814a88933c73c387c58fe5f91
• Instruction ID: 5f7a7904f87e47f3d9630f3042607d3eebd57cf037b2920601846b9e108de86a
• Opcode Fuzzy Hash: 53bae16748ecdc21ae953881b952189692968bc814a88933c73c387c58fe5f91
• Instruction Fuzzy Hash: EA410E3561CB488BE765EF28D895BDBB7E0FB94304F404A2EE48BC2191EF799504CB42
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: b321590e39003328950868adb3b7baf0a738c2a81c9ed83129ade6c1723d170f
• Instruction ID: e7d47a432114c7896f867c7c1a5fcc3c780fd9bb6c45ecc5398b178364bbba51
• Opcode Fuzzy Hash: b321590e39003328950868adb3b7baf0a738c2a81c9ed83129ade6c1723d170f
• Instruction Fuzzy Hash: 8831043461890D8FDF85EF2CD494FA533A1FF58311F4841B9D80ECB29ACA34A845CB60
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 472e16019ba601094a4c2923f039f601fa415deb3ae2891c44a4e6fa2e872d25
• Instruction ID: dc137faa13fcffa22ea56959b73a4447f8f569ca62b1c1484ff2537795affcd4
• Opcode Fuzzy Hash: 472e16019ba601094a4c2923f039f601fa415deb3ae2891c44a4e6fa2e872d25
• Instruction Fuzzy Hash: A8212C34B098184FDED4EA2CC0C4D797BE6FF8875072902A6D81BC729DE569ED81C780
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 1173c4bf6734c2ddcbf1999c0336684670098a1b8ff3ecb332de893cda3149d8
• Instruction ID: 7085371e78f0e0ce48038a191d4c72047fdf891aacb50829aca5bc74f0b7d617
• Opcode Fuzzy Hash: 1173c4bf6734c2ddcbf1999c0336684670098a1b8ff3ecb332de893cda3149d8
• Instruction Fuzzy Hash: 27F0F974A19E4A8FEB84AF6DD498B6577B0FB68305FA4007ED41AC6190DB75AC54C700
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
Similarity
• API ID: DestroyHeap
• String ID:
• API String ID: 2435110975-0
• Opcode ID: 6bee0d47c2223d56f047f492df5b049f4a47428231dacf7fdd2a0f68541b21f6
• Instruction ID: 7ecab14eb4a360e2035f0832f8666157bc50deeb6d24f0eb920365250c69bd8c
• Opcode Fuzzy Hash: 6bee0d47c2223d56f047f492df5b049f4a47428231dacf7fdd2a0f68541b21f6
• Instruction Fuzzy Hash: 03014634B0D6848FEF50EFADACC5A2532B5EB89710B4808BFD00ADA164C63CA8408B12
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: b4ad1c0d008e997b21b3bc8a6b3226dd8f46068eaaf9a4adb11886a91f20d782
• Instruction ID: cf9948e050d299319042d0067db0626b7b290353cf5633a56b3d8650c87bafa8
• Opcode Fuzzy Hash: b4ad1c0d008e997b21b3bc8a6b3226dd8f46068eaaf9a4adb11886a91f20d782
• Instruction Fuzzy Hash: AEF0A029F0E1894AFF21AF3D5C846372276EB88321F294E7FD04BC6182D93CD8C18242
Uniqueness
Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoSystem
                                                                                        • String ID:
                                                                                        • API String ID: 31276548-0
                                                                                        • Opcode ID: bccd8a624eb6b28d8ce315b06ee3766c31c6b0b7e90251d88198d832bd84872c
                                                                                        • Instruction ID: af7a0c4efb83a43d3dd6eca2473c3cc2213c567d43e53af28580ee8b2cdbf410
                                                                                        • Opcode Fuzzy Hash: bccd8a624eb6b28d8ce315b06ee3766c31c6b0b7e90251d88198d832bd84872c
                                                                                        • Instruction Fuzzy Hash: 0FE04835F1044956F749F735EC998D733A1FF68300B84416ADC0B910E6FE2C5286C6C1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: ??3@
                                                                                        • String ID:
                                                                                        • API String ID: 613200358-0
                                                                                        • Opcode ID: 2b6ebd628b6762cacce5267312cbc1474e2efd12aa7b3ce2d7e01679878ed3e9
                                                                                        • Instruction ID: b3670ef8330dce2f2d7d2bf7083a2b37775f516ed42de02125f419482e3fa940
                                                                                        • Opcode Fuzzy Hash: 2b6ebd628b6762cacce5267312cbc1474e2efd12aa7b3ce2d7e01679878ed3e9
                                                                                        • Instruction Fuzzy Hash: C5B0122892BD6B06ED8C377A0C5A5253560AF08311FC8005CD80AC0040E60CC5D46386
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 1586166983-0
                                                                                        • Opcode ID: 4a93cf2f88255c0bb6d24dd12e50ceba59c46d297b66380d94f1b892c0c9261f
                                                                                        • Instruction ID: 3d085ae7aaa33ab3aaf9a1ab97f09b268cceebe4e2d56206a11af7c4d78bd258
                                                                                        • Opcode Fuzzy Hash: 4a93cf2f88255c0bb6d24dd12e50ceba59c46d297b66380d94f1b892c0c9261f
                                                                                        • Instruction Fuzzy Hash: D6F08235314D095BFF649F39AC88ABA37A9EB84341B18872ED40BC5164EF6CD9049744
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%